Configure Tenable Core Multi-Factor Authentication
You can log into the Tenable Core user interface with multi-factor authentication (MFA). This topic explains how to configure MFA for Tenable Core and only applies to the user interface. Using MFA requires a Google Authenticator token.
Note: This feature is not available for the root user.
Note: The multi-factor authentication feature is global and, after this change, all users are required to use MFA to log in.
To enable MFA for Tenable Core user interface login:
- Install the Oracle EPEL repositories by running the following command:
  sudo dnf install oracle-epel-release-el8
  Note: It may require several minutes for the install to complete.
- Disable Oracle EPEL repositories by default by running the following command:
  sudo dnf config-manager --disable 'ol8_developer_EPEL*'
- Install the Google Authenticator client and dependencies by running the following command:
  sudo dnf install --enablerepo=ol8_developer_EPEL google-authenticator qrencode
- For each user that needs to use MFA when logging in to the Tenable Core user interface, do one of the following:
  - Run the following command as the user:
    google-authenticator -t -d -f -u -w 5
    Note: If using the Tenable Core user interface terminal, add -Q utf8 to the google-authenticator -t -d -f -u -w 5 command.
    Note: Running this command for the same user more than once invalidates previous codes.
    - In your authenticator app, scan the QR code.
    - Enter the confirmation code from the app.
    - (Optional, but recommended) Save the emergency scratch codes.
  - Alternatively, for full control over the MFA token creation options, run the following command:
    google-authenticator
- Run the following command:
  sudoedit /etc/pam.d/cockpit
- Under the auth substack password-auth line add:
  auth required pam_google_authenticator.so
- Confirm that the first six lines of the /etc/pam.d/cockpit file look like this:
  #%PAM-1.0
  auth required pam_sepermit.so
  auth substack password-auth
  auth required pam_google_authenticator.so
  auth include postlogin
  auth optional pam_ssh_add.so
  .......
- Log into the Tenable Core user interface.
To disable MFA for Tenable Core user interface login:
- Locate the file /etc/pam.d/cockpit:
  #%PAM-1.0
  auth required pam_sepermit.so
  auth substack password-auth
  auth required pam_google_authenticator.so
  auth include postlogin
  auth optional pam_ssh_add.so
  .......
- Remove the line auth required pam_google_authenticator.so:
  #%PAM-1.0
  auth required pam_sepermit.so
  auth substack password-auth
  auth include postlogin
  auth optional pam_ssh_add.so
  .......
- Save the file.
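The following added example (not part of the Tenable documentation) checks the /etc/pam.d/cockpit edit that both procedures above describe, reporting whether the pam_google_authenticator.so line is present, marked required, and placed directly under the password-auth line. The helper names mfa_pam_status and sample_enabled and the status words are assumptions of this example, and the sample input is constructed from the lines shown on this page.

```shell
#!/bin/sh
# Added example, not a Tenable Core tool. mfa_pam_status and sample_enabled
# are hypothetical helper names; the status words are this example's own.

# Print the MFA state of a PAM service file (path argument, or stdin):
#   enabled       required line sits directly under "auth substack password-auth"
#   disabled      no pam_google_authenticator.so line in the auth stack
#   misordered    line present but not directly under password-auth
#   not-required  line present with a control flag other than "required"
mfa_pam_status() {
    awk '
        $1 != "auth" { next }   # skips #%PAM-1.0, comments, blanks, other stacks
        {
            n++
            if ($2 == "substack" && $3 == "password-auth") pw = n
            for (i = 3; i <= NF; i++)
                if ($i ~ /pam_google_authenticator\.so$/) {
                    ga = n
                    ctl = (i == 3 ? $2 : "complex")
                }
        }
        END {
            if (!ga)                      print "disabled"
            else if (ctl != "required")   print "not-required"
            else if (!pw || ga != pw + 1) print "misordered"
            else                          print "enabled"
        }
    ' "${1:--}"
}

# Constructed sample: the six lines this page shows for the enabled state.
sample_enabled() {
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_sepermit.so' \
        'auth substack password-auth' \
        'auth required pam_google_authenticator.so' \
        'auth include postlogin' \
        'auth optional pam_ssh_add.so'
}

echo "sample (enabled):  $(sample_enabled | mfa_pam_status)"
echo "sample (disabled): $(sample_enabled | grep -v google_authenticator | mfa_pam_status)"

# On a Tenable Core host, also report the live file.
if [ -r /etc/pam.d/cockpit ]; then
    echo "/etc/pam.d/cockpit: $(mfa_pam_status /etc/pam.d/cockpit)"
fi
```

Run it after saving the file and before closing your current session, so a misplaced line is caught while you still have a shell to fix it.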