Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Scanning CP Platform 6.11.x with an external Tenable Nessus scanner

  • 1.  Scanning CP Platform 6.11.x with an external Tenable Nessus scanner

    Posted Feb 28, 2023 04:26 PM

    I'm dealing with the "powers that be" and they want to do routine, automated scans of my ClearPass Platform 6.11.x system with a Nessus agent and I have to prove that this simply isn't possible. What would be perfect is a statement out of Aruba that this isn't possible, but that I can't find. Barring that, can anybody point to a tech doc that specifies how one elevates privileges on the system, so I can show them that this involves a one-time password and the direct involvement of Aruba Tech Support, so automated scanning isn't possible? On other systems the Tenable Nessus agent does an ssh to the system, then via sudo elevates to root privileges and then scans the system, looking at RPMs and configuration issues to produce a report about the vulnerabilities on the system.

    Having worked with Aruba's Tech Support to do simple things as root, I just can't see how this can be done, but I need proof.

    Sorry for the strange request -

    M-



  • 2.  RE: Scanning CP Platform 6.11.x with an external Tenable Nessus scanner

    EMPLOYEE
    Posted Mar 06, 2023 06:55 AM

    There is no (full) shell access in ClearPass, just the appadmin access to the configuration shell (menu driven, hardened).

    It's not possible to install your own packages on ClearPass, because it's not a general purpose operating system but a hardened security appliance.

    You can check the ClearPass hardening guide for the available accounts (page numbered 34 and further) and find that there is no root access or even full shell access, except for TAC and then only with cooperation of the customer.

    For vulnerabilities, your security team can use the Aruba Support Portal.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------