Debugging CyberArk

To enable debugging when you configure a scan in Nessus, go to Settings->Advanced->Debug Settings and Check Enable plugin debugging. If an issue is found, review the results of plugin Debugging Log Report (84239). If debug output for the system exists in the debug log, one or more of the following files will be present:

  • logins.nasl: Used for Windows credentials. Shows higher level failures in Windows authentication
  • logins.nasl~CyberArk: Used to output specific CyberArk- related debug information
  • ssh_settings: Used for SSH credentials. Shows higher level failures in SSH authentication
  • ssh_settings~CyberArk: Used to output specific CyberArk-related debug information

Example of output:

[2015-11-17 22:17:04] HTTP/1.1 500 Internal Server Error returned
[2015-11-17 22:17:04] HTTP 500 : Server was unable to process request. ---> APPAP004E Password object matching query [Safe=Unix Accounts;UserName=credtester;Folder=Root;Address=192.0.2.26] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password.
[2015-11-17 22:17:04] HTTP/1.1 500 Internal Server Error returned
[2015-11-17 22:17:04] HTTP 500 : Server was unable to process request. ---> APPAP004E Password object matching query [Safe=Unix Accounts;UserName=admin;Folder=Root;Address=192.0.2.26] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password.
[2015-11-17 22:17:04] HTTP/1.1 500 Internal Server Error returned
[2015-11-17 22:17:04] HTTP 500 : Server was unable to process request. ---> APPAP229E Too many password objects matching query [Safe=Unix Accounts;UserName=admin;Folder=Root] were found: (Safe=Unix Accounts;Folder=Root;Object=Operating System-WinDesktopLocal-192.0.2.205-admin, Safe=Unix Accounts;Folder=Root;Object=Operating System-WinDesktopLocal-192.0.2.66-admin and more. See trace log for more information). (Diagnostic Info: 41)

The Nessus Priority Scanning for CyberArk section shows that a single system may send multiple requests that fail before finding a successful one. Because of this, the output to the debugging log may not show an issue with the scan, but it can be used as an audit trail if there is an issue. To address issues using the log, look for the parameters to match the intended query and see what error output was reported for that query. For example, if you intended to scan target 192.0.2.66 using parameters of (Safe=Unix Accounts;UserName=admin;Folder=Root), then you could discern from the log above that the reason the scan failed is because there were too many matching items to this query, and therefore no results were returned.