You can use credentials to grant a Tenable.io scanner local access to scan a target system without requiring an agent. Credentialed scans can perform a wider variety of checks than non-credentialed scans, which can result in more accurate scan results. This approach facilitates scanning of a very large network to determine local exposures or compliance violations.
Credentialed scans can perform any operation that a local user can perform. The level of scanning depends on the privileges granted to the user account. The more privileges the scanner has via the login account (for example, root or administrator access), the more thorough the scan results.
In Tenable.io, you can create credentials for use in scans in the following ways:
||User Permissions in Basic settings in the scan|
||User Permissions in Basic settings in the template|
||Configure User Permissions for a Credential|
The settings you configure for a credential vary based on the credential type. Credential types include:
- Cloud Services
- Mobile Device Management
- Patch Management
- Plaintext authentication
For more information, see:
- Add a Credential to a Scan
- Edit a Credential in a Scan
- Convert a Scan-specific Credential to a Managed Credential
- Add a Credential to a User-defined Template
- Edit a Credential in a User-defined Template
Note: Tenable.io opens several concurrent authenticated connections. Ensure that the host being audited does not have a strict account lockout policy based on concurrent sessions.
Note: By default, when creating credentialed scans or user-defined templates, hosts are identified and marked with a Tenable Asset Identifier (TAI). This globally unique identifier is written to the host's registry or file system, and subsequent scans can retrieve and use the TAI.
This option is enabled (by default) or disabled in the Advanced -> General Settings of a scan configuration or template: Create unique identifier on hosts scanned using credentials.