Host
Tenable Vulnerability Management supports the following forms of host authentication:
Use SNMPv3 credentials to scan remote systems that use an encrypted network management protocol (including network devices). Tenable Vulnerability Management uses these credentials to scan for patch auditing or compliance checks.
Note: SNMPv3 options are only available in the Advanced Network Scan template.
Click SNMPv3 in the Credentials list to configure the following settings:
| Option | Description | Default |
Required |
|---|---|---|---|
|
Username |
|
- | yes |
|
Port |
The TCP port that SNMPv3 listens on for communications from Tenable Vulnerability Management. |
161 | no |
|
Security level |
The security level for SNMP:
|
Authentication and privacy | yes |
|
Authentication algorithm |
The algorithm the remove service supports: , SHA1, SHA224, SHA-256, SHA-384, SHA-512 or MD5. |
SHA1 | yes (if you select authentication) |
|
Authentication password |
|
- | yes (if you select authentication) |
|
Privacy algorithm |
The encryption algorithm to use for SNMP traffic: AES, AES-192, AES-192C, AES-256, AES-256C, or DES. |
AES-192 |
yes (if you select authentication with privacy) |
|
Privacy password |
|
- | yes (if you select authentication with privacy) |
Use SSH credentials for host-based checks on Unix systems and supported network devices. Tenable Vulnerability Management uses these credentials to obtain local information from remote Unix systems for patch auditing or compliance checks. Tenable Vulnerability Management uses Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks.
Tenable Vulnerability Management encrypts the data to protect it from being viewed by sniffer programs.
Note: Non-privileged users with local access on Linux systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.
Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable recommends adding no more than 10 SSH credentials per scan.
Select SSH in the Credentials list to configure the settings for the following SSH authentication methods:
Public Key Encryption, also referred to as asymmetric key encryption, provides a more secure authentication mechanism by the use of a public and private key pair. In asymmetric cryptography, the public key is used to encrypt data and the private key is used to decrypt it. The use of public and private keys is a more secure and flexible method for SSH authentication. Tenable Vulnerability Management supports both DSA and RSA key formats.
Like Public Key Encryption, Tenable Vulnerability Management supports RSA and DSA OpenSSH certificates. Tenable Vulnerability Management also requires the user certificate, which is signed by a Certificate Authority (CA), and the user’s private key.
Note:Tenable Vulnerability Management supports the OpenSSH SSH public key format. Formats from other SSH applications, including PuTTY and SSH Communications Security, must be converted to OpenSSH public key format.
The most effective credentialed scans are when the supplied credentials have root privileges. Since many sites do not permit a remote login as root, Tenable Vulnerability Management can invoke su, sudo, su+sudo, dzdo, .k5login, or pbrun with a separate password for an account that has been set up to have su or sudo privileges. In addition, Tenable Vulnerability Management can escalate privileges on Cisco devices by selecting Cisco ‘enable’ or .k5login for Kerberos logins.
Note:Tenable Vulnerability Management supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms. Some commercial variants of SSH do not have support for the blowfish algorithm, possibly for export reasons. It is also possible to configure an SSH server to accept certain types of encryption only. Check your SSH server to ensure the correct algorithm is supported.
Tenable Vulnerability Management encrypts all passwords stored in policies. However, the use of SSH keys for authentication rather than SSH passwords is recommended. This helps ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a log into a system that may not be under your control.
Note: For supported network devices, Tenable Vulnerability Management only supports the network device’s username and password for SSH connections.
If an account other than root must be used for privilege escalation, it can be specified under the Escalation account with the Escalation password.
| Option | Description | Required |
|---|---|---|
|
Username |
The username to authenticate to the host. |
yes |
|
Private Key |
The RSA or DSA Open SSH key file of the user. |
yes |
|
Private key passphrase |
The passphrase of the Private Key. |
no |
| Elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation. | no |
| Targets to prioritize credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username to authenticate to the host. |
yes |
|
User Certificate |
The RSA or DSA Open SSH certificate file of the user. |
yes |
|
Private Key |
The RSA or DSA Open SSH key file of the user. |
yes |
|
Private key passphrase |
The passphrase of the Private Key. |
no |
| Elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation. | no |
| Targets to prioritize credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.
| Option | Description | Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the CyberArk AIM Web Service. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
| Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
yes, if private key is applied |
|
Kerberos Target Authentication |
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. |
no |
|
Key Distribution Center (KDC) |
(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user. |
yes |
|
KDC Port |
The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. |
|
|
KDC Transport |
The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation. |
|
|
Realm |
(Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable Vulnerability Management uses 443. |
yes |
| Get credential by |
The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address. |
yes |
| Username |
(If Get credential by is Username) The username of the CyberArk user to request a password from. |
no |
| Safe |
The CyberArk safe the credential should be retrieved from. |
no |
| Address | The option should only be used if the Address value is unique to a single CyberArk account credential. | no |
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
no |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
You can now take advantage of a significant improvement to Tenable’s CyberArk Integration which gathers bulk account information for specific target groups without entering multiple targets. For more information, see CyberArk Dynamic Scanning in the Tenable CyberArk Integrations Guide.
