What information does the Akeyless PAM integration collect?

The Akeyless PAM integration gathers target credentials for use in credentialed scans. Specifically, it collects:

  • Username: The account name used to authenticate to the scan target.

  • Password: The password for the account, retrieved from the Akeyless secret.

  • Escalation Password: If privilege escalation is configured with a separate escalation credential, then an escalation password is collected. The integration does not collect escalation usernames. Enter escalation usernames manually.

  • SSH private key: For SSH-based scans where the secret contains a private key instead of a password.

  • Domain: Optionally retrieved from the secret or from the manually-entered values.

The integration does not collect or transmit vulnerability data. It only retrieves the credentials needed by the scanner to authenticate to the target system.

API requests per target

The integration makes two API requests to Akeyless per scan target: one request to authenticate and obtain an access token, and one request to retrieve the secret value. If privilege escalation is configured with a separate escalation credential, one additional secret retrieval request is made. The integration caches retrieved credentials for the duration of the scan to avoid repeated requests for the same secret.

Credentialed scans

Credentialed scans allow the Tenable scanner to log into the target system directly and perform a deeper assessment than is possible without credentials. This includes checking installed software versions, configuration settings, patch levels, and compliance status.

What the Akeyless PAM integration does not collect

The Akeyless PAM integration is not designed to collect vulnerability data, software inventory, or configuration details from target systems. It only retrieves credentials that the scanner then uses for target authentication. If privilege escalation is configured, the integration does not collect escalation usernames. Enter escalation usernames manually.

Note: To perform compliance audits on target systems, configure additional audit files in your scan policy. The Akeyless PAM integration provides the credentials; compliance audit files define what is checked.

Akeyless PAM integration limitations

  • The integration supports static, rotated and dynamic Akeyless secret types.

  • Store other secrets as JSON objects containing at minimum a password field, an ssh_key field, or plain text. Secrets using other structures may not be parsed correctly.

  • All scan targets using the same credential must share the same Akeyless secret path (Credential ID). To use different credentials for different targets, configure separate scan credentials.

  • The Akeyless host must be network-accessible from the Tenable Nessus scanner.