Configure Nessus Manager with HashiCorp Vault (Windows and SSH)

Required User Role: Standard, Scan Manager, or Administrator

In Nessus Manager, you can integrate with HashiCorp Vault using Windows or SSH credentials. Complete the following steps to configure Nessus Manager with HashiCorp Vault using these credentials.

Before you begin:

  • Ensure you have both a Nessus Manager and HashiCorp Vault account.

To integrate Nessus Managerwith HashiCorp Vault using Windows or SSH credentials:

  1. Log in to Nessus Manager.

  2. Click Scans.

    The My Scans page appears.

  3. Click + New Scan.

    The Scan Templates page appears.

  4. Select a scan template.

    The selected scan template Settings page appears.

  5. In the Name box, type a name for the scan.

  6. In the Targets box, type an IP address, hostname, or range of IP addresses.
  7. (Optional) Add a Description, Folder location, Scanner location, and specify Target groups.

  8. Click the Credentials tab.

    The Credentials options appear. By default, the Categories drop-down box displays Host.

  9. In the Categories drop-down, click Host.

  10. In the Categories list, click your preferred Host configuration: Windows or SSH.

    The selected configuration options appear.

  11. In the selected configuration window, click the Authentication method drop-down box.

    The Authentication method options appear.

  12. Select HashiCorp Vault.

    The HashiCorp Vault options appear.

  13. Configure the credentials.

    Windows and SSH Credentials
    Option Description

    Required
    Hashicorp Vault host

    The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

    		 yes
    Hashicorp Vault port The port on which Hashicorp Vault listens. yes
    Authentication Type

    Specifies the authentication type for connecting to the instance: App Role or Certificates.

    If you select Certificates, additional options for Hashicorp Client Certificate( Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

    		 yes
    Role ID The GUID provided by Hashicorp Vault when you configured your App Role. yes
    Role Secret ID

    The GUID generated by Hashicorp Vault when you configured your App Role.

    		 yes
    Authentication URL

    The URL Nessus Manager uses to access Hashicorp Vault.

    yes
    Namespace The name of a specified team in a multi-team environment. no
    Vault Type

    The HashiCorp Vault version: KV1, KV2, or AD. For additional information about HashiCorp Vault versions, see the HashiCorp Vault documentation.

    		 yes
    KV1 Engine URL (KV1) The URL HashiCorp Vault uses to access the KV1 engine. yes, if selected for Vault Type
    KV2 Engine URL (KV2) The URL HashiCorp Vault uses to access the KV2 engine. yes, if selected for Vault Type
    AD Engine URL (AD) The URL HashiCorp Vault uses to access the active directory engine. yes, if selected for Vault Type
    Username Source (KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault. yes
    Username Key (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. yes
    Password Key (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. yes
    Secret Name (KV1, KV2, and AD) The key secret you want to retrieve values for. yes
    Use SSL If enabled, Nessus Manager uses SSL through IIS for secure communications. You must configure SSL through IIS in Hashicorp Vault before enabling this option. no
    Verify SSL Certificate If enabled, Nessus Manager validates the SSL certificate. You must configure SSL through IIS in Hashicorp Vault before enabling this option. no
    Enable for HashiCorp Vault Enables/disables IBM DataPower Gateway use with HashiCorp Vault. yes

  14. Click Save.

    Nessus Managersaves the credential.

    The My Scans page appears.

What to do next:

Verify the integration is working.

To verify the integration is working:

  1. On the My Scans page, click the Launch button to initiate an on-demand scan.

  2. Once the scan completes, select the completed scan and look for the following message:

    • For Windows: Microsoft Windows SMB Log In Possible: 10394. This result validates that authentication was successful.
    • For SSH: Plugin ID 97993 It was possible to log into the remote host via SSH using 'password' authentication.