| Option | Description | Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the user’s CyberArk Instance. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
| Safe |
Users may optionally specify a Safe to gather account information and request passwords. |
no |
| AIM Web Service Authentication Type | There are two authentication methods established in the feature. IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted. |
yes |
| CyberArk PVWA Web UI Login Name | Username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
| CyberArk PVWA Web UI Login Password | Password for the username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
| CyberArk Platform Search String |
String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe, to gather all UnixSSH platform accounts containing a username Admin in a Safe called TestSafe. Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy. |
yes |
|
Elevate Privileges with |
Users can only select Nothing or sudo at this time. |
no |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
yes |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username of the target system. |
yes |
|
CyberArk AIM Service URL |
The URL for the CyberArk AIM web service. By default, Tenable Vulnerability Management uses /AIMWebservice/v1.1/AIM.asmx. |
no |
|
Central Credential Provider Host |
The CyberArk Central Credential Provider IP/DNS address. |
yes |
|
Central Credential Provider Port |
The port on which the CyberArk Central Credential Provider is listening. |
yes |
|
Central Credential Provider Username |
The username of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication. |
no |
|
Central Credential Provider Password |
The password of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication. |
no |
|
Safe |
The safe on the CyberArk Central Credential Provider server that contained the authentication information that you want to retrieve. |
yes |
| CyberArk Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
| CyberArk Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
no |
| CyberArk Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
no |
|
AppId |
The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. |
yes |
|
Folder |
The folder on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve. |
yes |
|
PolicyId |
The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. |
no |
|
Use SSL |
If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication. |
no |
|
Verify SSL Certificate |
If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate check this. Refer to custom_CA.inc documentation for how to use self-signed certificates. |
no |
| Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
| CyberArk Account Details Name | The unique name of the credential you want to retrieve from CyberArk. |
no |
| CyberArk Address | The domain for the user account. |
no |
| CyberArk elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. |
no |
| Custom password prompt | The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell. |
no |
| Option | Description | Required |
|---|---|---|
| Delinea Authentication Method | Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected. | yes |
|
Delinea Login Name |
The username to authenticate to the Delinea server. |
yes |
|
Delinea Password |
The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. |
yes |
| Delinea API Key | The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected. | yes |
|
Delinea Secret |
The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server. |
yes |
|
Delinea Host |
The Delinea Secret Server host to pull the secrets from. |
yes |
|
Delinea Port |
The Delinea Secret Server Port for API requests. By default, Tenable uses 443. |
yes |
|
Use Private Key |
If enabled, uses key-based authentication for SSH connections instead of password authentication. |
no |
|
Use SSL |
Enable if the Delinea Secret Server is configured to support SSL. |
no |
|
Verify SSL Certificate |
If enabled, verifies the SSL Certificate on the Delinea server. |
no |
|
Elevate privileges with |
The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure. |
no |
| Custom password prompt | Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts. |
no |
| Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
HashiCorp Vault is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can retrieve credentials from HashiCorp Vault to use in a scan.
| Windows and SSH Credentials | ||
|---|---|---|
| Option | Description |
Required |
| Hashicorp Vault host |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
| Hashicorp Vault port | The port on which Hashicorp Vault listens. | yes |
| Authentication Type |
Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate(Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key. |
yes |
| Role ID | The GUID provided by Hashicorp Vault when you configured your App Role. | yes |
| Role Secret ID |
The GUID generated by Hashicorp Vault when you configured your App Role. |
yes |
| Authentication URL |
The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login |
yes |
| Namespace | The name of a specified team in a multi-team environment. | no |
| Vault Type |
The Tenable Vulnerability Management version: KV1, KV2, AD, or LDAP. For additional information about Tenable Vulnerability Management versions, see the Tenable Vulnerability Management documentation. |
yes |
| KV1 Engine URL |
(KV1) The URL Tenable Vulnerability Management uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the KV1 Vault Type |
| KV2 Engine URL |
(KV2) The URL Tenable Vulnerability Management uses to access the KV2 engine. Example: /v1/kv_mount_name. No trailing / Note: You cannot use the path to the secret for the KV2 Engine URL because an additional string/segment, data, gets injected into the read request made to Vault for KV v2 stores. Only enter the name of the KV mount, not the path to the secret, in the Engine URL field. Note: You do not need to include the data segment yourself. If you include it in the secret name/path, the read call to Vault includes /data/data, which is invalid. |
yes, if you select the KV2 Vault Type |
| AD Engine URL |
(AD) The URL Tenable Vulnerability Management uses to access the Active Directory engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the AD Vault Type |
| LDAP Engine URL |
(LDAP) The URL Tenable Vulnerability Management uses to access the LDAP engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the LDAP Vault Type |
| Username Source | (KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault. | yes |
| Username Key | (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. | yes |
| Domain Key | (KV1 and KV2) The name in Hashicorp Vault that domains are stored under. | no |
| Password Key | (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. | yes |
| Secret Name | (KV1, KV2, and AD) The key secret you want to retrieve values for. | yes |
|
Kerberos Target Authentication |
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. |
no |
|
Key Distribution Center (KDC) |
(Required if Kerberos Target Authentication is enabled.) This host supplies the session tickets for the user. |
yes |
|
KDC Port |
The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. |
no |
|
KDC Transport |
The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation. |
no |
|
Domain (Windows) |
(Required if Kerberos Target Authentication is enabled.) The domain to which Kerberos Target Authentication belongs, if applicable. |
yes |
|
Realm (SSH) |
(Required if Kerberos Target Authentication is enabled.) The Realm is the authentication domain, usually noted as the domain name of the target (e.g., example.com). |
yes |
| Use SSL | If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. | no |
| Verify SSL Certificate | If enabled, Tenable Vulnerability Management uses SSL for secure communications. Hashicorp Vault must be using SSL to enable this option. | no |
| Enable for Tenable Vulnerability Management | Enables/disables IBM DataPower Gateway use with Tenable Vulnerability Management. | yes |
| Escalate Privileges with (SSH) |
Use a privilege escalation method such as su or sudo to use extra privileges when scanning. Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through Tenable Vulnerability Management. The Escalation Account Name field is then required to complete your privilege escalation. Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide and the Tenable Vulnerability Management User Guide. |
Required if you wish to escalate privileges. |
| Escalation account credential ID or identifier (SSH) | If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. | no |
Kerberos, developed by MIT’s Project Athena, is a client/server application that uses a symmetric key encryption protocol. In symmetric encryption, the key used to encrypt the data is the same as the key used to decrypt the data. Organizations deploy a KDC (Key Distribution Center) that contains all users and services that require Kerberos authentication. Users authenticate to Kerberos by requesting a TGT (Ticket Granting Ticket). Once a user is granted a TGT, it can be used to request service tickets from the KDC to be able to utilize other Kerberos based services. Kerberos uses the CBC (Cipher Block Chain) DES encryption protocol to encrypt all communications.
