Welcome to Tenable for HashiCorp Vault
This document provides information and steps for integrating Tenable Vulnerability Management, Tenable Nessus, or Tenable Security Center with HashiCorp Vault . For more information, refer to the following product documentation:
HashiCorp Vault provides security administrators with options to secure and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines, applications, and sensitive data using the user interface, CLI, or HTTP API. The Tenable HashiCorp Vault integration provides the ability to use credentials from within HashiCorp Secrets Engine for credentialed scanning of SSH, Windows (SMB), Database, IBM DataPower Gateway, and SNMPv3 target systems. This integration is for use with Tenable Vulnerability Management, Tenable Nessus, or Tenable Security Center for target-based credentialed scanning.
The benefits of integrating Tenable applications with HashiCorp Vault include:
-
Central management of secrets to reduce secrets sprawl
-
Access management to secrets in a multi-cloud world
-
Support for both signed and issued SSH Certificate credentials
-
A streamlined lifecycle of secrets making them easier to consume through various strategies
For additional information about HashiCorp Vault, see the HashiCorp Vault documentation.
What Information Does the HashiCorp Vault Integration Collect?
The HashiCorp integration collects the following credentials during credentialed authentication to target systems:
-
Username: The account identifier employed for authentication on the scanned target.
-
Password: The primary account password, which is sourced from HashiCorp Vault.
-
Escalation Password: A distinct password utilized when privilege escalation is active; escalation usernames are not retrieved automatically as they require manual entry.
-
Passphrase: The specific account passphrase obtained from HashiCorp Vault.
-
SSH Signed Certificate: A certificate retrieved from HashiCorp Vault specifically for SSH-based authentication.
-
SSH Private Key: A private key created inside HashiCorp Vault and pulled by the integration to facilitate SSH authentication.
API requests per target:
The integration executes two API requests to HashiCorp Vault for each scan target: an initial request to authenticate and secure an access token, followed by a subsequent request to fetch the required secret values. In instances where privilege escalation is configured with distinct credentials, the integration performs a third secret retrieval request. To optimize performance and minimize redundant network traffic, the integration caches retrieved credentials for the duration of the scan.
Credentialed scans:
Allow the Tenable scanner to log in to the target system directly and perform a deeper assessment than is possible without credentials. This includes checking installed software versions, configuration settings, patch levels, and compliance status.
What the HashiCorp Vault Integration Does Not Collect
The HashiCorp Vault integration is not designed to collect vulnerability data, software inventory, device inventory, or configuration details from target systems. It only retrieves credentials that the scanner then uses for target authentication.
Note: For compliance audits, add audit files to your scan policy. The HashiCorp integration provides credentials, while the audit files define the checks performed.
HashiCorp Vault Integration Limitations
-
The HashiCorp Vault Host must be network-accessible from the Tenable Nessus scanner.
-
For the SSH Signed Certificates vault type with added parameters, the integration requires the use of an uploaded parameters file in JSON format.