SSH Integration

To configure SSH integration:

  1. Log in to Tenable Nessus Manager.
  2. Click Scans.
  3. Click + New Scan.

    The Scan Templates page appears.

  4. Select a Scan Template.

    The selected scan template appears.

  1. In the Name box, type a name for the scan.

  2. In the Targets box, type an IP address, hostname, or range of IP addresses.
  3. (Optional) Add a description, folder location, scanner location, and specify target groups.
  1. Click the Credentials tab.

    The Credentials options appear.

  2. In the left-hand menu, select SSH.
  3. Click Authentication method.

    A drop-down appears.

  4. Select CyberArk.

    The CyberArk SSH options appear.

  5. Configure each field for SSH authentication.

    Option Description Required
    CyberArk Elevate Privileges With

    The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk Elevate Privileges With selection determines the specific options you must configure. For more information, see Privilege Escalation.

    no

    CyberArk Host

    The IP address or FQDN name for the CyberArk AIM Web Service.

    yes

    Port

    The port on which the CyberArk API communicates. By default, Tenable uses 443.

    yes

    AppID

    The Application ID associated with the CyberArk API connection.

    yes

    Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.

    no

    Client Certificate Private Key The file that contains the PEM private key for the client certificate.

    yes, if private key is applied

    Client Certificate Private Key Passphrase The passphrase for the private key, if required.

    yes, if private key is applied

    Kerberos Target Authentication

    If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

    no

    Key Distribution Center (KDC)

    (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

    yes

    KDC Port

    (Required if Kerberos Target Authentication is enabled.) The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

    no yes

    KDC Transport

    (Required if Kerberos Target Authentication is enabled.) The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

    no yes

    Realm

    (Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable ApplianceTenable Security Center uses 443.

    yes

    Get credential by

    The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.

    Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

    Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.

    yes
    Username

    (If Get credential by is Username) The username of the CyberArk user to request a password from.

    no
    Safe

    The CyberArk safe the credential should be retrieved from.

    no
    Address The option should only be used if the Address value is unique to a single CyberArk account credential. no
    Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no

    Use SSL

    If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

    no

    Verify SSL Certificate

    If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

    no

    CyberArk credential field mapping to the CyberArk Accounts detail view in the CyberArk console:

  1. Click Save.

Verification

  1. To verify the integration is working, click the Launch button (highlighted below) to initiate an on-demand scan.

  2. Once the scan has completed, select the completed scan. Look for the corresponding ID (see chart below), which validates that authentication was successful. If the authentication is not successful, refer to the Debugging CyberArk Issues section of this document.