How-to Guide: Tenable.io™ for BeyondTrust Last Revised: April 03, 2018
Table of Contents

Introduction
Integrations
    Windows Integration
    SSH Integration
API Configuration
    API Keys Setup
    Enable API Access
Additional Information
    Elevation
    Customized Report
    About Tenable
Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.
Introduction

This document describes how to configure Tenable.io for integration with the BeyondTrust PowerBroker Password Safe. Please email comments or suggestions to [email protected].

Security administrators know from experience that managing credentials and privileges for network vulnerability assessments can be cumbersome. By integrating the BeyondTrust PowerBroker Password Safe with Tenable's solutions, customers now have even more choice and flexibility for reducing the credentials headache. Benefits of integrating Tenable.io with the BeyondTrust PowerBroker Password Safe include:

• Credentials stored in the BeyondTrust PowerBroker Password Safe do not need to be managed and updated directly within Tenable.io.
• Reduce the time and effort needed to document where credentials are stored within the entire organizational environment.
• Automatically enforce security policies within specific departments or for specific business unit requirements, which simplifies compliance.
• Reduce the risk of unsecured privileged accounts and credentials across the enterprise.
Integrations

The BeyondTrust PowerBroker Password Safe integration can be configured using either Windows or SSH. See the corresponding section for the configuration steps:

Windows Integration
SSH Integration
Windows Integration

Use the following steps to configure Windows credentialed network scans using BeyondTrust's PowerBroker Password Safe solution.

Steps

1. Log in to Tenable.io and click Scans and then + New Scan to configure Tenable.io for credentialed scans of Windows systems using the BeyondTrust PowerBroker Password Safe.
2. Select a Scan Template for the scan type required for your scan. For this example, the Advanced Network Scan template will be used.
3. To configure a credentialed scan for Windows systems using BeyondTrust's password management solution, enter a descriptive Name and enter the IP address(es) or hostname(s) of the scan Targets.
4. Once the Name and Targets are configured, click Credentials and then select Windows from the left-hand menu.
5. Click the Authentication method drop-down and select BeyondTrust.
6. Configure each field for Windows authentication. Refer to the table below for a description of each field. Once the Windows credentials are configured, click Save to finalize the changes.
The table below contains a description of each option:

Option                   Description
Username                 (Required) The username to log in to the host being scanned.
Domain                   The domain associated with the username, if applicable.
BeyondTrust host         (Required) The BeyondTrust IP/DNS address.
BeyondTrust port         (Required) The port on which BeyondTrust listens.
BeyondTrust API key      (Required) The API key provided by BeyondTrust.
Checkout duration        (Required) Specifies how long to keep the credentials “checked out” in BeyondTrust.
                         Note: BeyondTrust can change the password once it has checked back in. Therefore, the duration should be at least as long as a typical scan takes. Subsequent scans will fail if the password is still checked out when the next scan starts.
Use SSL                  When enabled, Tenable.io uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.
Verify SSL certificate   When enabled, Tenable.io validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.
7. Once the options to reach the BeyondTrust PowerBroker Password Safe are set, click Save.
8. To verify the integration is working, click the Launch button to initiate an on-demand scan.
9. Once the scan has completed, select the completed scan and look for the corresponding message: Microsoft Windows SMB Log In Possible: 10394. This validates that authentication was successful.
SSH Integration

Use the following steps to configure SSH credentialed network scans using BeyondTrust's PowerBroker Password Safe solution.

Steps

1. Log in to Tenable.io and click Scans and then + New Scan to configure Tenable.io for credentialed scans over SSH using the BeyondTrust PowerBroker Password Safe.
2. Select a Scan Template for the scan type required for your scan. For this example, the Advanced Network Scan template will be used.
3. To configure a credentialed scan over SSH using BeyondTrust's password management solution, enter a descriptive Name and enter the IP address(es) or hostname(s) of the scan Targets.
4. Once the Name and Targets are configured, click Credentials and then select SSH from the left-hand menu.
5. Click the Authentication method drop-down and select BeyondTrust.
6. Configure each field for SSH authentication. Refer to the table below for a description of each field. Once the SSH credentials are configured, click Save to finalize the changes.
The table below contains a description of each option:

Option                    Description
Username                  (Required) The username to log in to the host being scanned.
BeyondTrust host          (Required) The BeyondTrust IP/DNS address.
BeyondTrust port          (Required) The port on which BeyondTrust listens.
BeyondTrust API key       (Required) The API key provided by BeyondTrust.
Checkout duration         (Required) Specifies how long to keep the credentials “checked out” in BeyondTrust.
                          Note: BeyondTrust can change the password once it has checked back in. The duration should be at least as long as a typical scan takes. Subsequent scans will fail if the password is still checked out when the next scan starts.
Use SSL                   When enabled, Tenable.io uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.
Verify SSL certificate    When enabled, Tenable.io validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.
Use private key           When enabled, Tenable.io uses private key-based authentication for SSH connections instead of password authentication. If key-based authentication fails, the password is requested instead.
Use privilege escalation  When enabled, the privilege escalation command configured in BeyondTrust is retrieved; if one is returned, it is used for the scan.
7. Once the options to reach the BeyondTrust PowerBroker Password Safe are set, click Save.
8. To verify the integration is working, click the Launch button to initiate an on-demand scan.
9. Once the scan has completed, select the completed scan and look for the corresponding message: OS Identification and Installed Software Enumeration over SSH: 97993. This validates that authentication was successful.
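The Checkout duration note in both the Windows and SSH credential tables states two constraints: the checkout must outlast a typical scan, and a scan that starts while an earlier scan still holds the credential will fail. The following Python is added here as an illustration and is not part of the Tenable guide; it checks a constructed schedule of scan jobs that share one BeyondTrust managed account against both rules. Job names, start times and durations are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ScanJob:
    name: str
    start: datetime
    runtime: timedelta   # typical duration of the scan
    checkout: timedelta  # "Checkout duration" configured in Tenable.io


def checkout_window(job):
    """Interval during which the job holds the credential checked out."""
    return job.start, job.start + job.checkout


def find_checkout_problems(jobs):
    """Return problems for scan jobs that share one managed account.

    Rule 1: the checkout must cover the whole scan, since the password may
    rotate when the credential checks back in. Rule 2: a scan that starts
    while another scan still has the credential checked out will fail.
    """
    problems = []
    ordered = sorted(jobs, key=lambda j: j.start)
    for job in ordered:
        if job.checkout < job.runtime:
            problems.append(f"{job.name}: checkout {job.checkout} is shorter than "
                            f"runtime {job.runtime}; password may rotate mid-scan")
    for i, earlier in enumerate(ordered):
        held_from, held_until = checkout_window(earlier)
        for later in ordered[i + 1:]:
            if held_from <= later.start < held_until:
                problems.append(f"{later.name}: starts {later.start:%H:%M} while "
                                f"{earlier.name} holds the credential until {held_until:%H:%M}")
    return problems


def min_safe_gap(jobs):
    """Smallest spacing between starts that guarantees no checkout overlap."""
    return max(job.checkout for job in jobs)


# Constructed schedule: three scans using the same BeyondTrust managed account.
BASE = datetime(2018, 4, 3, 22, 0)
JOBS = [
    ScanJob("nightly-windows", BASE, timedelta(minutes=90), timedelta(hours=2)),
    ScanJob("nightly-ssh", BASE + timedelta(hours=1), timedelta(minutes=45), timedelta(minutes=30)),
    ScanJob("weekly-full", BASE + timedelta(hours=3), timedelta(hours=2), timedelta(hours=4)),
]

if __name__ == "__main__":
    for problem in find_checkout_problems(JOBS):
        print(problem)
```

Running it reports that nightly-ssh has a checkout shorter than its runtime and that it starts while nightly-windows still holds the credential; spacing starts by min_safe_gap(JOBS) avoids the second problem.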
API Configuration

This section covers:

API Keys Setup
Enable API Access
API Keys Setup

Steps

1. Log in to BeyondInsight.
2. Click Configuration.
3. Click API Registration.
4. Configure the source addresses from which API requests are allowed (the whitelist).
5. Click Save. Once saved, the API Key is available for future requests.
Enable API Access

Each Managed Account that you use for scanning must have API Access enabled.

Steps

1. Log in to BeyondInsight.
2. Go to Managed Accounts.
3. Click Edit Account.
4. Click the Enable for API Access option.
5. Click Save.
Additional Information

This section covers:

Elevation
Customized Report
About Tenable
Elevation

Elevation is used in BeyondInsight to handle privilege escalation for SSH accounts when performing scans. This option is needed because some policies do not allow logging in to a server directly as root. Elevation can be enforced in BeyondInsight at the system level or the account level.
Customized Report

You can build a customized report in BeyondInsight to import hosts from a CSV to scan in Tenable.io. The customized report defines the information needed for Tenable.io uploads.

To build the report:

1. Log in to BeyondInsight.
2. Go to Assets > Scan > Customize Report.
3. Select the Parameters.
4. Click Run Report.

Note: This report can be run on any of your previous discovery scans, exported as a CSV, and uploaded as scan targets in Tenable.io.
About Tenable

Tenable transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Tenable.io and leaders in continuous monitoring, by visiting tenable.com.