Configure Tenable Nessus Manager with HashiCorp Vault (SNMPv3)

Required User Role: Standard, Scan Manager, or Administrator

In Tenable Nessus Manager, you can integrate with HashiCorp Vault using the Simple Network Monitoring Protocol version 3 (SNMPv3) credential.

Before you begin:

  • Ensure you have both a Tenable Nessus Manager and HashiCorp Vault account.

To integrate Tenable Nessus Manager with HashiCorp Vault using SNMPv3 credentials:

  1. Log in to your Tenable user interface.

  2. In the left navigation plane, click Scans.

    The Scans page appears.

  3. In the upper-right corner of the page, click the Create a Scan button.

    The Select a Scan Template page appears.

  4. Select a scan template.

    The scan configuration page appears.

  5. In the Name box, type a name for the scan.

  6. In the Targets box, type an IP address, hostname, or range of IP addresses.
  7. (Optional) Add a description, folder location, scanner location, and specify target groups.

  8. Click the Credentials tab.

    The Credentials pane appears.

  9. In the Select a Credential menu, select the Host drop-down.

  10. Select SNMPv3.

    The Settings pane appears.

  11. In the SNMPv3 Authentication Method drop-down box, click HashiCorp Vault.

    The HashiCorp Vault options appear.

  12. Configure each option for the SNMPv3 authentication.

    Option Description Required

    Username

    (Required) The username for the SNMPv3 account that Tenable Nessus uses to perform checks on the target system.

    yes

    Port

    The TCP port that SNMPv3 listens on for communications from Tenable Nessus. By default, Tenable uses 161.

    yes

    SNMPv3 Authentication Method

    The authentication method to SNMPv3. Available options:

    • Password Entry
    • Hashicorp Vault

    Note: Select Hashicorp Vault from the options.

    yes
    Security Level

    The security level for SNMP (set to Authentication and privacy by default):

    • No authentication and no privacy

    • Authentication without privacy

    • Authentication and privacy

    yes
    Authentication Algorithm The algorithm the remove service supports the following: SHA1, SHA224, SHA-256, SHA-384, SHA-512, or MD5.

    yes
    Privacy Algorithm The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C, or DES.

    yes

    Hashicorp Vault Host

    The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

    yes

    Hashicorp Vault Port

    The port on which Hashicorp Vault communicates. By default, Tenable uses 443.

    yes

    Authentication Type

    Specifies the authentication type for connecting to the instance: App Role or Certificates.

    If you select Certificates, additional options for Hashicorp Client Certificate( Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

    yes

    Role ID

    The GUID provided by Hashicorp Vault when you configured your App Role.

    yes

    Role Secret ID

    The GUID generated by Hashicorp Vault when you configured your App Role.

    yes
    Authentication URL

    The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

    /v1/auth/approle/login

    		 yes
    Namespace

    The name of a specified team in a multi-team environment.

    		 no
    Vault Type

    The Hashicorp Vault version: KV1, KV2. For additional information about Hashicorp Vault versions, refer to the HashiCorp Vault documentation.

    		 yes
    KV1 Engine URL (KV1) The URL Hashicorp Vault uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing / yes, if you select the KV1 Vault Type

    KV2 Engine URL

    (KV2) The URL Hashicorp Vault uses to access the KV2 engine.

    Example: /v1/path_to_secret. No trailing /

    yes, if you select the KV2 Vault Type

    Username Source

    (KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault.

    yes
    Username Key (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. yes
    Authentication Password Key (KV1 and KV2) The key in Hashicorp Vault that the SNMPv3 authentication password is stored under. yes
    Privacy Password Key (KV1 and KV2) The key in Hashicorp Vault that the SNMPv3 privacy password is stored under. yes
    Secret Name (KV1, KV2, and AD) The key secret you want to retrieve values for. yes
    Use SSL If enabled, Tenable Nessus Manager uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. no
    Verify SSL Certificate If enabled, validates the SSL certificate. Configure SSL in Hashicorp Vault before enabling this option. no

  13. Do one of the following:

    • If you want to save without launching the scan, click Save.

    • If you want to save and launch the scan immediately, click Save & Launch.

      Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.

What to do next:

Verify the integration is working:

  1. On the My Scans page, click the Launch button to initiate an on-demand scan.

  2. Once the scan completes, select the completed scan and look for the following message:

    For SNMPv3 : Plugin ID 141118. This result validates if It was possible to log into the target SNMPv3 host via the provided credentials from Hashicorp.