Minimum access for RHEL CIS Policy Scan

Hi All,

Just wanted to check around if anyone is using InsightVM to run CIS benchmark policy scans on RHEL servers? If we are not comfortable giving root-level access to the service account, what's the minimum set of command access we can give the service account in the sudoers file to achieve the best possible scan outcome?

Appreciate if anyone can help.

Hi vsingh,

Policy scanning can be quite difficult to scope down permissions for, as the permissions and commands run by the policy will change with each version. Running policy scanning with root-level access is a good way to check that the policy works, but as you have pointed out, the best practice would then be to scope down the permissions.

To identify the commands that you should allow, you could tailor the scan template to run only the policy during the scan and check the checkbox for "store SCAP data". You can then download and search the log package from that scan for the specific commands being run. You should see ACES logs inside the log package which will show the commands run and the responses from the system. Searching for permission issues should allow you to build out a list of minimum permissions; however, this is a very trial-and-error approach, and new versions of the policy may require more permissions, etc.

Hope this helps provide a bit more information around troubleshooting policy permissions.
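One way to turn the "search the logs for permission issues" step into something repeatable, as an added example that is not part of the original post and not Rapid7's own tooling: pair each command with its response, keep only the commands whose response signals a privilege failure, and render those executables into a sudoers fragment. The log lines below are constructed for the example; the real ACES log format in the downloaded package is assumed to differ and must be matched by hand. The service account name `svc_ivm` and the alias name `INSIGHTVM_POLICY` are placeholders.

```shell
#!/usr/bin/env bash
# Added example: derive a minimal sudoers allowlist from a scan log.
# The log format below is constructed for illustration, NOT the real ACES format.
set -euo pipefail

# Constructed sample log: one "CMD:" line per command the scanner ran,
# followed by an "OUT:" line with the response from the target.
SAMPLE_LOG=$(cat <<'EOF'
2024-01-01 12:00:00 CMD: /usr/bin/stat -c %a /etc/shadow
2024-01-01 12:00:00 OUT: stat: cannot stat '/etc/shadow': Permission denied
2024-01-01 12:00:01 CMD: /usr/sbin/auditctl -l
2024-01-01 12:00:01 OUT: You must be root to run this program.
2024-01-01 12:00:02 CMD: /usr/bin/cat /etc/ssh/sshd_config
2024-01-01 12:00:02 OUT: cat: /etc/ssh/sshd_config: Permission denied
2024-01-01 12:00:03 CMD: /usr/bin/grep -i pass /etc/login.defs
2024-01-01 12:00:03 OUT: PASS_MAX_DAYS 99999
EOF
)

# Print the unique executables (first token of each CMD line) whose following
# OUT line looks like a privilege failure. Commands that succeeded as the
# unprivileged account are left out, since they need no sudo entry.
failed_commands() {
  # $1 = log text
  printf '%s\n' "$1" | awk '
    / CMD: / { sub(/^.* CMD: /, ""); cmd = $1; next }
    / OUT: / && cmd != "" {
      if ($0 ~ /Permission denied|must be root|Operation not permitted/) print cmd
      cmd = ""
    }' | sort -u
}

# Render a sudoers fragment that lets the service account run exactly those
# executables as root, and nothing else.
sudoers_fragment() {
  # $1 = service account, $2 = newline-separated list of absolute executable paths
  local user=$1 cmds
  cmds=$(printf '%s\n' "$2" | awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { print "" }')
  printf 'Cmnd_Alias INSIGHTVM_POLICY = %s\n' "$cmds"
  printf '%s ALL=(root) NOPASSWD: INSIGHTVM_POLICY\n' "$user"
}

# Stand-alone usage: print the fragment and, where visudo is available,
# syntax-check it before it is dropped into /etc/sudoers.d/.
fragment=$(sudoers_fragment svc_ivm "$(failed_commands "$SAMPLE_LOG")")
printf '%s\n' "$fragment"
if command -v visudo >/dev/null 2>&1; then
  tmp=$(mktemp)
  printf '%s\n' "$fragment" > "$tmp"
  visudo -c -f "$tmp" || echo "visudo rejected the fragment; fix it before installing"
  rm -f "$tmp"
fi
```

Two caveats a practitioner will want before installing the result. First, the approach only helps if the scanner actually invokes these commands through sudo, with the same absolute paths the fragment lists, so compare against what the log shows being executed. Second, a sudoers entry for `cat`, `grep`, `find` or any shell or interpreter with unrestricted arguments is root-equivalent in practice (the account can read `/etc/shadow` or write arbitrary files through it), so a "minimal" list built this way reduces the surface only modestly; review each entry rather than trusting the generated alias blindly, and re-run the extraction whenever the policy version changes.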

Agree with Connor’s response. Also wanted to add, future RHEL updates may require additional future commands, so sudo access is future-proof.

The solution to the problem may be the Scan Assistant; is there any planned release date for the Linux version?