SSH Integration
To configure SSH integration:
- Log in to Tenable Nessus Manager.
- Click Scans.
-
Click + New Scan.
The Scan Templates page appears.
-
Select a Scan Template.
The selected scan template appears.
-
In the Name box, type a name for the scan.
- In the Targets box, type an IP address, hostname, or range of IP addresses.
- (Optional) Add a description, folder location, scanner location, and specify target groups.
-
Click the Credentials tab.
The Credentials options appear.
- In the left-hand menu, select SSH.
-
Click Authentication method.
A drop-down appears.
-
Select CyberArk.
The CyberArk SSH options appear.
-
Configure each field for SSH authentication.
Option Description Required CyberArk Elevate Privileges With The privilege escalation method you want to use to increase users' privileges after initial authentication. Your CyberArk Elevate Privileges With selection determines the specific options you must configure. For more information, see Privilege Escalation.
no CyberArk Host
The IP address or FQDN name for the CyberArk AIM Web Service.
yes
Port
The port on which the CyberArk API communicates. By default, Tenable uses 443.
yes
AppID
The Application ID associated with the CyberArk API connection.
yes
Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host. no
Client Certificate Private Key The file that contains the PEM private key for the client certificate. yes, if private key is applied
Client Certificate Private Key Passphrase The passphrase for the private key, if required. yes, if private key is applied
Kerberos Target Authentication
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.
no
Key Distribution Center (KDC)
(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.
yes
KDC Port
KDC Transport
Realm
(Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable ApplianceTenable Security Center uses 443.
yes
Get credential by The method with which your CyberArk API credentials are retrieved. Can be Address, Identifier, Parameters, or Username.
Note: For more information about the Parameters option, refer to the Parameters Options table.
Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.
yes Username (If Get credential by is set to Username) The username of the CyberArk user to request a password from.
no Safe The CyberArk safe the credential should be retrieved from.
no Address The option should only be used if the Address value is unique to a single CyberArk account credential. no Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no Use SSL
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.
no
Verify SSL Certificate
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.
no
Targets to Prioritize Credentials Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.
Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.
no Parameters Options
The following options can be specified when Get Credential By is set to Parameters. These request parameters allow for advanced filtering of accounts based on their properties. The options correspond to the various options supported by the CyberArk REST API, as found in CyberArk documentation. These options can be specified in many different combinations to filter account results by their properties. For example, specifying Root as the Folder option results in a REST API query containing &Folder=Root.
Option Description Required Safe
The safe containing the credential.
no
Address
Limit the query to accounts matching the specified address.
no
Use Target IP Address
(Optional) When enabled, the integration appends the target address to the credential query, which limits the query to accounts matching the scan target’s address. This is ignored if Address is set.
no
Username The username of the credential. no
Account Name The unique identifier assigned to the credential. no
Folder The folder of the credential. no
Database
The database of the credential.
no
Query
Specify a custom “free query” using account properties. When this method is specified, all other search criteria are ignored.
no
Query Format
Defines the query format. allowed values are Exact and Regexp. The default is Exact. This value is ignored unless the Query option was specified.
no
CyberArk credential field mapping to the CyberArk Accounts detail view in the CyberArk console:
-
Click Save.
Verification
-
To verify the integration is working, click the Launch button (highlighted below) to initiate an on-demand scan.
-
Once the scan has completed, select the completed scan. Look for the corresponding ID (see chart below), which validates that authentication was successful. If the authentication is not successful, refer to the Debugging CyberArk Issues section of this document.
