Credentials

The following methods allow for interaction with the Tenable.sc Scan Credentials API. These items are typically seen under the Scan Credentials section of Tenable.sc.

Methods available on sc.credentials:

class CredentialAPI(api: restfly.session.APISession)
create(name, cred_type, auth_type, **kw)

Creates a credential.

credential: create

Parameters
  • name (str) – The name for the credential.

  • cred_type (str) – The type of credential to store. Valid types are database, snmp, ssh, and windows.

  • auth_type (str) – The type of authentication for the credential. Valid types are beyondtrust, certificate, cyberark, kerberos, lieberman, lm, ntlm, password, publicKey, thycotic.

  • beyondtrust_api_key (str, optional) – The API key to use for authenticating to Beyondtrust.

  • beyondtrust_duration (int, optional) – The length of time to cache the checked-out credentials from Beyondtrust. This value should be less than the password change interval within Beyondtrust.

  • beyondtrust_host (str, optional) – The host address for the Beyondtrust application.

  • beyondtrust_port (int, optional) – The port number associated with the Beyondtrust application.

  • beyondtrust_use_escalation (bool, optional) – If enabled, informs the scanners to use Beyondtrust for privilege escalation.

  • beyondtrust_use_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • beyondtrust_use_ssl (bool, optional) – Should the scanners communicate to Beyondtrust over SSL for credential retrieval? If left unspecified, the default is set to True.

  • beyondtrust_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Beyondtrust? If left unspecified, the default is False.

  • community_string (str, optional) – The SNMP community string to use for authentication.

  • db_type (str, optional) – The type of database connection that will be performed. Valid types are DB2, Informix/DRDA, MySQL, Oracle, PostgreSQL, SQL Server.

  • description (str, optional) – A description to associate to the credential.

  • domain (str, optional) – The Active Directory domain to use if the user is a member of a domain.

  • escalation_path (str, optional) – The path in which to run the escalation commands.

  • escalation_password (str, optional) – The password to use for the escalation.

  • escalation_su_use (str, optional) – If performing an SU escalation, this is the user to escalate to.

  • escalation_username (str, optional) – The username to escalate to.

  • kdc_ip (str, optional) – The kerberos host supplying the session tickets.

  • kdc_port (int, optional) – The port to use for kerberos connections. If left unspecified the default is 88.

  • kdc_protocol (str, optional) – The protocol to use for kerberos connections. Valid options are tcp and udp. If left unspecified then the default is tcp.

  • kdc_realm (str, optional) – The Kerberos realm to use for authentication.

  • lieberman_host (str, optional) – The address for the Lieberman vault.

  • lieberman_port (int, optional) – The port number where the Lieberman service is listening.

  • lieberman_pam_password (str, optional) – The password to authenticate to the Lieberman RED API.

  • lieberman_pam_user (str, optional) – The username to authenticate to the Lieberman RED API.

  • lieberman_system_name (str, optional) – The name for the credentials in Lieberman.

  • lieberman_use_ssl (bool, optional) – Should the scanners communicate to Lieberman over SSL for credential retrieval? If left unspecified, the default is set to True.

  • lieberman_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Lieberman? If left unspecified, the default is False.

  • password (str, optional) – The password for the credential.

  • port (int, optional) – A valid port number for a database credential.

  • private_key (file, optional) – The file object containing the SSH private key.

  • privilege_escalation (str, optional) – The type of privilege escalation to perform once authenticated. Valid values are .k5login, Cisco 'enable', dzdo, none, pbrun, su, su+sudo, sudo. If left unspecified, the default is none.

  • public_key (file, optional) – The file object containing the SSH public key or certificate.

  • oracle_auth_type (str, optional) – The type of authentication to use when communicating to an Oracle database server. Supported values are sysdba, sysoper, and normal. If left unspecified, the default option is normal.

  • oracle_service_type (str, optional) – The type of service identifier specified in the sid parameter. Valid values are either sid or service_name. If left unspecified, the default is sid.

  • sid (str, optional) – The service identifier or name for a database credential.

  • sql_server_auth_type (str, optional) – The type of authentication to perform to the SQL Server instance. Valid values are SQL and Windows. The default value if left unspecified is SQL.

  • tags (str, optional) – A tag to associate to the credential.

  • username (str, optional) – The username for the OS credential.

  • thycotic_domain (str, optional) – The domain, if set, within Thycotic.

  • thycotic_organization (str, optional) – The organization to use if using a cloud instance of Thycotic.

  • thycotic_password (str, optional) – The password to use when authenticating to Thycotic.

  • thycotic_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • thycotic_secret_name (str, optional) – The secret name value on the Thycotic server.

  • thycotic_url (str, optional) – The absolute URL path pointing to the Thycotic secret server.

  • thycotic_username (str, optional) – The username to use to authenticate to Thycotic.

  • thycotic_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Thycotic? If left unspecified, the default is False.

  • vault_account_name (str, optional) – The unique name of the credential to retrieve from CyberArk. Generally referred to as the name parameter within CyberArk.

  • vault_address (str, optional) – The domain for the CyberArk account. SSL must be configured through IIS on the CCP before using.

  • vault_app_id (str, optional) – The AppID to use with CyberArk.

  • vault_cyberark_client_cert (file, optional) – The file object containing the CyberArk client certificate.

  • vault_cyberark_url (str, optional) – The URL for the CyberArk AIM web service. If left unspecified, the default URL path of /AIMWebservice/v1.1/AIM.asmx will be used.

  • vault_cyberark_private_key (file, optional) – The file object containing the CyberArk client private key.

  • vault_cyberark_private_key_passphrase (str, optional) – The passphrase for the private key.

  • vault_folder (str, optional) – The folder to use within CyberArk for credential retrieval.

  • vault_host (str, optional) – The CyberArk Vault host.

  • vault_password (str, optional) – The password to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_policy_id (int, optional) – The CyberArk PolicyID assigned to the credentials to retrieve.

  • vault_port (int, optional) – The port in which the CyberArk Vault resides.

  • vault_safe (str, optional) – The CyberArk safe that contains the credentials to retrieve.

  • vault_use_ssl (bool, optional) – Should the scanners communicate to CyberArk over SSL for credential retrieval? If left unspecified, the default is set to True.

  • vault_username (str, optional) – The username to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to the vault? If left unspecified, the default is False.

Returns

The newly created credential.

Return type

dict

Examples

Creating a Windows AD credential:

>>> cred = sc.credentials.create(
...     'Example AD User', 'windows', 'ntlm',
...     username='scanneruser',
...     password='sekretpassword',
...     domain='Company.com')

Creating a root user SSH credential:

>>> cred = sc.credentials.create(
...     'Example SSH Cred', 'ssh', 'password',
...     username='root',
...     password='sekretpassword')

Creating a root user SSH cred with a private key:

>>> with open('privatekeyfile', 'rb') as keyfile:
...     cred = sc.credentials.create(
...         'Example SSH Keys', 'ssh', 'publickey',
...         username='root',
...         private_key=keyfile)

Creating a normal user SSH cred with sudo for privilege escalation:

>>> cred = sc.credentials.create(
...     'Example SSH Sudo', 'ssh', 'password',
...     username='user',
...     password='sekretpassword',
...     privilege_escalation='sudo',
...     escalation_password='sekretpassword')

Creating a SQL Server cred set:

>>> cred = sc.credentials.create(
...     'Example SQL Server', 'database', 'SQL Server',
...     username='sa',
...     password='sekretpassword',
...     sql_server_auth_type='SQL',
...     sid='database_name')
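The reference above documents several settings whose defaults matter for a scanner's credential hygiene: every vault integration's *_verify_ssl flag defaults to False, *_use_ssl can be switched off, and SSH credentials may log in directly as root. The following pre-flight check, an added example rather than pyTenable's own code, inspects the same positional and keyword arguments a create() or edit() call would receive and reports such weak settings before the credential is stored; the sample definitions and the list of well-known SNMP community strings are constructed for illustration.

```python
# Added example, not pyTenable's own code: a pre-flight check run on the arguments
# before they are passed to sc.credentials.create() / sc.credentials.edit().
from typing import List

VALID_TYPES = {'database', 'snmp', 'ssh', 'windows'}
VALID_AUTH = {'beyondtrust', 'certificate', 'cyberark', 'kerberos', 'lieberman',
              'lm', 'ntlm', 'password', 'publickey', 'thycotic'}
# Vault integrations and the kwargs that control TLS between scanner and vault.
VAULT_FLAGS = {
    'beyondtrust': ('beyondtrust_use_ssl', 'beyondtrust_verify_ssl'),
    'lieberman': ('lieberman_use_ssl', 'lieberman_verify_ssl'),
    'cyberark': ('vault_use_ssl', 'vault_verify_ssl'),
    'thycotic': (None, 'thycotic_verify_ssl'),
}
DEFAULT_COMMUNITIES = {'public', 'private'}  # constructed list of well-known defaults


def check_credential(name: str, cred_type: str, auth_type: str, **kw) -> List[str]:
    """Return findings for a create()/edit() call; an empty list means it is clean."""
    findings = []
    auth = auth_type.lower()
    if cred_type not in VALID_TYPES:
        findings.append(f'{name}: unknown cred_type {cred_type!r}')
    if auth not in VALID_AUTH:
        findings.append(f'{name}: unknown auth_type {auth_type!r}')
    if auth in VAULT_FLAGS:
        use_ssl, verify_ssl = VAULT_FLAGS[auth]
        # *_use_ssl defaults to True, so only an explicit False is a finding.
        if use_ssl and kw.get(use_ssl, True) is False:
            findings.append(f'{name}: {use_ssl}=False sends vault traffic in cleartext')
        # *_verify_ssl defaults to False, so leaving it unset is itself a finding.
        if not kw.get(verify_ssl, False):
            findings.append(f'{name}: {verify_ssl} unset or False; vault certificate is not validated')
    if cred_type == 'ssh' and kw.get('username') == 'root':
        findings.append(f'{name}: direct root login; prefer a user plus privilege_escalation')
    if cred_type == 'snmp' and str(kw.get('community_string', '')).lower() in DEFAULT_COMMUNITIES:
        findings.append(f'{name}: community_string is a well-known default')
    return findings


if __name__ == '__main__':
    # Constructed definitions mirroring the shape of the reference examples above.
    for args, kwargs in [
        (('Example AD User', 'windows', 'ntlm'),
         dict(username='scanneruser', password='sekretpassword', domain='Company.com')),
        (('Vault SSH', 'ssh', 'cyberark'),
         dict(username='scanuser', vault_host='vault.example.com', vault_app_id='Nessus')),
    ]:
        print(args[0], check_credential(*args, **kwargs) or ['ok'])
```

Only when check_credential returns an empty list would the same arguments be handed on to sc.credentials.create(*args, **kwargs).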

delete(id)

Removes a credential.

credential: delete

Parameters

id (int) – The numeric identifier for the credential to remove.

Returns

An empty response.

Return type

str

Examples

>>> sc.credentials.delete(1)

details(id, fields=None)

Returns the details for a specific credential.

credential: details

Parameters
  • id (int) – The identifier for the credential.

  • fields (list, optional) – A list of attributes to return.

Returns

The credential resource record.

Return type

dict

Examples

>>> cred = sc.credentials.details(1)
>>> pprint(cred)

edit(id, **kw)

Edits a credential.

credential: edit

Parameters
  • auth_type (str, optional) – The type of authentication for the credential. Valid types are beyondtrust, certificate, cyberark, kerberos, lieberman, lm, ntlm, password, publickey, thycotic.

  • beyondtrust_api_key (str, optional) – The API key to use for authenticating to Beyondtrust.

  • beyondtrust_duration (int, optional) – The length of time to cache the checked-out credentials from Beyondtrust. This value should be less than the password change interval within Beyondtrust.

  • beyondtrust_host (str, optional) – The host address for the Beyondtrust application.

  • beyondtrust_port (int, optional) – The port number associated with the Beyondtrust application.

  • beyondtrust_use_escalation (bool, optional) – If enabled, informs the scanners to use Beyondtrust for privilege escalation.

  • beyondtrust_use_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • beyondtrust_use_ssl (bool, optional) – Should the scanners communicate to Beyondtrust over SSL for credential retrieval? If left unspecified, the default is set to True.

  • beyondtrust_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Beyondtrust? If left unspecified, the default is False.

  • community_string (str, optional) – The SNMP community string to use for authentication.

  • db_type (str, optional) – The type of database connection that will be performed. Valid types are DB2, Informix/DRDA, MySQL, Oracle, PostgreSQL, SQL Server.

  • description (str, optional) – A description to associate to the credential.

  • domain (str, optional) – The Active Directory domain to use if the user is a member of a domain.

  • escalation_path (str, optional) – The path in which to run the escalation commands.

  • escalation_password (str, optional) – The password to use for the escalation.

  • escalation_su_use (str, optional) – If performing an SU escalation, this is the user to escalate to.

  • escalation_username (str, optional) – The username to escalate to.

  • kdc_ip (str, optional) – The kerberos host supplying the session tickets.

  • kdc_port (int, optional) – The port to use for kerberos connections. If left unspecified the default is 88.

  • kdc_protocol (str, optional) – The protocol to use for kerberos connections. Valid options are tcp and udp. If left unspecified then the default is tcp.

  • kdc_realm (str, optional) – The Kerberos realm to use for authentication.

  • lieberman_host (str, optional) – The address for the Lieberman vault.

  • lieberman_port (int, optional) – The port number where the Lieberman service is listening.

  • lieberman_pam_password (str, optional) – The password to authenticate to the Lieberman RED API.

  • lieberman_pam_user (str, optional) – The username to authenticate to the Lieberman RED API.

  • lieberman_system_name (str, optional) – The name for the credentials in Lieberman.

  • lieberman_use_ssl (bool, optional) – Should the scanners communicate to Lieberman over SSL for credential retrieval? If left unspecified, the default is set to True.

  • lieberman_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Lieberman? If left unspecified, the default is False.

  • name (str, optional) – The name for the credential.

  • password (str, optional) – The password for the credential.

  • port (int, optional) – A valid port number for a database credential.

  • private_key (file, optional) – The file object containing the SSH private key.

  • privilege_escalation (str, optional) – The type of privilege escalation to perform once authenticated. Valid values are .k5login, Cisco 'enable', dzdo, none, pbrun, su, su+sudo, sudo. If left unspecified, the default is none.

  • public_key (file, optional) – The file object containing the SSH public key or certificate.

  • oracle_auth_type (str, optional) – The type of authentication to use when communicating to an Oracle database server. Supported values are sysdba, sysoper, and normal. If left unspecified, the default option is normal.

  • oracle_service_type (str, optional) – The type of service identifier specified in the sid parameter. Valid values are either sid or service_name. If left unspecified, the default is sid.

  • sid (str, optional) – The service identifier or name for a database credential.

  • sql_server_auth_type (str, optional) – The type of authentication to perform to the SQL Server instance. Valid values are SQL and Windows. The default value if left unspecified is SQL.

  • tags (str, optional) – A tag to associate to the credential.

  • type (str, optional) – The type of credential to store. Valid types are database, snmp, ssh, and windows.

  • username (str, optional) – The username for the OS credential.

  • thycotic_domain (str, optional) – The domain, if set, within Thycotic.

  • thycotic_organization (str, optional) – The organization to use if using a cloud instance of Thycotic.

  • thycotic_password (str, optional) – The password to use when authenticating to Thycotic.

  • thycotic_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • thycotic_secret_name (str, optional) – The secret name value on the Thycotic server.

  • thycotic_url (str, optional) – The absolute URL path pointing to the Thycotic secret server.

  • thycotic_username (str, optional) – The username to use to authenticate to Thycotic.

  • thycotic_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Thycotic? If left unspecified, the default is False.

  • vault_account_name (str, optional) – The unique name of the credential to retrieve from CyberArk. Generally referred to as the name parameter within CyberArk.

  • vault_address (str, optional) – The domain for the CyberArk account. SSL must be configured through IIS on the CCP before using.

  • vault_app_id (str, optional) – The AppID to use with CyberArk.

  • vault_cyberark_client_cert (file, optional) – The file object containing the CyberArk client certificate.

  • vault_cyberark_url (str, optional) – The URL for the CyberArk AIM web service. If left unspecified, the default URL path of /AIMWebservice/v1.1/AIM.asmx will be used.

  • vault_cyberark_private_key (file, optional) – The file object containing the CyberArk client private key.

  • vault_cyberark_private_key_passphrase (str, optional) – The passphrase for the private key.

  • vault_folder (str, optional) – The folder to use within CyberArk for credential retrieval.

  • vault_host (str, optional) – The CyberArk Vault host.

  • vault_password (str, optional) – The password to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_policy_id (int, optional) – The CyberArk PolicyID assigned to the credentials to retrieve.

  • vault_port (int, optional) – The port in which the CyberArk Vault resides.

  • vault_safe (str, optional) – The CyberArk safe that contains the credentials to retrieve.

  • vault_use_ssl (bool, optional) – Should the scanners communicate to CyberArk over SSL for credential retrieval? If left unspecified, the default is set to True.

  • vault_username (str, optional) – The username to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to the vault? If left unspecified, the default is False.

Returns

The newly updated credential.

Return type

dict

Examples

>>> cred = sc.credentials.edit(1, description='Updated description')

list(fields=None)

Retrieves the list of credential definitions.

Parameters

fields (list, optional) – A list of attributes to return for each credential.

Returns

A list of credential resources.

Return type

list

Examples

>>> for cred in sc.credentials.list():
...     pprint(cred)

share(id, *groups)

Shares the specified credential to another user group.

credential: share

Parameters
  • id (int) – The numeric id for the credential.

  • *groups (int) – The numeric id of the group(s) to share to.

Returns

The updated credential resource.

Return type

dict

Examples

>>> sc.credentials.share(1, group_1, group_2)

tags()

Retrieves the list of unique tags associated to credentials.

credential: tags

Returns

List of tags

Return type

list

Examples

>>> tags = sc.credentials.tags()