Configure Tenable Vulnerability Management with HashiCorp Vault (SNMPv3)

Required User Role: Standard, Scan Manager, or Administrator

In Tenable Vulnerability Management, you can integrate with HashiCorp Vault using the Simple Network Monitoring Protocol version 3 (SNMPv3) credential.

Before you begin:

• Ensure you have both a Tenable Vulnerability Management and HashiCorp Vault account.

To integrate Tenable Vulnerability Management with HashiCorp Vault using SNMPv3 credentials:

1. Log in to your Tenable user interface.

2. In the left navigation plane, click Scans.

   The Scans page appears.

3. In the upper-right corner of the page, click the Create a Scan button.

   The Select a Scan Template page appears.

4. Select a scan template.

   The scan configuration page appears.

5. In the Name box, type a name for the scan.

6. In the Targets box, type an IP address, hostname, or range of IP addresses.
7. (Optional) Add a description, folder location, scanner location, and specify target groups.

8. Click the Credentials tab.

   The Credentials pane appears.

9. In the Select a Credential menu, select the Host drop-down.

10. Select SNMPv3.

    The Settings pane appears.

11. In the SNMPv3 Authentication Method drop-down box, click HashiCorp Vault.

    The HashiCorp Vault options appear.

12. Configure each option for the SNMPv3 authentication.

    Option	Description	Required
    Username	(Required) The username for the SNMPv3 account that Tenable Vulnerability Management uses to perform checks on the target system.	yes
    Port	The TCP port that SNMPv3 listens on for communications from Tenable Vulnerability Management. By default, Tenable uses 161.	yes
    SNMPv3 Authentication Method	The authentication method to SNMPv3. Available options: Password Entry Hashicorp Vault Note: Select Hashicorp Vault from the options.	yes
    Security Level	The security level for SNMP (set to Authentication and privacy by default): No authentication and no privacy Authentication without privacy Authentication and privacy	yes
    Authentication Algorithm	The algorithm the remove service supports the following: SHA1, SHA224, SHA-256, SHA-384, SHA-512, or MD5.	yes
    Privacy Algorithm	The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C, or DES.	yes
    Hashicorp Vault Host	The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.	yes
    Hashicorp Vault Port	The port on which Hashicorp Vault communicates. By default, Tenable uses 443.	yes
    Authentication Type	Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.	yes
    Role ID	The GUID provided by Hashicorp Vault when you configured your App Role.	yes
    Role Secret ID	The GUID generated by Hashicorp Vault when you configured your App Role.	yes
    Authentication URL	The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login	yes
    Namespace	The name of a specified team in a multi-team environment.	no
    Vault Type	The HashiCorp Vault version: KV1, KV2. For additional information about Hashicorp Vault versions, refer to the HashiCorp Vault documentation.	yes
    KV1 Engine URL	(KV1) The URL Hashicorp Vault uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing /	yes, if you select the KV1 Vault Type
    KV2 Engine URL	(KV2) The URL Hashicorp Vault uses to access the KV2 engine. Example: /v1/path_to_secret. No trailing /	yes, if you select the KV2 Vault Type
    Username Source	(KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault.	yes
    Username Key	(KV1 and KV2) The name in Hashicorp Vault that usernames are stored under.	yes
    Authentication Password Key	(KV1 and KV2) The key in Hashicorp Vault that the SNMPv3 authentication password is stored under.	yes
    Privacy Password Key	(KV1 and KV2) The key in Hashicorp Vault that the SNMPv3 privacy password is stored under.	yes
    Secret Name	(KV1, KV2, and AD) The key secret you want to retrieve values for.	yes
    Use SSL	If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option.	no
    Verify SSL Certificate	If enabled, validates the SSL certificate. Configure SSL in Hashicorp Vault before enabling this option.	no

13. Do one of the following:

    • If you want to save without launching the scan, click Save.

    • If you want to save and launch the scan immediately, click Save & Launch.

      Note: If you scheduled the scan to run at a later time, the Save & Launch option is not available.

What to do next:

Verify the integration is working:

1. On the My Scans page, click the Launch button to initiate an on-demand scan.

2. Once the scan completes, select the completed scan and look for the following message:

   For SNMPv3 : Plugin ID 141118. This result validates if It was possible to log into the target SNMPv3 host via the provided credentials from Hashicorp.