RSA Product /Service Type: Authentication Manager
RSA Version/Condition: 8.x
The following steps are recommended before running a vulnerability scan (such as Nessus, Qualys, Rapid7, etc.) against RSA Authentication Manager.
- Ensure you are running the latest RSA Authentication Manager software version available. Authentication Manager software updates and patches are available for download from the RSA Community. Please follow the documented procedure for installing a software update or patch. Failure to follow the documented procedure could leave the Authentication Manager unstable or broken.
- Secure shell (SSH) is disabled by default on Authentication Manager. It should only be enabled when required for maintenance or troubleshooting, and disabled again once those tasks are complete. Disable SSH via the Operations Console > Administration > Operating System Access.
- The Authentication Manager server runs a hardened operating system and is designed to have a single Linux account for operating system access. This Linux account is called 'rsaadmin'. RSA does not support adding further Linux accounts to the operating system.
- Vulnerability scans can be resource intensive, so consider running them outside peak business hours.
- Please refer to your vulnerability scanner documentation on how to run a vulnerability scan of a Linux server using the 'rsaadmin' account.
- Run the vulnerability scan and review the results.
For more information on security best practices and system hardening, please refer to the RSA Authentication Manager 8.x Security Configuration Guide.
The RSA Vulnerability Response Policy is available at https://www.rsa.com/vulnerability-response-policy/.
Where a customer is running the latest RSA Authentication Manager software version and still has concerns about vulnerabilities reported by the scan, RSA can investigate further.
Please submit the list of CVEs and CVE descriptions to RSA Customer Support.
Submitted vulnerabilities should have a CVE number, where applicable. Please include the vulnerability scan report, the make/model of vulnerability scanner used, and a list of the CVEs in CSV format.
For example:
"CVE Number 2","CVE Description 2"
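An added helper, not part of this RSA article, that turns a scanner export into the two-column CSV list described above and separates out findings that carry no CVE number. The scanner export columns (Plugin ID, CVE, Severity, Name) and the sample rows are constructed assumptions, since export formats differ between scanners.

```python
"""Build the "CVE Number","CVE Description" list for RSA Customer Support
from a scanner export (assumed column layout; sample data is constructed)."""
import csv
import io
import re

# Constructed sample export, not real scan results. Column names are an
# assumption: adjust them to match the scanner actually used.
SAMPLE_SCAN_EXPORT = """\
Plugin ID,CVE,Severity,Name
11111,CVE-2023-0001,High,Example library out of date
22222,"CVE-2023-0001, CVE-2023-0002",Medium,Example library out of date (second plugin)
33333,,Low,Example SSH configuration finding
44444,cve-2022-9999,Critical,Example kernel issue
"""

# Matches a CVE identifier in either case; findall() returns the whole id.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(scan_csv: str):
    """Return ({cve_id: description}, [names of findings with no CVE]).

    Ids are upper-cased and de-duplicated; the first description seen for
    an id is kept. Findings with no CVE are returned separately, because the
    submission asks for a CVE number only 'where applicable'.
    """
    cves, no_cve = {}, []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        ids = [m.upper() for m in CVE_RE.findall(row.get("CVE", ""))]
        if not ids:
            no_cve.append(row["Name"])
            continue
        for cve_id in ids:
            cves.setdefault(cve_id, row["Name"])
    return cves, no_cve


def to_submission_csv(cves: dict) -> str:
    """Render one quoted "CVE Number","CVE Description" row per CVE, sorted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for cve_id in sorted(cves):
        writer.writerow([cve_id, cves[cve_id]])
    return buf.getvalue()


if __name__ == "__main__":
    found, missing = extract_cves(SAMPLE_SCAN_EXPORT)
    print(to_submission_csv(found))
    print("Findings without a CVE (describe by name):", missing)
```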