Privilege Escalation

Some SSH credential types support privilege escalation.

Note: BeyondTrust's PowerBroker (pbrun) and Centrify's DirectAuthorize (dzdo) are proprietary root task delegation methods for Unix and Linux systems.

Tip: Scans run using su+sudo allow the user to scan with a non-privileged account and then switch to a user with sudo privileges on the remote host. This is important for locations where remote privileged login is prohibited.

Note: Scans run using sudo vs. the root user do not always return the same results because of the different environmental variables applied to the sudo user and other subtle differences. For more information, see https://www.sudo.ws/docs/man/sudo.man/.

The following table describes the additional options to configure for privilege escalation.

Option	SSH Types	Description
Escalation Username	Arcon Kerberos Password Public Key WALLIX Bastion	The username for the account with elevated privileges.
Escalation Password	Kerberos Password Public Key WALLIX Bastion	The password for the account with elevated privileges.
Escalation Path	Arcon Kerberos Password Public Key WALLIX Bastion	The directory path for the privilege escalation commands.
Escalation Su User	Arcon CyberArk Kerberos Password Public Key WALLIX Bastion	The username for the account with su privileges.
Escalation Account Name	Arcon CyberArk Delinea Secret Server	The name parameter for the account with elevated privileges. Note: For CyberArk credentials, the system uses the password associated with the CyberArk account name you provide for all scanned hosts.
CyberArk Escalation Account Details Name	CyberArk	The name parameter for the CyberArk account with elevated privileges. Note: The system uses the password associated with the CyberArk account name you provide for all scanned hosts.
Escalation Account	CyberArk	The username for the account with elevated privileges.
Escalation sudo user	CyberArk	The username for the account with sudo privileges.
Escalation Credential ID	Delinea Secret Server	The secret name in Delinea Secret Server for the account with elevated privileges.
Location of dzdo (directory)	CyberArk Delinea Secret Server	The directory path for the dzdo command.
Location of pbrun (directory)	CyberArk Delinea Secret Server	The directory path for the pbrun command.
Location of su (directory)	CyberArk Delinea Secret Server	The directory path for the su command.
Location of su and sudo (directory)	CyberArk Delinea Secret Server	The directory path for the su and sudo commands.
Location of sudo (directory)	CyberArk Delinea Secret Server	The directory path for the sudo command.
su user	Delinea Secret Server	The username for the account with su privileges.
su login	CyberArk	The username for the account with su privileges.
sudo login	CyberArk	The username for the account with sudo privileges.
Thycotic Escalation Account	Thycotic Secret Server	The name parameter for the Thycotic account with elevated privileges. Note: The system uses the password associated with the Thycotic account name you provide for all scanned hosts.