Note: You must already have a Kerberos environment established to use this method of authentication.
The Tenable Vulnerability Management implementation of Unix-based Kerberos authentication for SSH supports the aes-cbc and aes-ctr encryption algorithms. An overview of how Tenable Vulnerability Management interacts with Kerberos is as follows:
- The end user gives the IP of the KDC.
- The nessusd asks sshd if it supports Kerberos authentication.
- The sshd says yes.
- The nessusd requests a Kerberos TGT, along with login and password.
- Kerberos sends a ticket back to nessusd.
- The nessusd gives the ticket to sshd.
- The nessusd is logged in.
In both Windows and SSH credentials settings, you can specify credentials using Kerberos keys from a remote system. There are differences in the configurations for Windows and SSH.
| Option | Description | Required |
|---|---|---|
|
Username |
The username of the target system. |
yes |
|
Password |
The password of the username specified. |
yes |
|
Key Distribution Center (KDC) |
This host supplies the session tickets for the user. |
yes |
|
KDC Port |
Directs Tenable Vulnerability Management to connect to the KDC if it is running on a port other than 88. |
no |
|
KDC Transport |
The method by which you want to access the KDC server. Note: if you set KDC Transport to UDP, you may also need to change the port number, because depending on the implementation, the KDC UDP protocol uses either port 88 or 750 by default. |
no |
|
Realm |
The authentication domain, usually noted as the domain name of the target (for example, example.com). |
yes |
| Elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation. | no |
| Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
If Kerberos is used, sshd must be configured with Kerberos support to verify the ticket with the KDC. Reverse DNS lookups must be properly configured for this to work. The Kerberos interaction method must be gssapi-with-mic.
| Option | Description | Required |
|---|---|---|
|
Username |
The username of the target system. |
yes |
|
Password |
The password of the username specified. |
yes |
| Elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your selection determines the specific options you must configure. For more information, see Privilege Escalation. |
no |
| Custom password prompt |
The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell. |
no |
| Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.
| Option | Description | Required |
|---|---|---|
| Username | The target system’s username. |
yes |
| Lieberman host |
The Lieberman IP/DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
| Lieberman port | The port on which Lieberman listens. |
yes |
| Lieberman API URL | The URL Tenable Vulnerability Management uses to access Lieberman. | no |
| Lieberman user | The Lieberman explicit user for authenticating to the Lieberman RED API. |
yes |
| Lieberman password | The password for the Lieberman explicit user. |
yes |
| Lieberman Authenticator |
The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman. Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user. |
no |
| Lieberman Client Certificate |
The file that contains the PEM certificate used to communicate with the Lieberman host. Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields. |
no |
| Lieberman Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | no |
| Lieberman Client Certificate Private Key Passphrase | The passphrase for the private key, if required. | no |
| Use SSL |
If Lieberman is configured to support SSL through IIS, check for secure communication. |
no |
| Verify SSL Certificate |
If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to Custom CA documentation for how to use self-signed certificates. |
no |
| Targets to Prioritize Credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
| System Name | In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name. |
no |
| Custom password prompt | The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell. |
no |
| Option | Description | Required |
|---|---|---|
|
QiAnXin Host |
The IP address or url for the QiAnXin host. |
yes |
|
QiAnXin Port |
The port on which the QiAnXin API communicates. By default, Tenable uses 443. |
yes |
|
QiAnXin API Client ID |
The Client ID for the embedded account application created in QiAnXin PAM. |
yes |
| QiAnXin API Secret ID | The Secret ID for the embedded account application created in QiAnXin PAM. |
yes |
| Username | The username to log in to the hosts you want to scan. | yes |
| Host IP | Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. | no |
| Platform |
Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:
|
no |
| Region ID | Specify the region ID of the asset containing the account to use. | Only if using multiple regions |
| Escalate Privileges with |
Use the drop-down menu to select the privilege elevation method, or select “Nothing” to skip privilege elevation. Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through QiAnXin. The Escalation Account Name field is only required if the escalation password differs from the normal login password. Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide or the Tenable Vulnerability Management User Guide. |
Required if you wish to escalate privileges. |
| Escalation Account Username | If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. | no |
| Use SSL | When enabled, Tenable uses SSL for secure communication. This is enabled by default. |
no |
|
Verify SSL Certificate |
When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username to authenticate via SSH to the system. |
yes |
|
Thycotic Secret Name |
The value of the secret on the Thycotic server. The secret is labeled Secret Name on the Thycotic server. |
yes |
|
Thycotic Secret Server URL |
The transfer method, target, and target directory for the scanner. You can find this value on the Thycotic server in Admin > Configuration > Application Settings > Secret Server URL. For example, consider the following address:
|
yes |
|
Thycotic Login Name |
The username to authenticate to the Thycotic server. |
yes |
|
Thycotic Password |
The password to authenticate to the Thycotic server. |
yes |
|
Thycotic Organization |
The organization you want to query. You can use this value for cloud instances of Thycotic. |
no |
|
Thycotic Domain |
