Configure Tenable Vulnerability Management with HashiCorp Vault (Windows and SSH)
Required User Role: Standard, Scan Manager, or Administrator
In Tenable Vulnerability Management, you can integrate with HashiCorp Vault using Windows or SSH credentials. Complete the following steps to configure Tenable Vulnerability Management with HashiCorp Vault using these credentials.
Before you begin:
- Ensure you have both a Tenable Vulnerability Management and HashiCorp Vault account.
To integrate Tenable Vulnerability Management with HashiCorp Vault using Windows or SSH credentials:
- Log in to your Tenable user interface.
-
In the upper-left corner, click the button.
The left navigation plane appears.
-
In the left navigation plane, click Scans.
The Scans page appears.
-
In the upper-right corner of the page, click the Create a Scan button.
The Select a Scan Template page appears.
-
Select a scan template.
The scan configuration page appears.
-
In the Name box, type a name for the scan.
- In the Targets box, type an IP address, hostname, or range of IP addresses.
- (Optional) Add a description, folder location, scanner location, and specify target groups.
-
Click the Credentials tab.
The Credentials pane appears.
- In the Select a Credential menu, select the Host drop-down.
-
Select SSH.
The Settings pane appears.
-
In the Auth Type drop-down box, click HashiCorp Vault.
The HashiCorp Vault options appear.
-
Configure each option for the SSH or Windows authentication.
Windows and SSH Credentials Option Description Required
Hashicorp Vault host The Hashicorp Vault IP address or DNS address.
Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.
yes Hashicorp Vault port The port on which Hashicorp Vault listens. yes Authentication Type Specifies the authentication type for connecting to the instance: App Role or Certificates.
If you select Certificates, additional options for Hashicorp Client Certificate(Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.
yes Role ID The GUID provided by Hashicorp Vault when you configured your App Role. yes Role Secret ID The GUID generated by Hashicorp Vault when you configured your App Role.
yes Authentication URL The path/subdirectory to the authentication endpoint. This is not the full URL. For example:
/v1/auth/approle/login
yes
Namespace The name of a specified team in a multi-team environment. no Vault Type The HashiCorp Vault version: KV1, KV2, AD, or LDAP. For additional information about HashiCorp Vault versions, see the HashiCorp Vault documentation.
yes KV1 Engine URL (KV1) The URL HashiCorp Vault uses to access the KV1 engine.
Example: /v1/path_to_secret. No trailing /
yes, if you select the KV1 Vault Type KV2 Engine URL (KV2) The URL HashiCorp Vault uses to access the KV2 engine.
Example: /v1/kv_mount_name. No trailing /
Note: You cannot use the path to the secret for the KV2 Engine URL because an additional string/segment, data, gets injected into the read request made to Vault for KV v2 stores. Only enter the name of the KV mount, not the path to the secret, in the Engine URL field.
Note: You do not need to include the data segment yourself. If you include it in the secret name/path, the read call to Vault includes /data/data, which is invalid.
yes, if you select the KV2 Vault Type AD Engine URL (AD) The URL HashiCorp Vault uses to access the Active Directory engine.
Example: /v1/path_to_secret. No trailing /
yes, if you select the AD Vault Type LDAP Engine URL (LDAP) The URL HashiCorp Vault uses to access the LDAP engine.
Example: /v1/path_to_secret. No trailing /
yes, if you select the LDAP Vault Type Username Source (KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault. yes Username Key (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. yes Domain Key (KV1 and KV2) The name in Hashicorp Vault that domains are stored under. no Password Key (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. yes Secret Name (KV1, KV2, and AD) The key secret you want to retrieve values for. yes Kerberos Target Authentication
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.
no
Key Distribution Center (KDC)
(Required if Kerberos Target Authentication is enabled.) This host supplies the session tickets for the user.
yes
KDC Port
The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.
no
KDC Transport
The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.
no
Domain (Windows)
(Required if Kerberos Target Authentication is enabled.) The domain to which Kerberos Target Authentication belongs, if applicable.
yes
Realm (SSH)
(Required if Kerberos Target Authentication is enabled.) The Realm is the authentication domain, usually noted as the domain name of the target (e.g., example.com).
yes
Use SSL If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. no Verify SSL Certificate If enabled, Tenable Vulnerability Management uses SSL for secure communications. Hashicorp Vault must be using SSL to enable this option. no Enable for HashiCorp Vault Enables/disables IBM DataPower Gateway use with HashiCorp Vault. yes Escalate Privileges with (SSH) Use a privilege escalation method such as su or sudo to use extra privileges when scanning.
Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through HashiCorp Vault. The Escalation Account Name field is then required to complete your privilege escalation.
Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide and the Tenable Vulnerability Management User Guide.
Required if you wish to escalate privileges. Escalation account credential ID or identifier (SSH) If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. no -
Do one of the following:
-
If you want to save without launching the scan, click Save.
-
If you want to save and launch the scan immediately, click Save & Launch.
Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.
-
What to do next:
Verify the integration is working.
-
On the My Scans page, click the Launch button to initiate an on-demand scan.
-
Once the scan completes, click the completed scan.
The scan details appear.
Look for a message similar to the following:
- For Windows: Microsoft Windows SMB Log In Possible: 10394. This result validates that authentication was successful.
- For SSH: Plugin ID 97993 and the corresponding message - It was possible to log into the remote host via SSH using 'password' authentication. This result validates that authentication was successful.