You can use credentials to grant the Tenable.io scanner local access to scan the target system without requiring an agent. Credentialed scans can perform a wider variety of checks than non-credentialed scans, which can result in more accurate scan results. This facilitates scanning of a very large network to determine local exposures or compliance violations.
Credentialed scans can perform any operation that a local user can perform. The level of scanning depends on the privileges granted to the user account. The more privileges the scanner has via the login account (e.g., root or administrator access), the more thorough the scan results.
Tenable.io logs in to remote Unix hosts via Secure Shell (SSH); for Windows hosts, it uses a variety of Microsoft authentication technologies. Note that Tenable.io also uses the Simple Network Management Protocol (SNMP) to make version and information queries to routers and switches.
You can create and configure credentials in an individual scan or in the credential manager. For more information, see Managed Credentials.
In the Credentials page of a scan or policy, you can configure Tenable.io to use the following types of authentication credentials during scanning:
- Cloud Services.
- Database, which includes MongoDB, Oracle, MySQL, DB2, PostgreSQL, and SQL Server.
- Host, which includes Windows logins, SSH, and SNMPv3.
- Miscellaneous, which includes VMware, Red Hat Enterprise Virtualization (RHEV), IBM iSeries, Palo Alto Networks PAN-OS, and directory services (ADSI and X.509).
- Mobile Device Management.
- Patch Management servers.
- Plaintext authentication mechanisms including FTP, HTTP, POP3, and other services.
Note: Tenable.io opens several concurrent authenticated connections. Ensure that the host being audited does not have a strict account lockout policy based on concurrent sessions.
Note: By default, when you create credentialed scans or policies, hosts are identified and marked with a Tenable Asset Identifier (TAI). This globally unique identifier is written to the host's registry or file system, and subsequent scans can retrieve and use the TAI.
You can enable or disable this option, which is enabled by default, in the Advanced -> General Settings of a scan or policy's configuration settings: Create unique identifier on hosts scanned using credentials.