10-07-2024 07:08 AM
We are working on getting authenticated scans working from our Risk department to gather more information, eliminate some false positives, and meet PCI requirements for authenticated scans. We are working with the vendor (Qualys) on this, but it appears that when the scanner logs in it runs many different versions of the "show" command, and a large number of commands, for every scan. I am curious if anyone here has had any experience with authenticated scans?
Thanks,
Joe
01-11-2025 12:42 AM
Hi,
Hope this is still relevant, and maybe it can help someone later.
Here are some steps I would recommend working on with the Risk department to ensure smooth authenticated scans:
Work with the Risk department to ensure only the necessary commands are included in the scan for devices, and confirm that these commands are read-only to prevent accidental changes to the configuration.
Review and tighten the user permissions on the device to make sure the scan account has only the required access (preferably read-only). This limits potential risks and ensures that no unauthorized changes can be made during the scan.
Schedule scans during off-peak times to minimize the impact on production traffic (if possible, of course — there could be cases where this is not feasible depending on the environment and priorities).
Run a test scan first to verify that the desired information is being gathered without causing performance issues or accidental configuration changes. This step will help identify any issues before the actual scan is performed.
There could very well be a correlation between certain commands, such as show crypto * and show version, for example. These commands are often used to check for security vulnerabilities related to specific ciphers/encryptions for the device’s version.
Another example might be running commands like show mka session, show run, show authentication *, and show log, which can be helpful to see which ciphers are used for MACsec, or to check connectivity between devices to ensure they are protected by MACsec and that the session is functioning properly.
Of course, there are many other variations depending on what specific information is being sought.
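As an added example (not code from this thread, from Qualys, or from Cisco), here is one way to do the first two steps above in a checkable form: take the list of commands the scanner was seen to run, sort them into read-only, session-only, and state-changing, and then generate a least-privilege IOS role-based CLI view that permits only the read-only and session-only ones. The captured command list is constructed for illustration; the `parser view` / `commands exec include` syntax is assumed from the IOS role-based CLI access feature, and the view name `SCANNER` is an arbitrary choice.

```python
"""
Audit the commands an authenticated vulnerability scanner runs on a network
device and emit a least-privilege IOS "parser view" from the result.

Added example: not from the thread, Qualys or Cisco. CAPTURED_SCAN_COMMANDS is
constructed; the IOS view syntax is an assumption based on role-based CLI access.
"""
import re

# Verbs that only print device state and do not change it.
READ_ONLY_VERBS = {"show", "dir", "more"}
# Verbs that change only the current CLI session (paging, privilege level).
SESSION_VERBS = {"terminal", "enable"}
# Verbs that alter configuration/state or load the control plane. Never grant.
UNSAFE_VERBS = {"configure", "write", "copy", "reload", "clear", "debug",
                "erase", "delete", "crypto", "no"}

# Constructed sample of what a scanner session might contain (not a real
# Qualys command list); the last three are there to show the audit catching them.
CAPTURED_SCAN_COMMANDS = [
    "terminal length 0",
    "show version",
    "show running-config | include aaa",
    "show crypto *",
    "show mka session",
    "show log",
    "configure terminal",
    "write memory",
    "debug ip packet",
]


def normalize(command):
    """Lower-case, drop output filters ('| include ...'), collapse whitespace."""
    base = command.split("|", 1)[0]
    return re.sub(r"\s+", " ", base).strip().lower()


def classify(command):
    """Return 'read_only', 'session', 'unsafe' or 'unknown' for one command."""
    cmd = normalize(command)
    if not cmd:
        return "unknown"
    verb = cmd.split(" ", 1)[0]
    if verb in READ_ONLY_VERBS:
        return "read_only"
    if verb in SESSION_VERBS:
        return "session"
    if verb in UNSAFE_VERBS:
        return "unsafe"
    return "unknown"  # anything unrecognised needs a human look


def audit(commands):
    """Group a captured command list by category, preserving order."""
    result = {"read_only": [], "session": [], "unsafe": [], "unknown": []}
    for c in commands:
        result[classify(c)].append(c)
    return result


def build_parser_view(commands, view_name="SCANNER"):
    """Emit IOS config lines for a view allowing only read-only/session commands.

    A trailing '*' in the captured command becomes 'include all <prefix>'
    (assumed IOS syntax for allowing every sub-command under a prefix).
    """
    lines = [f"parser view {view_name}", " secret 0 REPLACE-WITH-STRONG-SECRET"]
    seen = set()
    for c in commands:
        if classify(c) not in ("read_only", "session"):
            continue  # unsafe and unknown commands are deliberately left out
        cmd = normalize(c)
        wildcard = cmd.endswith("*")
        cmd = cmd.rstrip("* ").strip()
        if (cmd, wildcard) in seen:
            continue
        seen.add((cmd, wildcard))
        lines.append(f" commands exec include {'all ' if wildcard else ''}{cmd}")
    return lines


if __name__ == "__main__":
    report = audit(CAPTURED_SCAN_COMMANDS)
    for category, cmds in report.items():
        print(f"{category}: {cmds}")
    print("\n".join(build_parser_view(CAPTURED_SCAN_COMMANDS)))
```

Two caveats when using this: `show running-config` is read-only but still reveals the full configuration, including hashed secrets, so the scan account's output should be treated as sensitive; and the view only controls what the account may type, so the audit of the scanner's actual command list (the `unsafe` and `unknown` buckets) is the check to repeat whenever the vendor changes its command set.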