SSH Privilege Escalation Integration
To configure SSH integration:
- Log in to Tenable Security Center.
-
In the top navigation bar, click Scanning.
A menu appears.
-
Click Credentials.
The Credentials page appears.
-
In the SSH section, click CyberArk Vault.
The Add Credential page appears.
-
In the CyberArk Vault Credentials section, click Privilege Escalation.
The Privilege Escalation options appear.
Option Description Required CyberArk Host
The IP address or FQDN name for the CyberArk AIM Web Service.
yes
Port
The port on which the CyberArk API communicates. By default, Tenable uses 443.
yes
AppID
The Application ID associated with the CyberArk API connection.
yes
Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.
Note: Customers self-hosting CyberArk CCP on a Windows Server 2022 and above should follow the guidance found in Tenable’s Community post about CyberArk Client Certification Authentication Issue.
no
Client Certificate Private Key The file that contains the PEM private key for the client certificate. yes, if private key is applied
Client Certificate Private Key Passphrase The passphrase for the private key, if required. yes, if private key is applied
Kerberos Target Authentication
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.
no
Key Distribution Center (KDC)
(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.
yes
KDC Port
KDC Transport
Realm
(Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Security Center for CyberArkTenable Security Center uses 443.
yes
Get credential by The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address.
Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.
yes Username (If Get credential by is Username) The username of the CyberArk user to request a password from.
no Safe The CyberArk safe the credential should be retrieved from.
no Address The option should only be used if the Address value is unique to a single CyberArk account credential. no Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no Use SSL
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.
no
Verify SSL Certificate
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.
no
CyberArk credential field mapping to the CyberArk Accounts detail view in the CyberArk console:
Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address.
Note: Multiple options for Privilege Escalation are supported, including su, su+sudo and sudo. If sudo is selected, additional fields for sudo user, CyberArk Account Details Name and Location of sudo (directory) are provided and can be completed to support authentication and privilege escalation through CyberArk. See the Tenable Security Center User Guide for additional information about the supported privilege escalation types and their accompanying fields.
-
Configure each field for SSH authentication. See Tenable Security Center User Guide to get detailed descriptions for each option.
- Click Submit.
- Next, follow the steps for Add the Credential to the Scan.
