For authenticated scanning of Cisco ASA devices you'll need to provide a user account with privilege level 15 (recommended) or an account with a lower privilege level as long as the account has been configured so that it's able to execute all of the commands that are required for scanning these devices.
Important - Please be aware that sensitive configurations could be at risk when you grant access to commands to a user account with a lower privilege level. Please assign the appropriate privilege level per your business needs and your organization's security policies.
For compliance scanning - this high level of privileges is required for the scan to be successful.
For vulnerability scanning - this high level of privileges is required for configuration based checks only. The configuration QID for Cisco ASA is QID 45245 "Cisco ASA Device Configurations Detected". The scan runs the following commands on the device:
show running-config all
show logging
show clock detail
show version
show crypto key mypubkey rsa
show snmp user
show snmp group
show software authenticity running
show interface ip brief
Note - Except for "show version" and "show running-config all", the commands listed above may not produce the required output; whether they do depends on the customer configuration. The compliance scan will fail if "show running-config all" produces no output.
By default, only privilege level 15 supports the command "show running-config all" on Cisco ASA, which means our compliance scan can only be run using privilege level 15. However, you can configure privilege levels for different users to grant different types of access. We require a user account that can run all of the commands required for scanning listed above.
Here's an example of how to give access to a user with privilege level 14.
Note that the command "show running-config all" executes successfully for the user with privilege level 15, but an error appears for the user with privilege level 14 because the command is not supported at the lower privilege level.
User with privilege level 15:

    asa-device# show curpriv
    Username : root
    Current privilege level : 15
    Current Mode/s : P_PRIV
    asa-device# show running-config all
    : Saved
    :
    : Serial Number: xxxxxxxxxxx
    : Hardware: ASAXXXX, 512 MB RAM, CPU Geode 500 MHz
    : ASA Version x.x(x)
    !
    ....
    ....

User with lower privilege level:

    asa-device# show curpriv
    Username : priv14
    Current privilege level : 14
    Current Mode/s : P_PRIV
    asa-device# show running-config all
                               ^
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed
As shown, only privilege level 15 users can execute "show running-config all". The privilege level currently assigned to the running-config command can be confirmed as follows:

    asa-device# show running-config all privilege all | include running-config
    privilege show level 15 mode exec command running-config
Give access to the privilege level 14 user by using the following commands, then confirm the new privilege level of the command:

    asa-device# conf t
    asa-device(config)# privilege show level 14 mode exec command running-config
    asa-device(config)# exit
    asa-device# show running-config all privilege all | include running-config
    privilege show level 14 mode exec command running-config
Now compare the output of the command "show running-config all" and you'll see that it's successful for both users with different privilege levels.
Note - The output you get on your targets may differ due to different versions and configurations.
User with privilege level 15:

    asa-device# show curpriv
    Username : root
    Current privilege level : 15
    Current Mode/s : P_PRIV
    asa-device# show running-config all
    : Saved
    :
    : Serial Number: xxxxxxxxxxx
    : Hardware: ASAXXXX, 512 MB RAM, CPU Geode 500 MHz
    : ASA Version x.x(x)
    !
    ....
    ....

User with lower privilege level:

    asa-device# show curpriv
    Username : priv14
    Current privilege level : 14
    Current Mode/s : P_PRIV
    asa-device# show running-config all
    : Saved
    :
    : Serial Number: xxxxxxxxxxx
    : Hardware: ASAXXXX, 512 MB RAM, CPU Geode 500 MHz
    : ASA Version x.x(x)
    !
    ....
    ....
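Before handing a lower-privilege account to the scanner, it is worth checking that every required command is actually reachable at that account's level rather than finding out from a failed scan. The script below is an added example (not Qualys or Cisco code) that parses the "privilege ... level N mode exec command keyword" lines from "show running-config all privilege all" output and reports which of the commands listed on this page an account at a given level cannot run. It assumes that a "show <keyword> ..." command is governed by the "privilege show" entry whose keyword is the command's second word, and that a keyword with no entry in the output is reported as blocked (cannot be confirmed) rather than assumed allowed. The sample output is constructed; the levels shown for commands other than running-config are illustrative and not a claim about ASA defaults.

```python
"""Check which scan commands an ASA account at a given privilege level can run.

Added example, not Qualys or Cisco code. Assumptions (see lead-in): the
'privilege <show|clear|cmd> level <N> mode <mode> command <keyword>' line
format, 'show <keyword>' mapping to the 'privilege show' entry for <keyword>,
and unknown keywords reported as blocked rather than allowed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Commands this page lists as required for scanning Cisco ASA devices.
REQUIRED_COMMANDS = [
    "show running-config all",
    "show logging",
    "show clock detail",
    "show version",
    "show crypto key mypubkey rsa",
    "show snmp user",
    "show snmp group",
    "show software authenticity running",
    "show interface ip brief",
]

# One 'privilege' line from 'show running-config all privilege all'.
PRIV_LINE = re.compile(
    r"^\s*privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>\S+)\s+command\s+(?P<keyword>\S+)\s*$"
)


def parse_privilege_lines(output: str) -> Dict[Tuple[str, str, str], int]:
    """Map (kind, mode, keyword) -> privilege level required for that command.

    Prompts, banners and other non-privilege lines are ignored."""
    table: Dict[Tuple[str, str, str], int] = {}
    for line in output.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            table[(m["kind"], m["mode"], m["keyword"])] = int(m["level"])
    return table


def required_level(table: Dict[Tuple[str, str, str], int],
                   command: str, mode: str = "exec") -> Optional[int]:
    """Privilege level needed for a 'show <keyword> ...' command, or None when
    the device output has no entry for that keyword (assumption: the second
    word of the command is the keyword the privilege entry is keyed on)."""
    words = command.split()
    if len(words) < 2 or words[0] != "show":
        return None
    return table.get(("show", mode, words[1]))


def commands_blocked(output: str, user_level: int,
                     commands: List[str] = REQUIRED_COMMANDS) -> List[str]:
    """Required commands the account cannot run at user_level: the entry's
    level is higher than the account's, or no entry could be found."""
    table = parse_privilege_lines(output)
    blocked = []
    for cmd in commands:
        lvl = required_level(table, cmd)
        if lvl is None or lvl > user_level:
            blocked.append(cmd)
    return blocked


# Constructed sample output (only the relevant lines). Levels other than
# running-config are illustrative, not a statement about ASA defaults.
SAMPLE_BEFORE = """\
asa-device# show running-config all privilege all
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command version
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command snmp
privilege show level 3 mode exec command software
privilege show level 3 mode exec command interface
privilege show level 15 mode exec command running-config
"""

# Same device after 'privilege show level 14 mode exec command running-config'.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "privilege show level 15 mode exec command running-config",
    "privilege show level 14 mode exec command running-config",
)

if __name__ == "__main__":
    for label, output in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}: level 14 blocked from {commands_blocked(output, 14)}")
```

Paste the real output of "show running-config all privilege all" from your device in place of the constructed sample and run the check for the privilege level of the account you intend to give the scanner; an empty list means every listed command has an entry at or below that level.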