Integration Tips
Fudo Enterprise is required
There are two Fudo PAM products, Fudo ONE (free version) and Fudo Enterprise (paid version). Currently, Tenable for Fudo is only compatible with Fudo Enterprise, because the integration depends on the secret checkout protocol, which Fudo ONE does not provide.
Target username is required
You have to specify the user to log into the target system. This is due to how Fudo’s Secret Checkout API currently functions. The same is true for privilege escalation: if an escalation user (i.e., the user to escalate to) is needed, it must be entered.
API Authentication
The integration authenticates to the API using the specified API username and password. These should be the username and password of a user that has access to the Fudo PAM portal as well as to the desired target account(s). The integration first authenticates to the Fudo Access Gateway using the API username and password to retrieve a session ID, which is used to authenticate subsequent requests.
Account Name, Account ID, or Address
To check out the credential, you may enter the name of the account (Fudo Account Name) or an exact account ID (Fudo Account ID). When using the account name, the integration must make an additional HTTP request to list accounts, and then checks out the first one whose name matches.
When checking out by Account Name, you may also optionally enter the associated address of the account (Fudo Account Address), or select Use Target Address to further limit credential queries to the target IP address or hostname. It is important to note that Use Target Address overrides anything specified as the Fudo Account Address.
It is also possible to query only by account address. For example, if you omit the account name but specify a Fudo Account Address, the integration lists accounts and uses the first one matching the specified address. The same applies when Use Target Address is selected, in which case the target's IP address or hostname is used as the address and any Fudo Account Address value is ignored.
If none of Fudo Account Name, Fudo Account ID, or Fudo Account Address is specified and Use Target Address is unchecked, the Tenable for Fudo integration does not return any credentials and logs an error in the debug logs.
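The selection rules above (exact ID first; otherwise name and/or address, with Use Target Address overriding Fudo Account Address; an error when no selector is given) can be made concrete with a small resolver. This is an added example, not code from Tenable or Fudo: the account record fields (id, name, address), the sample account listing, and exact string matching on name and address are assumptions, and the real integration talks to the Fudo API rather than to an in-memory list.

```python
import logging
from dataclasses import dataclass
from typing import List, Optional

log = logging.getLogger("tenable_fudo_example")


@dataclass(frozen=True)
class FudoAccount:
    # Assumed shape of one entry from the Fudo "list accounts" response.
    id: str
    name: str
    address: str


class CredentialLookupError(Exception):
    """Raised when the configured selectors cannot identify one account."""


# Constructed sample listing; not real Fudo data. Two accounts share a name so
# that "first match" and the address filters are observable.
SAMPLE_ACCOUNTS: List[FudoAccount] = [
    FudoAccount(id="101", name="svc-scan", address="10.0.0.5"),
    FudoAccount(id="102", name="svc-scan", address="10.0.0.6"),
    FudoAccount(id="103", name="root", address="10.0.0.6"),
]


def resolve_account(
    accounts: List[FudoAccount],
    *,
    account_id: Optional[str] = None,
    account_name: Optional[str] = None,
    account_address: Optional[str] = None,
    use_target_address: bool = False,
    target_address: Optional[str] = None,
) -> FudoAccount:
    """Pick the account the integration would check out, per the page's rules."""
    # An exact account ID needs no listing lookup.
    if account_id:
        for acct in accounts:
            if acct.id == account_id:
                return acct
        raise CredentialLookupError(f"no account with id {account_id!r}")

    # Use Target Address overrides whatever was entered as Fudo Account Address.
    effective_address = target_address if use_target_address else account_address
    if use_target_address and account_address:
        log.debug("Use Target Address set; ignoring Fudo Account Address %r", account_address)

    if not account_name and not effective_address:
        log.error("No Fudo Account Name, ID, or Address configured; no credential returned")
        raise CredentialLookupError("no account selector configured")

    # Name and address are both filters when given; the first listed match wins.
    for acct in accounts:
        if account_name and acct.name != account_name:
            continue
        if effective_address and acct.address != effective_address:
            continue
        return acct

    raise CredentialLookupError(
        f"no account matching name={account_name!r} address={effective_address!r}"
    )


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(resolve_account(SAMPLE_ACCOUNTS, account_name="svc-scan"))
    print(resolve_account(SAMPLE_ACCOUNTS, account_name="svc-scan",
                          account_address="10.0.0.5",
                          use_target_address=True, target_address="10.0.0.6"))
```

The fourth call in the test below is the case the text warns about: Fudo Account Address says 10.0.0.5, but because Use Target Address is checked the target's 10.0.0.6 is what gets matched. Note also that a name shared by several accounts silently resolves to whichever the listing returns first, which is why narrowing by address (or using the exact ID) is the safer configuration.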
Force and Check in Options: Not recommended
Fudo offers an option to check in passwords when the integration is done using them. Fudo also offers the ability to "force" a checkout when another user already has the password checked out. Both options are available when configuring a credential using the integration, but neither is recommended.
Instead of using check in, Tenable recommends configuring a session timeout for secrets, so that secrets are automatically checked in after the scan is complete. Tenable recommends setting a checkout duration that matches or exceeds the estimated duration of the scan.
Privilege Escalation (SSH only)
Selecting a privilege escalation method that requires a password (for example, sudo) gives the same options for selecting an escalation account. In many cases, the escalation password is the same as the login password, and in these cases the escalation parameters may be left blank to default to that password.