The domain of the Thycotic server. |
no |
|
Use Private Key |
The key for the SSH connection, if you do not use a password. |
no |
|
Verify SSL Certificate |
Whether you want to verify if the SSL Certificate on the server is signed by a trusted CA. |
no |
| Thycotic elevate privileges with | The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure. For more information, see Privilege Escalation. |
no |
| Custom password prompt | The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell. |
no |
| Targets to prioritize credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username to log in to the hosts you want to scan. |
yes |
|
BeyondTrust host |
The BeyondTrust IP address or DNS address. |
yes |
|
BeyondTrust port |
The port on which BeyondTrust listens. |
yes |
|
BeyondTrust API user |
The API user provided by BeyondTrust. |
yes |
|
BeyondTrust API key |
The API key provided by BeyondTrust. |
yes |
|
Checkout duration |
The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Vulnerability Management scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Vulnerability Management scans. If BeyondTrust changes a password during a scan, the scan fails. |
yes |
|
Use SSL |
When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option. |
no |
|
Verify SSL certificate |
When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option. |
no |
|
Use private key |
When enabled, Tenable Vulnerability Management uses private key-based authentication for SSH connections instead of password authentication. If it fails, the password is requested. |
no |
|
Use privilege escalation |
When enabled, BeyondTrust uses the configured privilege escalation command. If it returns something, it will use it for the scan. |
no |
| Custom password prompt | The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell. |
no |
| Targets to prioritize credentials |
Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list. Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster. |
no |
These settings apply to all SSH-type credentials in the current scan. You can edit these settings in any instance of the credential type in the current scan; your changes automatically apply to the other credentials of that type in the scan.
| Option | Default Value | Description |
|---|---|---|
|
known_hosts file |
None |
If you upload an SSH known_hosts file, Tenable Vulnerability Management only attempts to log in to hosts in this file. This can ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a log into a system that may not be under your control. |
|
Preferred port |
22 |
The port on which SSH is running on the target system. |
|
Client version |
OpenSSH_5.0 |
The type of SSH client Tenable Vulnerability Management impersonates while scanning. |
|
Attempt least privilege |
Cleared |
Enables or disables dynamic privilege escalation. When enabled, Tenable Vulnerability Management attempts to run the scan with an account with lesser privileges, even if the Elevate privileges with option is enabled. If a command fails, Tenable Vulnerability Management escalates privileges. Plugins 101975 and 101976 report which plugins ran with or without escalated privileges. Note: Enabling this option may increase scan run time by up to 30%. |
| Option | Description |
|---|---|
| Centrify Host |
(Required) The Centrify IP address or DNS address. Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Centrify Port | (Required) The port on which Centrify listens. By default, Tenable Vulnerability Management uses port 443. |
| API User | (Required) The API user provided by Centrify. |
| API Key | (Required) The API key provided by Centrify. |
| Tenant | (Required) The Centrify tenant associated with the API. By default, Tenable Vulnerability Management uses centrify. |
| Authentication URL | (Required) The URL Tenable Vulnerability Management uses to access Centrify. By default, Tenable Vulnerability Management uses /Security. |
| Password Query URL | (Required) The URL Tenable Vulnerability Management uses to query the passwords in Centrify. By default, Tenable Security Center uses /RedRock. |
| Password Engine URL |
(Required) The URL Tenable Vulnerability Management uses to access the passwords in Centrify. By default, Tenable Vulnerability Management uses /ServerManage. |
| Username | (Required) The username to log in to the hosts you want to scan. |
| Checkout Duration |
(Required) The length of time, in minutes, that you want to keep credentials checked out in Centrify. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your Tenable Vulnerability Management scans. If Centrify changes a password during a scan, the scan fails. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. |
| Use SSL | When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in Centrify before enabling this option. |
| Verify SSL Certificate | When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in Centrify before enabling this option. |
| Option | Description |
|---|---|
| Arcon Host |
(Required) The Arcon IP address or DNS address. Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Arcon Port | (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444. |
| API User | (Required) The API user provided by Arcon. |
| API Key | (Required) The API key provided by Arcon. |
| Authentication URL | (Required) The URL Tenable Security Center uses to access Arcon. |
| Password Engine URL |
(Required) The URL Tenable Security Center uses to access the passwords in Arcon. |
| Username | (Required) The username to log in to the hosts you want to scan. |
| Arcon Target Type | (Optional) The name of the target type. Depending on the Arcon PAM version you are using and the system type the SSH credential has been created with, this is set to linux by default. Refer to the Arcon PAM Specifications document (provided by Arcon) for target type/system type mapping for the correct target type value. |
| Checkout Duration |
(Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails. |
| Use SSL | When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option. |
| Verify SSL Certificate | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option. |
| Privilege Escalation | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. |
Note: Non-privileged users with local access on Unix systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.
