Database Auto-Discovery
Because database authentication requires additional data, you need to configure new user interface field properties in CyberArk and PrivateArk in addition to the default account properties. Port and Database already exist, but some database platforms in CyberArk need them added to the platform's user interface properties. AuthType and ServiceType are new, so you must first add them to PrivateArk and then add them to the user interface properties of the applicable database platform type in the CyberArk web console.
Note: The Address field in the CyberArk Account Details for an account/host must contain a valid IP address or FQDN that resolves on the user's network. This value is vetted during the collection and discovery process; Address values that are null or unresolvable are not added to the scan.
Note: All database types in Tenable are supported (Oracle, DB2, Cassandra, MySQL, PostgreSQL, Sybase ASE, MongoDB, and SQL Server).
The following tables list the required fields and the database types they apply to.
Oracle

Field name | Description | Field value |
---|---|---|
Port | The port the database instance is running on. | Example: 1521 |
AuthType | Method used to authenticate to the database. | SYSDBA or SYSOPER or NORMAL |
Database | Instance or database name. | Example: orcl |
ServiceType | Type of service on the database. | SID or SERVICE_NAME |

MongoDB

Field name | Description | Field value |
---|---|---|
Port | The port the database instance is running on. | Example: 27017 |
Database | Instance or database name. | Example: MongoDB 5 |

PostgreSQL

Field name | Description | Field value |
---|---|---|
Port | The port the database instance is running on. | Example: 5432 |
Database | Instance or database name. | Example: Postgre |

Cassandra

Field name | Description | Field value |
---|---|---|
Port | The port the database instance is running on. | Example: 9042 |

DB2

Field name | Description | Field value |
---|---|---|
Port | The port the database instance is running on. | Example: 50000 |
Database | Instance or database name. | Example: DB2_admin |

MySQL

Field name | Description | Field value |
---|---|---|
Port | The port the database instance is running on. | Example: 3306 |

SQL Server

Field name | Description | Field value |
---|---|---|
Port | The port the database instance is running on. | Example: 1433 |
AuthType | Method used to authenticate to the database. | Windows or SQL |
Database | Instance or database name. | Example: SQLEXPRESS |
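The Address note and the per-platform tables above together define which CyberArk accounts can actually feed a scan. The following pre-flight checker is an added example, not Tenable's or CyberArk's code: it encodes those rules (a non-empty IP or FQDN that resolves, the required fields for each database type, and the enumerated AuthType/ServiceType values) and reports why an account would be left out before the scan is run. The flat dict layout of an account record, the `PlatformType` key, the `Name` key and the pluggable `resolver` hook are assumptions made for illustration; the sample records are constructed.

```python
"""Pre-flight check for CyberArk database accounts before Tenable auto-discovery.

Added example (not Tenable's or CyberArk's code). It encodes the rules stated on
this page:
- Address must be a non-empty IP or FQDN that resolves on the user's network;
  otherwise the account is not added to the scan.
- Each database platform needs the fields listed in its table (Port, Database,
  AuthType, ServiceType as applicable), and AuthType/ServiceType must use the
  listed values.
The dict layout of an account record, the "PlatformType"/"Name" keys and the
pluggable resolver are assumptions made for illustration.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

Account = Dict[str, str]
Resolver = Callable[[str], bool]

# Required fields per database type, taken from the tables on this page.
REQUIRED_FIELDS: Dict[str, tuple] = {
    "Oracle": ("Port", "AuthType", "Database", "ServiceType"),
    "MongoDB": ("Port", "Database"),
    "PostgreSQL": ("Port", "Database"),
    "Cassandra": ("Port",),
    "DB2": ("Port", "Database"),
    "MySQL": ("Port",),
    "SQL Server": ("Port", "AuthType", "Database"),
}

# Enumerated values the page lists for AuthType and ServiceType.
ALLOWED_VALUES: Dict[tuple, set] = {
    ("Oracle", "AuthType"): {"SYSDBA", "SYSOPER", "NORMAL"},
    ("Oracle", "ServiceType"): {"SID", "SERVICE_NAME"},
    ("SQL Server", "AuthType"): {"Windows", "SQL"},
}


def dns_resolver(host: str) -> bool:
    """Real DNS lookup; a stub is substituted below so the example runs offline."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def address_is_usable(address, resolver: Resolver = dns_resolver) -> bool:
    """An Address is usable when it is a literal IP or a name the resolver can look up."""
    if not address:
        return False  # null/empty Address values are dropped from the scan
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return resolver(address)


def vet_account(account: Account, resolver: Resolver = dns_resolver) -> List[str]:
    """Return the problems with one account; an empty list means it can be scanned."""
    problems: List[str] = []
    platform = account.get("PlatformType")
    if platform not in REQUIRED_FIELDS:
        return [f"unsupported database type {platform!r}"]
    if not address_is_usable(account.get("Address"), resolver):
        problems.append("Address is null or unresolvable; account will not be added to the scan")
    for field in REQUIRED_FIELDS[platform]:
        value = account.get(field)
        if value in (None, ""):
            problems.append(f"missing required field {field}")
            continue
        allowed = ALLOWED_VALUES.get((platform, field))
        if allowed and value not in allowed:
            problems.append(f"{field}={value!r} is not one of {sorted(allowed)}")
    port = account.get("Port")
    if port not in (None, "") and not (str(port).isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"Port={port!r} is not a valid TCP port")
    return problems


def partition_accounts(accounts, resolver: Resolver = dns_resolver):
    """Split accounts into those that join the scan and those rejected, with reasons."""
    scan, rejected = [], {}
    for acct in accounts:
        problems = vet_account(acct, resolver)
        if problems:
            rejected[acct["Name"]] = problems
        else:
            scan.append(acct["Name"])
    return {"scan": scan, "rejected": rejected}


# Constructed sample records (not real CyberArk data).
SAMPLE_ACCOUNTS = [
    {"Name": "ora-prod", "PlatformType": "Oracle", "Address": "10.0.0.5", "Port": "1521",
     "AuthType": "SYSDBA", "Database": "orcl", "ServiceType": "SID"},
    {"Name": "mssql-01", "PlatformType": "SQL Server", "Address": "sql01.example.test",
     "Port": "1433", "AuthType": "Windows", "Database": "SQLEXPRESS"},
    {"Name": "mysql-noaddr", "PlatformType": "MySQL", "Address": "", "Port": "3306"},
    {"Name": "ora-bad", "PlatformType": "Oracle", "Address": "10.0.0.7", "Port": "1521",
     "AuthType": "DBA", "Database": "orcl"},
    {"Name": "mongo-ghost", "PlatformType": "MongoDB", "Address": "mongo.example.test",
     "Port": "27017", "Database": "MongoDB 5"},
]


def stub_resolver(host: str) -> bool:
    """Offline stand-in for DNS: only sql01.example.test 'resolves' (assumed)."""
    return host == "sql01.example.test"


if __name__ == "__main__":
    result = partition_accounts(SAMPLE_ACCOUNTS, stub_resolver)
    print("added to scan:", result["scan"])
    for name, why in result["rejected"].items():
        print(f"rejected {name}: {'; '.join(why)}")
```

Run against real records, pass `dns_resolver` (the default) so names are checked on the same network the scanner uses; the stub only exists so the sample runs without DNS. Running this before saving the scan turns a silent drop during collection into an explicit list of accounts to fix in PrivateArk.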
Requirements:
- CyberArk account
- Nessus Manager account
To configure database auto-discovery:
- Log in to Tenable Security Center.
- Click Scans.
  The My Scans page appears.
- Click + New Scan.
  The Scan Templates page appears.
- Select a Scan Template. For demonstration, the Advanced Network Scan template is used.
  The scan configuration page appears.
- In the Name box, type a name for the scan.
- In the Targets box, type an IP address, hostname, or range of IP addresses.
- (Optional) Add a description, folder location, scanner location, and specify target groups.
- Click the Credentials tab.
  The Credentials pane appears.
- Click the Database option.
  The Database options appear.
- From the Database Type drop-down, select Oracle.
- From the Auth Type drop-down, select CyberArk Database Auto-Discovery.
  The CyberArk Database Auto-Discovery field options appear.
- Configure each field for the Database authentication.

Option | Description | Required |
---|---|---|
CyberArk Host | The IP address or FQDN of the user's CyberArk instance. | yes |
Port | The port on which the CyberArk API communicates. By default, Tenable uses 443. | yes |
AppID | The Application ID associated with the CyberArk API connection. | yes |
Safe | Users may optionally specify a Safe to gather account information and request passwords. | no |
AIM Web | There are two authentication methods established in the feature: IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted. | yes |
CyberArk PVWA Web UI Login Name | Username to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. | yes |
CyberArk PVWA Web UI Login Password | Password for the username used to log in to the CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. | yes |
CyberArk Platform Search String | String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter Oracle Admin TestSafe to gather all Oracle platform accounts containing the username Admin in a Safe called TestSafe. Note: This is a non-exact keyword search. A best practice is to create a custom platform name in CyberArk and enter that value in this field to improve accuracy. | yes |
Use SSL | If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. | yes |
Verify SSL Certificate | If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. | no |
Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Tenable Security Center User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).
- Click Save.