TOC & Recently Viewed

Recently Viewed Topics

Privilege Escalation

Some credential Type and Authentication Method combinations support privilege escalation.

Note: BeyondTrust's PowerBroker (pbrun) and Centrify's DirectAuthorize (dzdo) are proprietary root task delegation methods for Unix and Linux systems.

Tip: Scans run using su+sudo allow the user to scan with a non-privileged account and then switch to a user with sudo privileges on the remote host. This is important for locations where remote privileged login is prohibited.

Note: Scans run using sudo vs. the root user do not always return the same results because of the different environmental variables applied to the sudo user and other subtle differences. For more information, see: https://www.sudo.ws/man/sudo.man.html.

The following table describes the options to configure for privilege escalation. Your Authentication Method and CyberArk elevate privileges with selections determine the specific options you must configure.

Option Description
Escalation Username

(Required for some Kerberos, Password, and Public Key privilege escalations) The username for the account with elevated privileges.

Escalation Password

(Required for some Kerberos, Password, and Public Key privilege escalations) The password for the account with elevated privileges.

Escalation Path (Required for some Kerberos, Password, and Public Key privilege escalations) The directory path for the privilege escalation commands.
Escalation Su User

(Required for some CyberArk, Kerberos, Password, and Public Key privilege escalations) The username for the account with su privileges.

CyberArk Account Details Name

(Required for some CyberArk privilege escalations) The name parameter for the CyberArk account with elevated privileges.

Escalation Account (Required for some CyberArk privilege escalations) The username for the account with elevated privileges.
Escalation sudo user (Required for some CyberArk privilege escalations) The username for the account with sudo privileges.
Location of dzdo (directory) (Required for some CyberArk privilege escalations) The directory path for the dzdo command.
Location of pbrun (directory) (Required for some CyberArk privilege escalations) The directory path for the pbrun command.
Location of su (directory) (Required for some CyberArk privilege escalations) The directory path for the su command.
Location of su and sudo (directory) (Required for some CyberArk privilege escalations) The directory path for the su and sudo commands.
Location of sudo (directory) (Required for some CyberArk privilege escalations) The directory path for the sudo command.
su login (Required for some CyberArk privilege escalations) The username for the account with su privileges.
sudo login (Required for some CyberArk privilege escalations) The username for the account with sudo privileges.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.