Click Windows in the Credentials list to configure settings for the following Windows-based authentication methods:
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from CyberArk to use in a scan.
| Option | Description | Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
| Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
yes, if private key is applied |
|
Kerberos Target Authentication |
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. |
no |
|
Key Distribution Center (KDC) |
(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user. |
yes |
|
KDC Port |
The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. |
|
|
KDC Transport |
The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation. |
|
| Get credential by |
The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address. |
yes |
| Username |
(If Get credential by is Username) The username of the CyberArk user to request a password from. |
no |
| Safe |
The CyberArk safe the credential should be retrieved from. |
no |
| Address | The option should only be used if the Address value is unique to a single CyberArk account credential. | no |
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
no |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
You can now take advantage of a significant improvement to Tenable’s CyberArk Integration which gathers bulk account information for specific target groups without entering multiple targets. For more information, see CyberArk Dynamic Scanning in the Tenable CyberArk Integrations Guide.
|
Option |
Description |
Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the user’s CyberArk Instance. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
|
Safe |
Users may optionally specify a Safe to gather account information and request passwords. |
no |
|
AIM Web Service Authentication Type |
There are two authentication methods established in the feature. IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted. |
yes |
|
CyberArk PVWA Web UI Login Name |
Username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
|
CyberArk PVWA Web UI Login Password |
Password for the username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
|
CyberArk Platform Search String |
String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe, to gather all Windows platform accounts containing a username Admin in a Safe called TestSafe. Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy. |
yes |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
yes |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username of the target system. |
yes |
| CyberArk AIM Service URL | The URL for the CyberArk AIM web service. By default, Tenable Vulnerability Management uses /AIMWebservice/v1.1/AIM.asmx. |
no |
|
Domain |
The domain to which the username belongs. |
no |
|
Central Credential Provider Host |
The CyberArk Central Credential Provider IP/DNS address. |
yes |
|
Central Credential Provider Port |
The port on which the CyberArk Central Credential Provider is listening. |
yes |
|
Central Credential Provider Username |
The username of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication. |
no |
|
Central Credential Provider Password |
The password of the vault, if the CyberArk Central Credential Provider is configured to use basic authentication. |
no |
|
Safe |
The safe on the CyberArk Central Credential Provider server that contained the authentication information that you want to retrieve. |
yes |
| CyberArk Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
| CyberArk Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
no |
| CyberArk Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
no |
|
AppId |
The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password. |
yes |
|
Folder |
The folder on the CyberArk Central Credential Provider server that contains the authentication information that you want to retrieve. |
yes |
|
PolicyId |
The PolicyID assigned to the credentials that you want to retrieve from the CyberArk Central Credential Provider. |
no |
|
Use SSL |
If CyberArk Central Credential Provider is configured to support SSL through IIS check for secure communication. |
no |
|
Verify SSL Certificate |
If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate check this. Refer to custom_CA.inc documentation for how to use self-signed certificates. |
no |
| CyberArk Account Details Name | The unique name of the credential you want to retrieve from CyberArk. |
no |
| Option | Description | Required |
|---|---|---|
| Delinea Authentication Method | Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected. | yes |
|
Delinea Login Name |
The username to authenticate to the Delinea server. |
yes |
|
Delinea Password |
The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. |
yes |
| Delinea API Key | The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected. | yes |
|
Delinea Secret |
The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server. |
yes |
|
Delinea Host |
The Delinea Secret Server IP address for API requests. |
yes |
|
Delinea Port |
The Delinea Secret Server Port for API requests. By default, Tenable uses 443. |
yes |
|
Delinea Password |
The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. |
yes |
|
Checkout Duration |
The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time. |
yes |
|
Use SSL |
Enable if the Delinea Secret Server is configured to support SSL. |
no |
|
Verify SSL Certificate |
If enabled. verifies the SSL Certificate on the Delinea server. |
no |
HashiCorp Vault is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can retrieve credentials from HashiCorp Vault to use in a scan.
