Privilege Escalation With CyberArk Credentials
Required User Role: Standard, Scan Manager, or Administrator
Tenable Nessus Manager supports the use of privilege escalation, such as su and sudo, when using SSH through the CyberArk authentication method.
Before you begin:
- Ensure you have both a Tenable Nessus Manager and CyberArk account.
To configure SSH integration:
- Log in to Tenable Nessus Manager.
- In the left navigation pane, click Scans.
  The Scans page appears.
- Click + New Scan.
  The Scan Templates page appears.
- Select a Scan Template.
  The selected scan template appears.
- In the Name box, type a name for the scan.
- In the Targets box, type an IP address, hostname, or range of IP addresses.
- (Optional) Add a description, folder location, scanner location, and specify target groups.
- Click the Credentials tab.
  The Credentials options appear.
- In the left-hand menu, select SSH.
- Click Authentication method.
  A drop-down appears.
- Select CyberArk.
- An option for CyberArk elevate privileges with appears near the bottom of the configuration page.
  Note: Multiple options for privilege escalation are supported, including su, su+sudo and sudo. For example, if sudo is selected, additional fields for sudo user, Get Escalation Credential By, and Location of sudo (directory) are provided and can be completed to support authentication and privilege escalation through CyberArk Password Vault.
  Note: Additional information about all of the supported privilege escalation types and their accompanying fields can be found in the Nessus User Guide.
- Configure each field for SSH authentication. Refer to the Nessus User Guide to get detailed descriptions for each option.
  Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.
- Click Save.
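The Address mismatch described in the note on the Username option can be checked before the scan runs. The following is an added example, not Tenable or CyberArk code: it compares a constructed list of vault account records against constructed scan targets and flags targets whose credential lookup would fail. The record layout, the names `preflight` and `norm_ip`, and the assumption that the lookup requires the Address field to equal the resolved target IP are illustrative.

```python
import ipaddress

# Constructed sample data (not from a real vault): account Username and
# Address values as they might appear in CyberArk Account Details.
ACCOUNTS = [
    {"username": "svc_scan", "address": "10.0.5.21"},
    {"username": "svc_scan", "address": "db01.example.internal"},
    {"username": "root", "address": "10.0.5.24"},
]
# Constructed scan targets: name typed in the Targets box -> resolved IP.
TARGETS = {
    "web01.example.internal": "10.0.5.21",
    "db01.example.internal": "10.0.5.22",
    "10.0.5.24": "10.0.5.24",
}

def norm_ip(value):
    """Canonical IP string, or None when the value is not an IP literal."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def preflight(username, targets, accounts):
    """Classify each target by whether a credential lookup keyed on
    Username plus Address=<resolved target IP> could find an account.
    Assumption: the lookup needs the Address field to equal that IP."""
    mine = [a["address"] for a in accounts if a["username"] == username]
    account_ips = {norm_ip(a) for a in mine} - {None}
    account_names = {a.lower() for a in mine}
    results = {}
    for name, ip in targets.items():
        if norm_ip(ip) in account_ips:
            results[name] = "ok"
        elif name.lower() in account_names:
            # Account exists, but its Address holds the hostname, not the IP.
            results[name] = "address-is-hostname"
        else:
            results[name] = "no-matching-address"
    return results

if __name__ == "__main__":
    for target, status in preflight("svc_scan", TARGETS, ACCOUNTS).items():
        print(f"{target:28} {status}")
```

Targets reported as `address-is-hostname` have an account for the user, but its Address field would need to hold the target IP for the fetch to succeed under the stated assumption.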


