Just wanted to check around if anyone is using InsightVM to run CIS benchmark policy scans on RHEL servers? If we are not comfortable giving root-level access to the service account, what's the minimum set of command access we can give the service account in the sudoers file to achieve the best possible scan outcome?
Policy scanning can be quite difficult to scope down the permissions for, as the permissions and commands run by the policy will change with each version. Running policy scanning with root-level access is a good way to check if the policy works, but as you have pointed out, the best practice would then be to scope down the permissions.
To identify the commands that you should allow, you could tailor the scan template to run only the policy during the scan and check the checkbox for "store SCAP data". You can then download and search the log package from that scan for the specific commands being run. You should see ACES logs inside the log package, which will show the commands run and the responses from the system. Searching for permission issues should allow you to build out a list of minimum permissions; however, this is a very trial-and-error approach and new versions of the policy may require more permissions, etc.
Hope this helps provide a bit more information around troubleshooting policy permissions.
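One way to turn the log-review step above into something repeatable, as an added example that is not part of the original thread and not Rapid7's own tooling: a small POSIX shell script that pulls the command lines whose response contained a permission error out of a scan log and emits a sudoers fragment for the scan service account. The `CMD:`/`RESP:` layout of the sample log is a constructed, assumed format for illustration only; the real ACES log lines will look different, so adjust the two awk patterns to match what you actually see in the log package. The account name `svc_scan` is also an assumption.

```shell
#!/bin/sh
# Constructed sample of command/response pairs of the kind a scan log package
# might contain. The "CMD: ... / RESP: ..." layout is an assumption made for
# this example, not the documented ACES log format.
SAMPLE_LOG="CMD: /usr/bin/stat -c %a /etc/shadow
RESP: 0
CMD: /usr/bin/cat /etc/shadow
RESP: cat: /etc/shadow: Permission denied
CMD: /usr/sbin/sysctl -n kernel.randomize_va_space
RESP: 2
CMD: /usr/bin/find / -xdev -perm -4000 -type f
RESP: find: /root: Permission denied
CMD: /usr/bin/cat /etc/shadow
RESP: cat: /etc/shadow: Permission denied"

# Print each distinct full command line (binary plus arguments) whose
# response contained a permission error. Commands that succeeded as the
# unprivileged account are left out, since they need no sudo rule.
denied_commands() {
    printf '%s\n' "$1" | awk '
        /^CMD: /  { sub(/^CMD: /, ""); cmd = $0 }
        /^RESP: / && /[Pp]ermission denied/ { print cmd }' | sort -u
}

# Emit a sudoers fragment for the given service account (assumed name).
# Each rule pins the exact argument string seen in the log, which is far
# narrower than allowing the bare binary: "NOPASSWD: /usr/bin/cat" would
# let the account read any file as root, whereas this rule only permits
# the one invocation the policy check actually needs.
sudoers_fragment() {
    user="$1"
    denied_commands "$2" | while IFS= read -r cmd; do
        printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd"
    done
}

# Usage: print the fragment for the constructed sample log.
sudoers_fragment svc_scan "$SAMPLE_LOG"
```

Write the output to a file under `/etc/sudoers.d/` and check it with `visudo -cf <file>` before it goes live; a syntax error in a sudoers drop-in can lock out every sudo user on the host. Because the rules are argument-exact, a policy update that changes a command's arguments will show up as a fresh permission error in the next scan log rather than silently widening what the account can do, which is the trial-and-error loop the answer above describes, just with the list generated instead of hand-built.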