| Windows and SSH Credentials | ||
|---|---|---|
| Option | Description |
Required |
| Hashicorp Vault host |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
| Hashicorp Vault port | The port on which Hashicorp Vault listens. | yes |
| Authentication Type |
Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate(Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key. |
yes |
| Role ID | The GUID provided by Hashicorp Vault when you configured your App Role. | yes |
| Role Secret ID |
The GUID generated by Hashicorp Vault when you configured your App Role. |
yes |
| Authentication URL |
The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login |
yes |
| Namespace | The name of a specified team in a multi-team environment. | no |
| Vault Type |
The Tenable Vulnerability Management version: KV1, KV2, AD, or LDAP. For additional information about Tenable Vulnerability Management versions, see the Tenable Vulnerability Management documentation. |
yes |
| KV1 Engine URL |
(KV1) The URL Tenable Vulnerability Management uses to access the KV1 engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the KV1 Vault Type |
| KV2 Engine URL |
(KV2) The URL Tenable Vulnerability Management uses to access the KV2 engine. Example: /v1/kv_mount_name. No trailing / Note: You cannot use the path to the secret for the KV2 Engine URL because an additional string/segment, data, gets injected into the read request made to Vault for KV v2 stores. Only enter the name of the KV mount, not the path to the secret, in the Engine URL field. Note: You do not need to include the data segment yourself. If you include it in the secret name/path, the read call to Vault includes /data/data, which is invalid. |
yes, if you select the KV2 Vault Type |
| AD Engine URL |
(AD) The URL Tenable Vulnerability Management uses to access the Active Directory engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the AD Vault Type |
| LDAP Engine URL |
(LDAP) The URL Tenable Vulnerability Management uses to access the LDAP engine. Example: /v1/path_to_secret. No trailing / |
yes, if you select the LDAP Vault Type |
| Username Source | (KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault. | yes |
| Username Key | (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. | yes |
| Domain Key | (KV1 and KV2) The name in Hashicorp Vault that domains are stored under. | no |
| Password Key | (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. | yes |
| Secret Name | (KV1, KV2, and AD) The key secret you want to retrieve values for. | yes |
|
Kerberos Target Authentication |
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. |
no |
|
Key Distribution Center (KDC) |
(Required if Kerberos Target Authentication is enabled.) This host supplies the session tickets for the user. |
yes |
|
KDC Port |
The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. |
no |
|
KDC Transport |
The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation. |
no |
|
Domain (Windows) |
(Required if Kerberos Target Authentication is enabled.) The domain to which Kerberos Target Authentication belongs, if applicable. |
yes |
|
Realm (SSH) |
(Required if Kerberos Target Authentication is enabled.) The Realm is the authentication domain, usually noted as the domain name of the target (e.g., example.com). |
yes |
| Use SSL | If enabled, Tenable Vulnerability Management uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. | no |
| Verify SSL Certificate | If enabled, Tenable Vulnerability Management uses SSL for secure communications. Hashicorp Vault must be using SSL to enable this option. | no |
| Enable for Tenable Vulnerability Management | Enables/disables IBM DataPower Gateway use with Tenable Vulnerability Management. | yes |
| Escalate Privileges with (SSH) |
Use a privilege escalation method such as su or sudo to use extra privileges when scanning. Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through Tenable Vulnerability Management. The Escalation Account Name field is then required to complete your privilege escalation. Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide and the Tenable Vulnerability Management User Guide. |
Required if you wish to escalate privileges. |
| Escalation account credential ID or identifier (SSH) | If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. | no |
| Option | Default | Description | Required |
|---|---|---|---|
|
Username |
None |
The username on the target system. |
yes |
|
Password |
None |
The user password on the target system. |
yes |
|
Key Distribution Center (KDC) |
None |
The host that supplies the session tickets for the user. |
yes |
|
KDC Port |
88 |
Directs Tenable Vulnerability Management to connect to the KDC if it is running on a port other than 88. |
no |
|
KDC Transport |
TCP |
The method by which you want to access the KDC server. Note: if you set KDC Transport to UDP, you may also need to change the port number, because depending on the implementation, the KDC UDP protocol uses either port 88 or 750 by default. |
no |
|
Domain |
None |
The Windows domain that the KDC administers. |
yes |
Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Tenable Vulnerability Management can get credentials from Lieberman to use in a scan.
| Option | Description | Required |
|---|---|---|
| Username | The target system’s username. |
yes |
| Domain | The domain, if the username is part of a domain. |
no |
| Lieberman host |
The Lieberman IP/DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path. |
yes |
| Lieberman port | The port on which Lieberman listens. |
yes |
| Lieberman API URL | The URL Tenable Vulnerability Management uses to access Lieberman. | no |
| Lieberman user | The Lieberman explicit user for authenticating to the Lieberman RED API. |
yes |
| Lieberman password | The password for the Lieberman explicit user. |
yes |
| Lieberman Authenticator |
The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman. Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user. |
no |
| Lieberman Client Certificate |
The file that contains the PEM certificate used to communicate with the Lieberman host. Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields. |
no |
| Lieberman Client Certificate Private Key | The file that contains the PEM private key for the client certificate. | no |
| Lieberman Client Certificate Private Key Passphrase | The passphrase for the private key, if required. | no |
| Use SSL |
If Lieberman is configured to support SSL through IIS, check for secure communication. |
no |
| Verify SSL Certificate |
If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this. Refer to custom_CA.inc documentation for how to use self-signed certificates. |
no |
| System Name | In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name. |
no |
The Lanman authentication method was prevalent on Windows NT and early Windows 2000 server deployments. It is retained for backward compatibility.
