Privilege Escalation with CyberArk (Legacy) Credentials

Caution: Support for SOAP requests are no longer be supported by CyberArk as of December 31, 2024. If you are using the CyberArk Legacy Integration which utilizes SOAP for API requests, Tenable recommends using our non-Legacy CyberArk Integration which supports REST API requests.

Tenable Vulnerability Management supports the use of privilege escalation, such as su and sudo, when using SSH through the CyberArk authentication method.

To configure SSH integration:

  1. Log in to Tenable Vulnerability Management.
  2. Click Scans.
  3. Click + New Scan.

  4. Select a Scan Template.

    The scan configuration page appears.

  5. In the Name box, type a name for the scan.

  6. In the Targets box, type an IP address, hostname, or range of IP addresses.
  7. (Optional) Add a description, folder location, scanner location, and specify target groups.
  8. Click the Credentials tab.

    The Credentials options appear.

  9. In the Select a Credential menu, select the Host drop-down.
  10. Select SSH as the Type and CyberArk as the Authentication Method.

  11. Select an option for the CyberArk Elevate Privileges With field.

    Note: Multiple options for privilege escalation are supported, including su, su+sudo and sudo. For example, if sudo is selected, additional fields for sudo user, CyberArk Account Details Name and Location of sudo (directory) are provided and can be completed to support authentication and privilege escalation through CyberArk Password Vault.

    Note: Additional information about all of the supported privilege escalation types and their accompanying fields can be found in the Tenable Vulnerability Management User Guide.

  12. Complete the privilege escalation options and click Save.
Note: When asked for a CyberArk Account Details Name, perform the following steps to obtain the correct value:
1. Log in to CyberArk Password Vault.
2. Choose the secret (password) you wish to use.
3. Look at the name parameter (such as in the image below) in the Account Details page; this is the value to supply in the CyberArk Account Details Name field.