Our scan credentials are stored in CyberArk, and InsightVM is integrated with CyberArk to fetch credential.
The credential for the SSH account is rotated by CyberArk everyday.
We want to use sudo to elevate access of this account to root, however to use sudo we need to enter password of this account again in InsightVM.
Given the password of this account changes everyday, the elevation to root via sudo fails.
How can we achieve elevation to root via sudo in this use case? Any help from anyone will be much appreciated.
There is a security rick associated with it, but in your sudoers file you can set the commands you want to run with NOPASSWORD, this will allow you to sudo without entering the password again.
Once again, I wan you to look into the risk associated with this and don’t make the switch uninformed.
Hi Brandon, Yes I agree that can be a solution, but as you mentioned we don’t want to implement this solution due to the risk associated with NOPASSWD configuration.
I don’t understand why Rapid7 kept the field of sudo password on console even after selecting CyberArk.
Ideally Rapid7 should call CyberArk for elevation password as well given its same as initial password.
I have raised a support case for this, but I believe eventually it will go as a feature request.
From my perspective its a bad design!