| Option | Description | Required |
|---|---|---|
|
Username |
The username on the target system. |
yes |
|
Hash |
The hash you want to use. |
yes |
|
Domain |
The Windows domain to which the username belongs. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username on the target system. |
yes |
|
Hash |
The hash you want to use. |
yes |
|
Domain |
The Windows domain to which the username belongs. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username on the target system. |
yes |
|
Password |
The user password on the target system. |
yes |
|
Domain |
The Windows domain to which the username belongs. |
no |
| Option | Description | Required |
|---|---|---|
|
QiAnXin Host |
The IP address or URL for the QiAnXin host. |
yes |
|
QiAnXin Port |
The port on which the QiAnXin API communicates. By default, Tenable uses 443. |
yes |
|
QiAnXin API Client ID |
The Client ID for the embedded account application created in QiAnXin PAM. |
yes |
| QiAnXin API Secret ID | The Secret ID for the embedded account application created in QiAnXin PAM. |
yes |
| Domain | The domain to which the username belongs. |
no |
| Username | The username to log in to the hosts you want to scan. |
yes |
| Host IP | Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. |
no |
| Platform |
Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:
|
no |
| Region ID | Specify the region ID of the asset containing the account to use. |
Only if using multiple regions. |
| Use SSL | When enabled, Tenable uses SSL for secure communication. This is enabled by default. |
no |
|
Verify SSL Certificate |
When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username to authenticate via SSH to the system. |
yes |
|
Domain |
The domain to which the username belongs. |
no |
|
Thycotic Secret Name |
The value of the secret on the Thycotic server. The secret is labeled Secret Name on the Thycotic server. |
yes |
|
Thycotic Secret Server URL |
The transfer method, target, and target directory for the scanner. You can find this value on the Thycotic server in Admin > Configuration > Application Settings > Secret Server URL. For example, consider the following address:
|
yes |
|
Thycotic Login Name |
The username to authenticate to the Thycotic server. |
yes |
|
Thycotic Password |
The password to authenticate to the Thycotic server. |
yes |
|
Thycotic Organization |
The organization you want to query. You can use this value for cloud instances of Thycotic. |
no |
|
Thycotic Domain |
The domain of the Thycotic server. |
no |
|
Verify SSL Certificate |
Whether you want to verify if the SSL Certificate on the server is signed by a trusted CA. |
no |
| Option | Description | Required |
|---|---|---|
|
Username |
The username to log in to the hosts you want to scan. |
yes |
| Domain | The domain of the username, which is recommended if using domain-linked accounts (managed accounts of a domain that are linked to a managed system). |
no |
|
BeyondTrust host |
The BeyondTrust IP address or DNS address. |
yes |
|
BeyondTrust port |
The port on which BeyondTrust listens. |
yes |
| BeyondTrust API user | The API user provided by BeyondTrust. |
yes |
|
BeyondTrust API key |
The API key provided by BeyondTrust. |
yes |
|
Checkout duration |
The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Vulnerability Management scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Vulnerability Management scans. If BeyondTrust changes a password during a scan, the scan fails. |
yes |
|
Use SSL |
When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option. |
no |
|
Verify SSL certificate |
When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option. |
no |
These settings apply to all Windows-type credentials in the current scan. You can edit these settings in any instance of the credential type in the current scan; your changes automatically apply to the other credentials of that type in the scan.
| Option | Default | Description |
|---|---|---|
|
Never send credentials in the clear |
Enabled |
By default, for security reasons, this option is enabled. |
|
Do not use NTLMv1 authentication |
Enabled |
If the Do not use NTLMv1 authentication option is disabled, then it is theoretically possible to trick Tenable Vulnerability Management into attempting to log into a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable Vulnerability Management. This hash can be potentially cracked to reveal a username or password. It may also be used to log into other servers directly. Force Tenable Vulnerability Management to use NTLMv2 by enabling the Only use NTLMv2 setting at scan time. This prevents a hostile Windows server from using NTLM and receiving a hash. Because NTLMv1 is an insecure protocol, this option is enabled by default. |
|
Start the Remote Registry service during the scan |
Disabled |
This option tells Tenable Vulnerability Management to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable Vulnerability Management to execute some Windows local check plugins. |
|
Enable administrative shares during the scan |
Disabled |
This option allows Tenable Vulnerability Management to access certain registry entries that can be read with administrator privileges. |
| Start the Server service during the scan | Disabled |
When enabled, the scanner temporarily enables the Windows Server service, which allows the computer to share files and other devices on a network. The service is disabled after the scan completes. By default, Windows systems have the Windows Server service enabled, which means you do not need to enable this setting. However, if you disable the Windows Server service in your environment, and want to scan using SMB credentials, you must enable this setting so that the scanner can access files remotely. |
| Option | Description |
|---|---|
| Centrify Host |
(Required) The Centrify IP address or DNS address. Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Centrify Port | (Required) The port on which Centrify listens. By default, Tenable Vulnerability Management uses port 443. |
| API User | (Required) The API user provided by Centrify. |
| API Key | (Required) The API key provided by Centrify. |
| Tenant | (Required) The Centrify tenant associated with the API. By default, Tenable Vulnerability Management uses centrify. |
| Authentication URL | (Required) The URL Tenable Vulnerability Management uses to access Centrify. By default, Tenable Vulnerability Management uses /Security. |
| Password Query URL | (Required) The URL Tenable Vulnerability Management uses to query the passwords in Centrify. By default, Tenable Security Center uses /RedRock. |
| Password Engine URL |
(Required) The URL Tenable Vulnerability Management uses to access the passwords in Centrify. By default, Tenable Vulnerability Management uses /ServerManage. |
| Username | (Required) The username to log in to the hosts you want to scan. |
| Checkout Duration |
(Required) The length of time, in minutes, that you want to keep credentials checked out in Centrify. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your Tenable Vulnerability Management scans. If Centrify changes a password during a scan, the scan fails. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. |
| Use SSL | When enabled, Tenable Vulnerability Management uses SSL through IIS for secure communications. You must configure SSL through IIS in Centrify before enabling this option. |
| Verify SSL Certificate | When enabled, Tenable Vulnerability Management validates the SSL certificate. You must configure SSL through IIS in Centrify before enabling this option. |
