Enable authenticated security scans

General considerations

Every INFN Cloud virtual machine is scanned periodically and automatically for security issues.

These scans are unauthenticated, i.e. security-related information is collected from outside the virtual machine by contacting it over the network.

In general, these scans are powerful enough to identify a fair number of security issues, but not all of them: software installed on the VM that is not usually exposed to the network can still be insecure and can be used by malicious users to gain unauthorized control of the virtual machine.

For this reason, authenticated security scans perform additional checks by logging into the virtual machine.

Users who want a higher level of security for their deployment are encouraged to enable authenticated security scans.

Enable authenticated security scans

To enable authenticated security scans, follow the procedure described here, which is also reproduced below.

  1. connect via ssh to your deployment
  2. gain root access
       sudo -i
  3. copy the script from https://baltig.infn.it/infn-cloud/users_utils/-/raw/main/enable-authenticated-scans.sh
       curl -LO https://baltig.infn.it/infn-cloud/users_utils/-/raw/main/enable-authenticated-scans.sh
       chmod +x enable-authenticated-scans.sh
  4. execute the script. It creates the “scans” unprivileged user on the virtual machine and allows the automatic scan system to log in via its public ssh key:
       ./enable-authenticated-scans.sh
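
After the procedure above, it is worth confirming that the new account really is unprivileged and that its key file is sane. The following check is an added example, not part of the INFN Cloud script; the administrative group names, the key location (.ssh/authorized_keys under the account's home directory, the OpenSSH default) and the --live switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the account created by enable-authenticated-scans.sh.

# account_is_unprivileged PASSWD_FILE GROUP_FILE USER
# Succeeds only if USER exists, has non-zero UID and GID, and is not listed
# in an administrative group (group names below are an assumption).
account_is_unprivileged() {
    passwd_file=$1 group_file=$2 user=$3
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }' "$passwd_file")
    [ -n "$entry" ] || { echo "FAIL: user $user not found"; return 1; }
    uid=${entry%%:*} gid=${entry##*:}
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "FAIL: $user has uid=$uid gid=$gid"; return 1
    fi
    if awk -F: -v u="$user" '
        $1 ~ /^(sudo|wheel|admin|root)$/ {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) hit = 1
        }
        END { exit !hit }' "$group_file"; then
        echo "FAIL: $user is a member of an administrative group"; return 1
    fi
    echo "OK: $user is unprivileged (uid=$uid gid=$gid)"
}

# keys_file_is_sane FILE
# Succeeds only if FILE exists, is not group- or world-writable, and holds
# at least one key line; prints the count so unexpected keys stand out.
keys_file_is_sane() {
    file=$1
    [ -f "$file" ] || { echo "FAIL: $file is missing"; return 1; }
    # Characters 6 and 9 of the ls mode string are the group/other write bits.
    case $(ls -ld "$file" | cut -c6,9) in
        --) ;;
        *) echo "FAIL: $file is group- or world-writable"; return 1 ;;
    esac
    keys=$(grep -Evc '^[[:space:]]*(#|$)' "$file" || true)
    [ "$keys" -ge 1 ] || { echo "FAIL: no keys in $file"; return 1; }
    echo "OK: $file holds $keys key line(s)"
}

# On the VM, as root: sh check-scans.sh --live
if [ "${1:-}" = "--live" ]; then
    home=$(awk -F: '$1 == "scans" { print $6; exit }' /etc/passwd)
    account_is_unprivileged /etc/passwd /etc/group scans &&
        keys_file_is_sane "$home/.ssh/authorized_keys"
fi
```

The group check only covers local group membership; sudoers rules can be reviewed separately with sudo -l -U scans.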