Configure Tenable Nessus with HashiCorp (Windows, SSH, Database and SNMPv3)

Required User Role: Standard, Scan Manager, or Administrator

In Tenable Nessus, you can integrate with HashiCorp Vault using Windows, SSH, Database, or SNMPv3 credentials.

Complete the following steps to configure Tenable Nessus with HashiCorp Vault using Windows, SSH, Database or SNMPv3 credentials.

  1. Log in to your Tenable Nessus user interface.

  2. In the left navigation pane, click Scans.

    The Scans page appears.

  3. In the upper-right corner of the page, click the Create a Scan button.

    The Select a Scan Template page appears.

  4. Select a scan template.

    The scan configuration page appears.

  5. In the Name box, type a name for the scan.

  6. In the Targets box, type an IP address, hostname, or range of IP addresses.

  7. (Optional) Add a description, folder location, scanner location, and specify target groups.

  8. Click the Credentials tab.

    The Credentials pane appears.

  9. In the Select a Credential menu, select Windows, SSH, Database, or SNMPv3 from the options.

    The Settings pane for the selected credential appears.

  10. In the Auth Type drop-down box, click HashiCorp Vault.

    The HashiCorp Vault options appear.

  11. Configure each option for either Windows, SSH, Database, or SNMPv3 authentication.

| Option | Description | Required |
|---|---|---|
| HashiCorp Vault Host | The HashiCorp Vault IP address or DNS address. Note: If your HashiCorp Vault installation is in a subdirectory, you must include the subdirectory path, for example: IP address or hostname/subdirectory path. | Yes |
| HashiCorp Vault Port | The port on which HashiCorp Vault listens. | Yes |
| Port (SNMPv3-only) | The TCP port that SNMPv3 listens on for communications from Tenable Nessus. By default, Tenable uses 161. | Yes |
| Security Level (SNMPv3-only) | The security level for SNMP (set to Authentication and privacy by default): No authentication and no privacy; Authentication without privacy; Authentication and privacy. | Yes |
| Authentication Algorithm (SNMPv3-only) | The algorithms the service supports: SHA1, SHA224, SHA-256, SHA-384, SHA-512, or MD5. | Yes |
| Privacy Algorithm (SNMPv3-only) | The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C, or DES. | Yes |
| Authentication Type | The authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for HashiCorp Client Certificate (Required) and HashiCorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key. | No |
| HashiCorp Client Certificate | The PEM-format client certificate file used for certificate-based authentication to HashiCorp Vault. | Yes, if using Certificate authentication |
| HashiCorp Client Certificate Private Key | The PEM-format private key file corresponding to the Client Certificate. | Yes, if using Certificate authentication |
| HashiCorp Client Certificate Private Key Passphrase | The passphrase protecting the private key, if the Certificate Private Key is encrypted. | No |
| Role ID | The GUID provided by HashiCorp Vault when you configured your App Role. | Yes, if using App Role |
| Role Secret ID | The GUID generated by HashiCorp Vault when you configured your App Role. | Yes, if using App Role |
| Authentication URL | The path/subdirectory to the authentication endpoint, not the full URL. For example: /v1/auth/approle/login | Yes |
| Namespace | The name of a specified team in a multi-team environment. | No |
| Vault Type | The HashiCorp Vault version: KV1, KV2, AD, LDAP, or SSH Signed Certificates. Note: SSH Signed Certificates is an SSH-only option. | Yes |
| KV1 Engine URL | The URL HashiCorp Vault uses to access the KV1 engine. | Yes, if you select the KV1 Vault Type |
| KV2 Engine URL | The URL HashiCorp Vault uses to access the KV2 engine. Note: Enter only the KV mount path, not the full path to the secret. The KV mount path and Secret Name combine to form the request URL. For KV v2, the integration automatically inserts "/data/" into the URL, so do not include it in the mount path. | Yes, if you select the KV2 Vault Type |
| AD Engine URL | The URL HashiCorp Vault uses to access the Active Directory engine. | Yes, if you select the AD Vault Type |
| LDAP Engine URL | The URL HashiCorp Vault uses to access the LDAP engine. | Yes, if you select the LDAP Vault Type |
| SSH Secrets Engine URL (SSH-only) (SSH Signed Certificates-only) | The URL HashiCorp Vault uses to access the SSH secrets engine. | Yes, if you select the SSH Signed Certificates Vault Type |
| Public Key (SSH-only) (SSH Signed Certificates-only) | The file that contains the public key which gets signed by the SSH secrets engine. | No |
| Private Key (SSH-only) (SSH Signed Certificates-only) | The file that contains the PEM private key used for the signed certificate. | No |
| Private Key Passphrase (SSH-only) (SSH Signed Certificates-only) | The passphrase for the private key used to authenticate to the target. | No |
| SSH Signed Certificates Parameters (SSH-only) (SSH Signed Certificates-only) | Optional JSON-formatted parameters file used for generating or signing SSH client keys. | No |
| Username Source | A drop-down box to specify whether the username is entered manually or pulled from HashiCorp Vault. | Yes |
| Username | The name in HashiCorp Vault that usernames are stored under. | Yes, if you select Manual Entry for Username Source |
| Username Key | The name in HashiCorp Vault that usernames are stored under. | Yes, if you select HashiCorp Vault for Username Source |
| Domain Key (Windows-only) | The name in HashiCorp Vault that domains are stored under. | No |
| Password Key | The key in HashiCorp Vault that passwords are stored under. | Yes |
| Authentication Password Key (SNMPv3-only) (KV1 and KV2) | The key in HashiCorp Vault that the SNMPv3 authentication password is stored under. | Yes |
| Privacy Password Key (SNMPv3-only) (KV1 and KV2) | The key in HashiCorp Vault that the SNMPv3 privacy password is stored under. | Yes |
| Passphrase Key | The key in HashiCorp Vault that passphrases are stored under. | Yes |
| Secret Name | The key secret you want to retrieve values for. | Yes |
| Kerberos Target Authentication (Windows and SSH-only) | If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. | No |
| Key Distribution Center (KDC) (Windows and SSH-only) | This host supplies the session tickets for the user. | Yes, if Kerberos Target Authentication is enabled |
| KDC Port (Windows and SSH-only) | The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. | No |
| KDC Transport (Windows and SSH-only) | The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you change the KDC Transport value, you may also need to change the port, because KDC over UDP uses either port 88 or 750 by default, depending on the implementation. | No |
| Domain (Windows-only) | The domain to which Kerberos Target Authentication belongs, if applicable. | Yes, if Kerberos Target Authentication is enabled |
| Realm (SSH-only) | The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). | Yes, if Kerberos Target Authentication is enabled |
| Use SSL | If enabled, Tenable Nessus uses SSL for secure communications. Configure SSL in HashiCorp Vault before enabling this option. | No |
| Verify SSL Certificate | If enabled, Tenable Nessus verifies the SSL certificate. HashiCorp Vault must be using SSL to enable this option. | No |
| Database Port (Database-only) | The port on which Tenable Nessus communicates with the database. | Yes |
| Auth Type (Database-only) | The authentication method for the database credentials. Oracle values include: SYSDBA, SYSOPER, NORMAL. | Yes |
| Service Type (Database-only) (Oracle databases only) | Valid values include: SID and SERVICE_NAME. | Yes |
| Service (Database-only) (Oracle databases only) | A specific field for the database configuration. | Yes |
| Escalate Privileges with (SSH-only) | Use a privilege escalation method such as su or sudo to use extra privileges when scanning. Note: Tenable supports multiple options for privilege escalation, including su, su+sudo, and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through HashiCorp Vault. The Escalation Account Name field is then required to complete your privilege escalation. For more information about supported privilege escalation types and their accompanying fields, see the Tenable Nessus user guide. | Required if you want to escalate privileges |
| Escalation account credential ID or identifier (SSH-only) | If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. | No |
| Targets to Prioritize Credentials | Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma- or space-separated list. Note: Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets to Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. | No |
  12. Do one of the following:

    • If you want to save without launching the scan, click Save.

    • If you want to save and launch the scan immediately, click Save & Launch.

    Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
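The following is an added example, not Tenable or HashiCorp code, showing how the Host, Port, Use SSL, Authentication URL, Namespace, Engine URL and Secret Name fields from the table above combine into Vault API requests, and how the KV1 and KV2 read responses differ when the Username Key, Password Key and Domain Key values are looked up. It assumes the Engine URL is entered as a path such as /v1/secret (mirroring the page's Authentication URL example); all sample data is constructed.

```python
# Added example, not Tenable or HashiCorp code: composes the Vault requests the
# integration's fields describe and reads back a KV1 or KV2 secret. Assumes the
# Engine URL is a path such as /v1/secret; all sample data is constructed.

def vault_base_url(host, port, use_ssl):
    """Host may carry a subdirectory path, e.g. "vault.example.com/vault"."""
    scheme = "https" if use_ssl else "http"
    hostname, _, subdir = host.partition("/")
    url = f"{scheme}://{hostname}:{port}"
    return url + ("/" + subdir.strip("/") if subdir else "")

def approle_login(base, auth_url, role_id, secret_id, namespace=None):
    """AppRole login request: Role ID and Role Secret ID go in the JSON body,
    Namespace (if set) in the X-Vault-Namespace header."""
    req = {"method": "POST", "url": base + "/" + auth_url.lstrip("/"),
           "headers": {}, "json": {"role_id": role_id, "secret_id": secret_id}}
    if namespace:
        req["headers"]["X-Vault-Namespace"] = namespace
    return req

def secret_url(base, vault_type, engine_url, secret_name):
    """Join mount path and Secret Name; KV2 gets /data/ inserted automatically."""
    mount, name = engine_url.strip("/"), secret_name.strip("/")
    if vault_type == "KV2":
        # A mount path that already ends in /data would produce
        # .../data/data/<secret>, a path Vault has no secret at, so reject it.
        if mount.split("/")[-1] == "data":
            raise ValueError("KV2 Engine URL must be the mount path without /data")
        return f"{base}/{mount}/data/{name}"
    if vault_type == "KV1":
        return f"{base}/{mount}/{name}"
    raise ValueError(f"this helper only covers KV1 and KV2, not {vault_type}")

def extract_credential(vault_type, body, username_key, password_key, domain_key=None):
    """KV2 nests the secret under data.data; KV1 returns it directly under data.
    Raise rather than silently scan with an empty password if a key is absent."""
    kv = body["data"]["data"] if vault_type == "KV2" else body["data"]
    missing = [k for k in (username_key, password_key) if k not in kv]
    if missing:
        raise KeyError(f"secret lacks configured key(s): {missing}")
    cred = {"username": kv[username_key], "password": kv[password_key]}
    if domain_key:
        cred["domain"] = kv.get(domain_key)
    return cred

# Constructed KV v2 read response, shaped like the Vault HTTP API returns it.
SAMPLE_KV2 = {"data": {"data": {"user": "svc_scan", "pass": "s3cret", "dom": "CORP"},
                       "metadata": {"version": 3}}}
```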