Scan Results Review

This section can help you interpret the results of your scans and debug failures.

Plugin Families and Plugins

The CyberArk integration is available for several different credential types, but in all cases the Privileged Access Management (PAM) integration executes within the credential’s specific “settings” plugin, which is found in the “Settings” family.

The plugins that call the CyberArk integration are:

  • Windows: logins.nasl

  • SSH: ssh_settings.nasl

  • Database: database_settings.nasl

  • Nutanix: nutanix_settings.nasl

  • VMware vCenter: vmware_vcenter_settings.nasl

  • VMware ESXi: vmware_soap_settings.nasl

  • SNMPv3: snmp_settings.nasl

  • Auto Discovery Only:

    • pam_database_auto_collect.nasl

    • pam_ssh_auto_collect.nasl

    • pam_smb_auto_collect.nasl

Debug Log Reporting

To find debug logs specific to the CyberArk integration, look within the Debugging Log Report plugin output. The plugin output contains debugging logs for the Nessus plugins, including the respective “settings” plugins that use the CyberArk integration. Each CyberArk log is listed under the name of the associated plugin with ~CyberArk appended to it. For example, for SSH settings, debugging logs are found in “ssh_settings.nasl~CyberArk”.

For CyberArk credentials with “Auto-Discovery”, additional collection logs can be found in the Debugging Log Report. These are logged for each particular host in the following logs:

  • Database: pam_database_collect.nbin~CyberArk

  • SSH: pam_ssh_collect.nbin~CyberArk

  • Windows: pam_smb_collect.nbin~CyberArk

The debug logs for CyberArk will contain the details of how the settings plugin communicated with the PAM API. If an error occurred, its details are included in this log file. Errors may result in credentialed checks for the target failing. Common causes of errors include:

  • Incorrect client certificate

  • Error verifying CyberArk SSL certificate

  • Incorrect value given for Object Identifier, Username, or Safe

  • Scanner unable to connect to CyberArk API

  • Incorrect permissions

The Tenable Vulnerability Management Priority Scanning for CyberArk section shows that a single system may send multiple requests that fail before finding a successful one. Because of this, error output in the debugging log may not indicate an issue with the scan, but the log can be used as an audit trail if there is an issue. To address issues using the log, find the entry whose parameters match the intended query and see what error output was reported for that query. For example, if you intended to scan target 192.0.2.66 using parameters of (Safe=Unix Accounts;UserName=admin;Folder=Root), then you can discern from the previous log that the scan failed because too many items matched this query, and therefore no results were returned.
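The triage described above can be scripted. The following is an added example, not Tenable's code: the line layout (target=, query=, result=, detail=) and the sample entries are constructed for illustration and are not the real debug log format, so the regular expression must be adapted to the entries in your own ~CyberArk logs.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout (target=, query=, result=, detail=) is an
# assumption made for this example; it is not the real Nessus debug log format.
SAMPLE_LOG = """\
target=192.0.2.66 query=(Safe=Unix Accounts;UserName=admin) result=error detail="no matching items"
target=192.0.2.66 query=(Safe=Unix Accounts;UserName=admin;Folder=Root) result=error detail="too many matching items"
target=192.0.2.70 query=(Safe=Unix Accounts;UserName=admin) result=error detail="no matching items"
target=192.0.2.70 query=(Safe=Unix Accounts;UserName=admin;Folder=Root) result=ok detail=""
"""

LINE_RE = re.compile(
    r'target=(?P<target>\S+) query=\((?P<query>[^)]*)\) '
    r'result=(?P<result>\w+) detail="(?P<detail>[^"]*)"'
)

def parse_query(text):
    """Split 'Safe=Unix Accounts;UserName=admin' into a dict of parameters."""
    return dict(part.split("=", 1) for part in text.split(";") if "=" in part)

def parse_log(text):
    """Return {target: [(params, result, detail), ...]} in log order."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # skip lines that do not describe a query attempt
            attempts[m["target"]].append(
                (parse_query(m["query"]), m["result"], m["detail"]))
    return attempts

def triage(attempts, target, intended):
    """Explain the outcome for one target and the query the operator intended."""
    tries = attempts.get(target, [])
    if not tries:
        return "no queries logged for target"
    if any(result == "ok" for _, result, _ in tries):
        # Failed requests before a successful one are expected, not a scan issue.
        return "credential retrieved"
    for params, _, detail in tries:
        if params == intended:
            return "intended query failed: " + detail
    return "intended query never sent"
```

A target is reported as failed only when none of its requests succeeded, which keeps the expected failed requests that precede a successful one from being read as scan problems.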