Configure Tenable Security Center with HashiCorp (Windows, SSH, Database and SNMPv3)
Required User Role: Standard, Scan Manager, or Administrator
In Tenable Security Center, you can integrate with HashiCorp Vault using Windows or SSH credentials.
Complete the following steps to configure Tenable Security Center with HashiCorp Vault using Windows, SSH, Database or SNMPv3 credentials.
- Log in to your Tenable Security Center user interface.
- Click Scanning > Credentials (administrator users) or Scans > Credentials (organizational users).
  The Credentials page appears.
- At the top of the page, click +Add.
  The Add Credential page appears.
- In the Windows, SSH, Database, or SNMPv3 section, click HashiCorp Vault.
  The HashiCorp Vault Add Credential page appears.
- In the Name box, type a name for the credential.
- (Optional) Add a description.
- (Optional) Add a Tag to the credential.
  For additional information about tags, see Tags in the Tenable Security Center documentation.
- Configure each option below for either Windows, SSH, Database, or SNMPv3 authentication.

| Option | Description | Required |
|---|---|---|
| HashiCorp Vault Host | The HashiCorp Vault IP address or DNS address. Note: If your HashiCorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. | Yes |
| HashiCorp Vault Port | The port on which HashiCorp Vault listens. | Yes |
| Port (SNMPv3-only) | The TCP port that SNMPv3 listens on for communications from Tenable Nessus. By default, Tenable uses 161. | Yes |
| Security Level (SNMPv3-only) | The security level for SNMP (set to Authentication and privacy by default). | Yes |
| Authentication Algorithm (SNMPv3-only) | The algorithms the service supports: SHA1, SHA224, SHA-256, SHA-384, SHA-512, or MD5. | Yes |
| Privacy Algorithm (SNMPv3-only) | The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C, or DES. | Yes |
| Authentication Type | Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for HashiCorp Client Certificate (Required) and HashiCorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key. | No |
| HashiCorp Client Certificate | The PEM-format client certificate file used for certificate-based authentication to HashiCorp Vault. | Yes (if using Certificate Authentication) |
| HashiCorp Client Certificate Private Key | The PEM-format private key file corresponding to the Client Certificate. | Yes (if using Certificate Authentication) |
| HashiCorp Client Certificate Private Key Passphrase | The passphrase protecting the private key, if the Certificate Private Key is encrypted. | No |
| Role ID | The GUID provided by HashiCorp Vault when you configured your App Role. | Yes (if using App Role) |
| Role Secret ID | The GUID generated by HashiCorp Vault when you configured your App Role. | Yes (if using App Role) |
| Authentication URL | The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login | Yes |
| Namespace | The name of a specified team in a multi-team environment. | No |
| Vault Type | The HashiCorp Vault version: KV1, KV2, AD, and LDAP. | Yes |
| KV1 Engine URL | The URL HashiCorp Vault uses to access the KV1 engine. | Yes, if you select the KV1 Vault Type |
| KV2 Engine URL | The URL HashiCorp Vault uses to access the KV2 engine. Note: Enter only the KV mount path, not the full path to the secret. The KV mount path and secret name combine to form the request URL. For KV v2, the integration automatically inserts "/data/" into the URL. You do not need to include it in the mount path. | Yes, if you select the KV2 Vault Type |
| AD Engine URL | The URL HashiCorp Vault uses to access the Active Directory engine. | Yes, if you select the AD Vault Type |
| LDAP Engine URL | The URL HashiCorp Vault uses to access the LDAP engine. | Yes, if you select the LDAP Vault Type |
| Username Source | A drop-down box to specify if the username is input manually or pulled from HashiCorp Vault. | Yes |
| Username | The name in HashiCorp Vault that usernames are stored under. | Yes, if you select Manual Entry for Username Source |
| Username Key | The name in HashiCorp Vault that usernames are stored under. | Yes, if you select HashiCorp Vault for Username Source |
| Domain Key (Windows-only) | The name in HashiCorp Vault that domains are stored under. | No |
| Password Key | The key in HashiCorp Vault that passwords are stored under. | Yes |
| Authentication Password Key (SNMPv3-only) | (KV1 and KV2) The key in HashiCorp Vault that the SNMPv3 authentication password is stored under. | Yes |
| Privacy Password Key (SNMPv3-only) | (KV1 and KV2) The key in HashiCorp Vault that the SNMPv3 privacy password is stored under. | Yes |
| Passphrase Key | The key in HashiCorp Vault that passphrases are stored under. | Yes |
| Secret Name | The key secret you want to retrieve values for. | Yes |
| Kerberos Target Authentication (Windows and SSH-only) | If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. | No |
| Key Distribution Center (KDC) (Windows and SSH-only) | This host supplies the session tickets for the user. | Yes, if Kerberos Target Authentication is enabled |
| KDC Port (Windows and SSH-only) | The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. | No |
| KDC Transport (Windows and SSH-only) | The KDC uses TCP by default in Linux implementations. For UDP, change this option. | No |
| Domain (Windows-only) | The domain to which Kerberos Target Authentication belongs, if applicable. | Yes, if Kerberos Target Authentication is enabled |
| Realm (SSH-only) | (Required if Kerberos Target Authentication is enabled.) The Realm is the authentication domain, usually noted as the domain name of the target (e.g., example.com). | Yes, if Kerberos Target Authentication is enabled |
| Use SSL | If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in HashiCorp Vault before enabling this option. | No |
| Verify SSL Certificate | If enabled, Tenable Vulnerability Management verifies the SSL certificate. HashiCorp Vault must be using SSL to enable this option. | No |
| Database Port (Database-only) | The port on which Tenable Vulnerability Management communicates with the database. | Yes |
| Auth Type (Database-only) | The authentication method for the database credentials. Oracle values include: | Yes |
| Service Type (Database-only) | (Oracle databases only) Valid values include: SID and SERVICE_NAME. | Yes |
| Service (Database-only) | (Oracle database only) A specific field for the configuration for the database. | Yes |
| Escalate Privileges with (SSH-only) | Use a privilege escalation method such as su or sudo to use extra privileges when scanning. Note: Tenable supports multiple options for privilege escalation, including su, su+sudo, and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through HashiCorp Vault. The Escalation Account Name field is then required to complete your privilege escalation. For more information about supported privilege escalation types and their accompanying fields, see Privilege Escalation in the Tenable Security Center user guide. | Required if you wish to escalate privileges |
| Escalation account credential ID or identifier (SSH-only) | If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. | No |
| Targets to Prioritize Credentials | Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma- or space-separated list. Note: Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets to Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. | No |

- Do one of the following:
  - If you want to save without launching the scan, click Save.
  - If you want to save and launch the scan immediately, click Save & Launch.
    Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
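The way the HashiCorp Vault Host, Authentication URL, Vault Type, KV Engine URL, Secret Name, Username Key and Password Key options combine into Vault API requests, shown as an added Python example (not Tenable's or HashiCorp's code). The host, port, mount path, key names and the two Vault responses are constructed; the KV v2 "/data/" insertion and the nested data.data response layout follow the table above.

```python
"""Added example: how the Vault credential options combine into Vault API requests.
Not Tenable or HashiCorp code; hosts, paths, keys and responses are constructed."""
import json


def vault_base_url(host: str, port: int, use_ssl: bool) -> str:
    """Build the base URL; the host may carry a subdirectory path, as the form allows."""
    hostname, _, subdir = host.partition("/")
    scheme = "https" if use_ssl else "http"
    return f"{scheme}://{hostname}:{port}" + (f"/{subdir.strip('/')}" if subdir else "")


def secret_url(base: str, vault_type: str, engine_url: str, secret_name: str) -> str:
    """KV1 reads <mount>/<secret>; KV2 reads <mount>/data/<secret>, with "/data/"
    inserted here, so the configured KV2 Engine URL must be the mount path only."""
    mount = engine_url.strip("/")
    if vault_type == "KV2":
        if "/data/" in f"/{mount}/":
            raise ValueError("KV2 Engine URL must not already contain /data/")
        return f"{base}/v1/{mount}/data/{secret_name}"
    if vault_type == "KV1":
        return f"{base}/v1/{mount}/{secret_name}"
    raise ValueError(f"unsupported Vault Type: {vault_type}")


def approle_login(base: str, auth_url: str, role_id: str, secret_id: str) -> tuple:
    """Return the POST target and JSON body for AppRole login; Authentication URL is a path."""
    return f"{base}{auth_url}", {"role_id": role_id, "secret_id": secret_id}


def extract_credentials(vault_type, response_text, username_key, password_key):
    """Pull the configured keys out of a KV read. KV2 nests the secret under
    data.data (data.metadata holds versioning); KV1 puts it directly under data."""
    body = json.loads(response_text)
    kv = body["data"]["data"] if vault_type == "KV2" else body["data"]
    missing = [k for k in (username_key, password_key) if k not in kv]
    if missing:
        raise KeyError(f"secret is missing configured key(s): {missing}")
    return kv[username_key], kv[password_key]


# Constructed responses in the shape Vault returns for KV v1 and KV v2 reads.
KV2_RESPONSE = json.dumps({"data": {"data": {"user": "svc-scan", "pass": "constructed"},
                                    "metadata": {"version": 3}}})
KV1_RESPONSE = json.dumps({"data": {"user": "svc-scan", "pass": "constructed"}})

if __name__ == "__main__":
    base = vault_base_url("vault.example.internal/vault", 8200, use_ssl=True)
    print(approle_login(base, "/v1/auth/approle/login", "ROLE_ID", "SECRET_ID")[0])
    print(secret_url(base, "KV2", "secret", "scanner-creds"))
    print(extract_credentials("KV2", KV2_RESPONSE, "user", "pass"))
```

Feeding a KV2 Engine URL that already ends in /data/ is the common misconfiguration the table warns about; secret_url rejects it rather than producing a doubled path.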