SSH (Legacy) Privilege Escalation Integration
To configure SSH integration:
- Log in to Tenable Security Center.
-
In the top navigation bar, click Scanning.
A menu appears.
-
Click Credentials.
The Credentials page appears.
-
In the SSH section, click CyberArk Vault.
The Add Credential page appears.
-
In the CyberArk Vault Credentials section, click Privilege Escalation.
The Privilege Escalation options appear.
Option Description Required Username
The username of the target system.
yes
CyberArk AIM Service URL
The URL for the CyberArk AIM web service. By default, Security Center for CyberArk uses /AIMWebservice/v1.1/AIM.asmx.
no
Central Credential Provider Host
The CyberArk Central Credential Provider IP/DNS address.
yes
Central Credential Provider Port
The port on which the CyberArk Central Credential Provider is listening.
yes
Central Credential Provider Username
The username of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.
no
Central Credential Provider Password
The password of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication.
no
Safe
The safe on the CyberArk Central Credential Provider server that contained the authentication information that you want to retrieve.
yes
CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host. no
CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate. no
CyberArk Client Certificate Private Key Passphrase The passphrase for the private key, if required. no
AppId
The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.
yes
Folder
The folder on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve.
yes
PolicyId
The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider.
no
Use SSL
If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication.
no
Verify SSL Certificate
If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate check this. Refer to custom_CA.inc documentation for how to use self-signed certificates.
no
CyberArk Account Details Name The unique name of the credential you want to retrieve from CyberArk. no
CyberArk Address The domain for the user account. no
CyberArk elevate privileges with The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. no
Custom password prompt The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Security Center for CyberArk receiving an unrecognized password prompt on the target host's interactive SSH shell. no
Note: Multiple options for Privilege Escalation are supported, including su, su+sudo and sudo. If sudo is selected, additional fields for sudo user, CyberArk Account Details Name and Location of sudo (directory) are provided and can be completed to support authentication and privilege escalation through CyberArk. See the Tenable Security Center User Guide for additional information about the supported privilege escalation types and their accompanying fields.
-
Configure each field for SSH authentication. See Tenable Security Center User Guide to get detailed descriptions for each option.
- Click Submit.
- Next, follow the steps for Add the Credential to the Scan.