| Option | Description |
|---|---|
| Arcon Host |
(Required) The Arcon IP address or DNS address. Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Arcon Port | (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444. |
| API User | (Required) The API user provided by Arcon. |
| API Key | (Required) The API key provided by Arcon. |
| Authentication URL | (Required) The URL Tenable Security Center uses to access Arcon. |
| Password Engine URL |
(Required) The URL Tenable Security Center uses to access the passwords in Arcon. |
| Username | (Required) The username to log in to the hosts you want to scan. |
| Arcon Target Type | (Optional) The name of the target type. Depending on the Arcon PAM version you are using and the system type the SSH credential has been created with, this is set to linux by default. Refer to the Arcon PAM Specifications document (provided by Arcon) for target type/system type mapping for the correct target type value. |
| Checkout Duration |
(Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails. |
| Use SSL | When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option. |
| Verify SSL Certificate | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option. |
| Privilege Escalation | The privilege escalation method you want to use to increase users' privileges after initial authentication. Your Privilege Escalation selection determines the specific options you must configure. For more information, see Privilege Escalation. |
Windows Authentication Considerations
Regarding the authentication methods:
- Tenable Vulnerability Management automatically uses SMB signing if the remote Windows server requires it. SMB signing is a cryptographic checksum applied to all SMB traffic to and from a Windows server. Many system administrators enable this feature on their servers to ensure that remote users are 100% authenticated and part of a domain. In addition, make sure you enforce a policy that mandates the use of strong passwords that cannot be easily broken via dictionary attacks from tools like John the Ripper and L0phtCrack. There have been many different types of attacks against Windows security to illicit hashes from computers for re-use in attacking servers. SMB Signing adds a layer of security to prevent these man-in-the-middle attacks.
- The SPNEGO (Simple and Protected Negotiate) protocol provides Single Sign On (SSO) capability from a Windows client to a variety of protected resources via the users’ Windows login credentials. Tenable Vulnerability Management supports use of SPNEGO Scans and Policies: Scans 54 of 151 with either NTLMSSP with LMv2 authentication or Kerberos and RC4 encryption. SPNEGO authentication happens through NTLM or Kerberos authentication; nothing needs to be set in the Tenable Vulnerability Management scan configuration.
- If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, Tenable Vulnerability Management attempts to log in via NTLMSSP/LMv2 authentication. If that fails, Tenable Vulnerability Management then attempts to log in using NTLM authentication.
- Tenable Vulnerability Management also supports the use of Kerberos authentication in a Windows domain. To configure this, the IP address of the Kerberos Domain Controller (actually, the IP address of the Windows Active Directory Server) must be provided.
Server Message Block (SMB) is a file-sharing protocol that allows computers to share information across the network. Providing this information to Tenable Vulnerability Management allows it to find local information from a remote Windows host. For example, using credentials enables Tenable Vulnerability Management to determine if important security patches have been applied. It is not necessary to modify other SMB parameters from default settings.
The SMB domain field is optional and Tenable Vulnerability Management is able to log on with domain credentials without this field. The username, password, and optional domain refer to an account that the target machine is aware of. For example, given a username of joesmith and a password of my4x4mpl3, a Windows server first looks for this username in the local system’s list of users, and then determines if it is part of a domain.
Regardless of credentials used, Tenable Vulnerability Management always attempts to log into a Windows server with the following combinations:
- Administrator without a password
- A random username and password to test Guest accounts
- No username or password to test null sessions
The actual domain name is only required if an account name is different on the domain from that on the computer. It is entirely possible to have an Administrator account on a Windows server and within the domain. In this case, to log on to the local server, the username of Administrator is used with the password of that account. To log on to the domain, the Administrator username is also used, but with the domain password and the name of the domain.
When multiple SMB accounts are configured, Tenable Vulnerability Management attempts to log in with the supplied credentials sequentially. Once Tenable Vulnerability Management is able to authenticate with a set of credentials, it checks subsequent credentials supplied, but only uses them if administrative privileges are granted when previous accounts provided user access.
Some versions of Windows allow you to create a new account and designate it as an administrator. These accounts are not always suitable for performing credentialed scans. Tenable recommends that the original administrative account, named Administrator be used for credentialed scanning to ensure full access is permitted. On some versions of Windows, this account may be hidden. To unhide the real administrator account, open a DOS prompt with administrative privileges and run the following command:
C:\> net user administrator /active:yesIf an SMB account is created with limited administrator privileges, Tenable Vulnerability Management can easily and securely scan multiple domains. Tenable recommends that network administrators create specific domain accounts to facilitate testing. Tenable Vulnerability Management includes a variety of security checks for Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 that are more accurate if a domain account is provided. Tenable Vulnerability Management does attempt to try several checks in most cases if no account is provided.
Note: The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry is not possible, even with full credentials. This service must be started for a Tenable Vulnerability Management credentialed scan to audit a system fully using credentials.
For more information, see the Tenable blog post Dynamic Remote Registry Auditing - Now you see it, now you don’t!
Credentialed scans on Windows systems require using a full administrator level account. Several bulletins and software updates by Microsoft have made reading the registry to determine software patch level unreliable without administrator privileges, but not all of them. Tenable Vulnerability Management plugins check that the provided credentials have full administrative access to ensure the plugins execute properly. For example, full administrative access is required to perform direct reading of the file system. This allows Tenable Vulnerability Management to attach to a computer and perform direct file analysis to determine the true patch level of the systems being evaluated.