TOC & Recently Viewed

Recently Viewed Topics

Configure Tenable.io for Hashicorp Vault (SSH)

In Tenable.io, you can integrate with Hashicorp Vault using SSH credentials. Complete the following steps to configure Tenable.io with Hashicorp Vault using SSH.

Requirements

  • Tenable.io account
  • Hashicorp Vault account

Required User Role: Standard, Scan Manager, or Administrator

To integrate Tenable.io with Hashicorp Vault using SSH credentials:

  1. Log in to Tenable.io.

  1. In the top navigation bar, click Scans.

    The My Scans page appears

  2. Click + New Scan.

    The Scan Templates page appears.

  3. Select a scan template.

    The selected scan template Settings page appears.

  4. In the Name box, type a name for the scan.

  5. In the Targets box, type an IP address, hostname, or range of IP addresses.
  6. (Optional) Add a description, folder location, scanner location, and specify target groups.
  7. Click the Credentials tab.

    The Credentials options appear. By default, the Categories drop-down box displays Host.

  8. In the left menu, selectSSH.

    The SSH section appears.

  9. In the Windows section, click the Authentication method drop-down box.

    The Authentication method drop-down box options appear.

  10. Select Hashicorp Vault.

    The Hashicorp Vault options appear.

  11. Configure the SSH credentials.

    Option Default Value

    Hashicorp Vault host

    (Required) The Hashicorp Vault IP address or DNS address.

    Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

    Hashicorp Vault port

    (Required) The port on which Hashicorp Vault listens.

    Hashicorp Vault API URL The URL Tenable.io uses to access Hashicorp Vault.

    Authentication Type

    Specifies the authentication type for connecting to the instance: App Role or Certificates

    Role ID

    The GUID provided by Hashicorp Vault when you configured your App Role.

    Role Secret ID

    The GUID generated by Hashicorp Vault when you configured your App Role.

    Authentication URL

    The URL Tenable.io uses to access Hashicorp Vault.

    Namespace The name of a specified team in a multi-team environment.
    KV Engine URL The URL Tenable.io uses to access the Hashicorp Vault secrets engine.

    Username Source

    A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault.

    Username Key

    The key name in Hashicorp Vault that usernames are stored under.

    Password Key The key name in Hashicorp Vault that passwords are stored under.
    Secret Name The key secret you want to retrieve values for.
    Use SSL If enabled, Tenable.io uses SSL through IIS for secure communications. You must configure SSL through IIS in Hashicorp Vault before enabling this option.
    Verify SSL If enabled, Tenable.io validates the SSL certificate. You must configure SSL through IIS in Hashicorp Vault before enabling this option.
  1. Click Save.

What to do next:

To verify the integration is working:

  1. On the My Scans page, click the Launch button to initiate an on-demand scan.

  2. Once the scan has completed, select the completed scan and look for Plugin ID 97993 and the corresponding message - It was possible to log into the remote host via SSH using 'password' authentication. This result validates that authentication was successful.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.