HashiCorp Vault Additional Information

This section helps you interpret the results of your scans and provides additional guidance for working with the HashiCorp Vault integration.

Helpful Tips

The overall process of the HashiCorp Vault integration follows the same pattern as other PAM integrations:

  • Tenable Vulnerability Management or Tenable Security Center passes the policy and credential values down to Tenable Nessus, including the HashiCorp Vault host, port, and authentication information.

  • The Tenable Nessus scanner communicates with the HashiCorp Vault API, and the API returns the username, password, and/or SSH keys required for target authentication.

  • The scanner uses these values for target authentication.

Testing Integration Connectivity

You can use curl to verify connectivity between the scanner host and the HashiCorp Vault API before running a scan.

Test HashiCorp Vault API Login:

curl --request POST \
  --data '{"role_id": "YOUR-ROLE-ID-HERE", "secret_id": "YOUR-SECRET-ID-HERE"}' \
  https://your-vault-server:443/v1/auth/approle/login

A response of 200 confirms the HashiCorp Vault API is reachable and the role and secret IDs are valid. A response of 400 confirms reachability but indicates invalid credentials.

Test secret retrieval (using the token from the login response above):

curl --request GET \
  --header "X-Vault-Token: hvs.YourVaultTokenHere" \
  --header "Accept: application/json" \
  https://your-vault-server:443/v1/secrets_engine/data/secret_name

A successful request returns a 200 response code along with the secret value. A 400 response indicates that the authentication method does not have an Access Role granting read access to that path.
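The two curl tests above can be chained into one check that logs in with AppRole, reads the KV secret with the returned token, and reports the same diagnoses the text gives for each status code. This is an added example, not Tenable's or HashiCorp's code; VAULT_ADDR, the role and secret IDs, and the KV path are placeholders you must supply, and Vault's response shapes (auth.client_token for a login, data.data for a KV v2 read, errors for a failure) are taken from its HTTP API.

```python
import json
import urllib.error
import urllib.request

VAULT_ADDR = "https://your-vault-server:443"  # placeholder, replace with your server


def vault_request(method, path, body=None, token=None):
    """Send one request to the Vault HTTP API and return (status, parsed JSON body).
    Non-2xx responses are returned too, because Vault puts the reason in {"errors": [...]}."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method)
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def parse_login(status, body):
    """AppRole login: 200 yields the client token; 400 means the server is reachable
    but the role_id/secret_id pair was rejected."""
    if status == 200:
        return body["auth"]["client_token"]
    if status == 400:
        raise PermissionError("Vault reachable, role_id/secret_id rejected: %s" % body.get("errors"))
    raise RuntimeError("unexpected status %d from AppRole login: %s" % (status, body.get("errors")))


def parse_kv2_read(status, body):
    """KV v2 nests the secret under data.data (the outer data holds version metadata).
    Anything other than 200 means the token has no read grant on that path."""
    if status == 200:
        return body["data"]["data"]
    raise PermissionError("read denied on path (HTTP %d): %s" % (status, body.get("errors")))


def fetch_credential(role_id, secret_id, kv_path="/v1/secrets_engine/data/secret_name"):
    """Full chain the scanner performs: login, then read the credential with the token."""
    status, body = vault_request("POST", "/v1/auth/approle/login",
                                 {"role_id": role_id, "secret_id": secret_id})
    token = parse_login(status, body)
    status, body = vault_request("GET", kv_path, token=token)
    return parse_kv2_read(status, body)
```

Run `fetch_credential("YOUR-ROLE-ID-HERE", "YOUR-SECRET-ID-HERE")` from the scanner host; a PermissionError names which of the two steps failed and echoes Vault's own error text.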

Test SSH secrets engine (public key signing):

curl --request POST \
  --header "X-Vault-Token: hvs.YourVaultTokenHere" \
  --header "Content-Type: application/json" \
  --data '{
  "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC..."
  }' \
  https://your-vault-server:443/v1/ssh-client-signer/sign/your-vault-role

Test SSH secrets engine (generating a public and private key pair):

curl --request POST \
  --header "X-Vault-Token: hvs.YourVaultTokenHere" \
  --header "Content-Type: application/json" \
  --data @payload.json \
  https://your-vault-server:443/v1/ssh-client-issuer/issue/your-vault-role