Configure Tenable Vulnerability Management with HashiCorp Vault (Database)

Required User Role: Standard, Scan Manager, or Administrator

In Tenable Vulnerability Management, you can integrate with HashiCorp Vault using database credentials. Complete the following steps to configure Tenable Vulnerability Management with HashiCorp Vault using database.

Enable Database Plugins in the scanner to display them in the output.

Before you begin:

  • Ensure you have both a Tenable Vulnerability Management and HashiCorp Vault account.

To integrate Tenable Vulnerability Management with HashiCorp Vault using database credentials:

  1. Log in to your Tenable user interface.

  2. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  3. In the left navigation plane, click Scans.

    The Scans page appears.

  4. In the upper-right corner of the page, click the Create a Scan button.

    The Select a Scan Template page appears.

  5. Select a scan template.

    The scan configuration page appears.

  6. In the Name box, type a name for the scan.

  7. In the Targets box, type an IP address, hostname, or range of IP addresses.
  8. (Optional) Add a description, folder location, scanner location, and specify target groups.

  9. Click the Credentials tab.

    The Settings pane appears.

  10. Click the Database option.

    The Database options appear.

  11. In the Database Type drop-down box, select Cassandra, Oracle, DB2, MongoDB, PostgreSQL, MySQL, SQL Server, or Sybase ASE.

  12. In the Auth Type drop-down box, click HashiCorp Vault.

    The HashiCorp Vault options appear.

  13. Configure each option for the Database authentication.

    Option Description

    Required
    Hashicorp Vault host

    The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

    		 yes
    Hashicorp Vault port The port on which Hashicorp Vault listens. yes
    Authentication Type

    Specifies the authentication type for connecting to the instance: App Role or Certificates.

    If you select Certificates, additional options for Hashicorp Client Certificate and Hashicorp Client Certificate Private Key appear. Select the appropriate files for the client certificate and private key.

    		 yes
    Role ID The GUID provided by Hashicorp Vault when you configured your App Role. yes
    Role Secret ID

    The GUID generated by Hashicorp Vault when you configured your App Role.

    		 yes
    Authentication URL

    The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

    /v1/auth/approle/login

    yes
    Namespace The name of a specified team in a multi-team environment. no
    Vault Type

    The HashiCorp Vault version: KV1, KV2, AD or LDAP. For additional information about HashiCorp Vault versions, see the HashiCorp Vault documentation.

    		 yes
    KV1 Engine URL

    (KV1) The URL HashiCorp Vault uses to access the KV1 engine.

    Example: /v1/path_to_secret. No trailing /

    		 yes, if you select the KV1 Vault Type
    KV2 Engine URL

    (KV2) The URL HashiCorp Vault uses to access the KV2 engine.

    Example: /v1/path_to_secret. No trailing /

    		 yes, if you select the KV2 Vault Type
    AD Engine URL

    (AD) The URL HashiCorp Vault uses to access the active directory engine.

    Example: /v1/path_to_secret. No trailing /

    		 yes, if you select the AD Vault Type
    LDAP Engine URL

    (LDAP) The URL HashiCorp Vault uses to access the LDAP engine.

    Example: /v1/path_to_secret. No trailing /

    		 yes, if you select the LDAP Vault Type
    Username Source (KV1 and KV2) A drop-down box to specify whether the username is input manually or pulled from Hashicorp Vault. yes
    Username Key (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. yes
    Password Key (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. yes
    Secret Name (KV1, KV2, and AD) The key secret you want to retrieve values for. yes
    Use SSL If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. no
    Verify SSL Certificate If enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no
    Database Port The port on which Tenable Vulnerability Management communicates with the database. yes
    Auth Type The authentication method for the database credentials.

    Oracle values include:

    • SYSDBA
    • SYSOPER
    • NORMAL
    		 yes
    Service Type (Oracle databases only) Valid values include: SID and SERVICE_NAME. yes
    Service (Oracle database only) A specific field for the configuration for the database. yes

  14. Do one of the following:

    • If you want to save without launching the scan, click Save.

    • If you want to save and launch the scan immediately, click Save & Launch.

      Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.