Integration Tips
Fudo Enterprise is required
There are two Fudo PAM products, Fudo ONE (free version) and Fudo Enterprise (paid version). Currently, Tenable for Fudo is compatible only with Fudo Enterprise, because the integration depends on Fudo's Secret Checkout API, which is available only in Fudo Enterprise.
Target username is required
For Fudo versions 5.5 and older, you must specify a user to log into the target system, because the v1 Secret Checkout API response does not include the username. The same applies to privilege escalation: if an escalation user (the user to escalate to) is needed, it must be entered.
As of Fudo version 5.6, you are not required to specify a username to log into the target system, because Fudo's v2 Secret Checkout API responses include the username. For privilege escalation, if an escalation user (the user to escalate to) is needed, it still must be entered.
API Authentication
The integration supports two API versions, v1 and v2. API version v1 is present in Fudo Enterprise versions 5.5 and older, while v2 is present in Fudo Enterprise versions 5.6 and newer.
Fudo API v1
Fudo’s API v1 authentication uses a specified API URL in combination with a username and password. These should be the username and password of a user that has access to the Fudo PAM portal as well as to the desired target account(s). The integration first authenticates to the Fudo Access Gateway using the API username and password to retrieve a session ID, which is used to authenticate subsequent requests.
Fudo API v2
Fudo's API v2 authentication uses a specified API URL in combination with an API key. The API key, generated within the Fudo user interface, authenticates the integration and determines which accounts and servers it can access.
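The two authentication styles above, and the username rule from the "Target username is required" section, side by side as an added example. This is not Tenable's or Fudo's code: the endpoint paths, header names, JSON field names and the in-memory gateway are assumptions made so the example runs offline; the real Fudo API details are in Fudo's documentation. What it shows is the shape of each flow: v1 logs in once and reuses a session ID, and its checkout result carries no username, so the caller must supply one; v2 sends the API key on every request and the checkout result already names the account.

```python
"""Session-based (v1) versus API-key (v2) checkout flows.

Added example, not Tenable's or Fudo's code. Endpoint paths, header names,
JSON field names and FakeFudoGateway are assumptions for this example only.
"""
import secrets
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# A transport takes (path, headers, body) and returns the decoded JSON reply.
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


@dataclass
class Checkout:
    password: str
    username: str  # account the scanner will log into the target with


class FakeFudoGateway:
    """Constructed stand-in for a Fudo Access Gateway (assumed behaviour)."""

    def __init__(self) -> None:
        self._portal_users = {"api-user": "api-pass"}          # v1 credentials
        self._api_keys = {"fudo-key-demo"}                      # v2 keys
        self._sessions: Dict[str, str] = {}                     # session id -> user
        self._accounts = {"acct-42": {"login": "svc-scan", "password": "Pa55-demo"}}
        self.logins = 0  # number of v1 logins performed, to show session reuse

    def request(self, path: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        if path == "/v1/login":
            if self._portal_users.get(body.get("username")) != body.get("password"):
                return {"error": "bad credentials"}
            sid = secrets.token_hex(16)
            self._sessions[sid] = body["username"]
            self.logins += 1
            return {"session_id": sid}
        if path == "/v1/checkout":
            if headers.get("X-Session-Id") not in self._sessions:
                return {"error": "unauthenticated"}
            acct = self._accounts.get(body.get("account"))
            # Assumed v1 shape: password only, no username.
            return {"password": acct["password"]} if acct else {"error": "unknown account"}
        if path == "/v2/checkout":
            if headers.get("X-Api-Key") not in self._api_keys:
                return {"error": "unauthenticated"}
            acct = self._accounts.get(body.get("account"))
            # Assumed v2 shape: the response carries the username as well.
            return ({"username": acct["login"], "password": acct["password"]}
                    if acct else {"error": "unknown account"})
        return {"error": "not found"}


class FudoV1Client:
    """v1: authenticate once with username/password, then reuse the session ID."""

    def __init__(self, send: Transport, username: str, password: str) -> None:
        self._send, self._user, self._pass = send, username, password
        self.session_id: Optional[str] = None

    def _login(self) -> None:
        resp = self._send("/v1/login", {}, {"username": self._user, "password": self._pass})
        if "session_id" not in resp:
            raise PermissionError(resp.get("error", "login failed"))
        self.session_id = resp["session_id"]

    def checkout(self, account: str, target_user: Optional[str]) -> Checkout:
        # v1 responses carry no username, so a configured target user is mandatory.
        if not target_user:
            raise ValueError("target username is required with Fudo API v1")
        if self.session_id is None:
            self._login()
        resp = self._send("/v1/checkout", {"X-Session-Id": self.session_id}, {"account": account})
        if "password" not in resp:
            raise PermissionError(resp.get("error", "checkout failed"))
        return Checkout(password=resp["password"], username=target_user)


class FudoV2Client:
    """v2: present the API key on every request; there is no session step."""

    def __init__(self, send: Transport, api_key: str) -> None:
        self._send, self._key = send, api_key

    def checkout(self, account: str, target_user: Optional[str] = None) -> Checkout:
        resp = self._send("/v2/checkout", {"X-Api-Key": self._key}, {"account": account})
        if "password" not in resp:
            raise PermissionError(resp.get("error", "checkout failed"))
        # v2 supplies the username; fall back to a configured one only if it is absent
        # (which wins when both are present is an assumption of this example).
        username = resp.get("username") or target_user
        if not username:
            raise ValueError("no username in response and none configured")
        return Checkout(password=resp["password"], username=username)


if __name__ == "__main__":
    gw = FakeFudoGateway()
    v1 = FudoV1Client(gw.request, "api-user", "api-pass")
    print(v1.checkout("acct-42", "svc-scan"), v1.checkout("acct-42", "svc-scan"), "logins:", gw.logins)
    print(FudoV2Client(gw.request, "fudo-key-demo").checkout("acct-42"))
```

The transport is injected so the same clients can be pointed at a real HTTP layer; the fake gateway only exists so that the two flows can be exercised without a Fudo appliance.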
Force and Check in Options: Not recommended
Fudo offers an option to check in passwords when the integration is done using them. Fudo also offers the ability to "force" checkout if another user has the password checked out. Both options are available when configuring a credential using the integration, but neither is recommended.
Instead of using check in, Tenable recommends configuring a session timeout for secrets, so that each secret is released automatically when its checkout period expires rather than while the scan still needs it. Set a checkout duration that matches or exceeds the estimated duration of the scan.
Privilege Escalation (SSH only)
Selecting a privilege escalation method that requires a password (for example, sudo) presents the same account-selection options as the login account. In many cases the escalation password is the same as the login password; in those cases the escalation parameters may be left blank so that the login password is used.