Credentials

The following methods allow for interaction into the Tenable Security Center Scan Credentials API. These items are typically seen under the Scan Credentials section of Tenable Security Center.

Methods available on sc.credentials:

class CredentialAPI(api: APISession)[source]
create(name, cred_type, auth_type, **kw)[source]

Creates a credential.

credential: create

Parameters:
  • name (str) – The name for the credential.

  • cred_type (str) – The type of credential to store. Valid types are database, snmp, ssh, and windows.

  • auth_type (str) – The type of authentication for the credential. Valid types are beyondtrust, certificate, cyberark``, kerberos, lieberman, lm, ntlm, password, publicKey, thycotic.

  • beyondtrust_api_key (str, optional) – The API key to use for authenticating to Beyondtrust.

  • beyondtrust_duration (int, optional) – The length of time to cache the checked-out credentials from Beyondtrust. This value should be less than the password change interval within Beyondtrust.

  • beyondtrust_host (str, optional) – The host address for the Beyondtrust application.

  • beyondtrust_port (int, optional) – The port number associated with the Beyondtrust application.

  • beyondtrust_use_escalation (bool, optional) – If enabled, informs the scanners to use Beyondtrust for privilege escalation.

  • beyondtrust_use_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • beyondtrust_use_ssl (bool, optional) – Should the scanners communicate to Beyondtrust over SSL for credential retrieval? If left unspecified, the default is set to True.

  • beyondtrust_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Beyondtrust? If left unspecified, the default is False.

  • community_string (str, optional) – The SNMP community string to use for authentication.

  • db_type (str, optional) – The type of database connection that will be performed. Valid types are DB2, Informix/DRDA, MySQL, Oracle, PostgreSQL, SQL Server.

  • description (str, optional) – A description to associate to the credential.

  • domain (str, optional) – The Active Directory domain to use if the user is a member of a domain.

  • escalation_path (str, optional) – The path in which to run the escalation commands.

  • escalation_password (str, optional) – The password to use for the escalation.

  • escalation_su_use (str, optional) – If performing an SU escalation, this is the user to escalate to.

  • escalation_username (str, optional) – The username to escalate to.

  • kdc_ip (str, optional) – The kerberos host supplying the session tickets.

  • kdc_port (int, optional) – The port to use for kerberos connections. If left unspecified the default is 88.

  • kdc_protocol (str, optional) – The protocol to use for kerberos connections. Valid options are tcp and udp. If left unspecified then the default is tcp.

  • kdc_realm (str, optional) – The Kerberos realm to use for authentication.

  • lieberman_host (str, optional) – The address for the Lieberman vault.

  • lieberman_port (int, optional) – The port number where the Lieberman service is listening.

  • lieberman_pam_password (str, optional) – The password to authenticate to the Lieberman RED API.

  • lieberman_pam_user (str, optional) – The username to authenticate to the Lieberman RED API.

  • lieberman_system_name (str, optional) – The name for the credentials in Lieberman.

  • lieberman_use_ssl (bool, optional) – Should the scanners communicate to Lieberman over SSL for credential retrieval? If left unspecified, the default is set to True.

  • lieberman_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Lieberman? If left unspecified, the default is False.

  • password (str, optional) – The password for the credential.

  • port (int, optional) – A valid port number for a database credential.

  • private_key (file, optional) – The fileobject containing the SSH private key.

  • privilege_escalation (str, optional) – The type of privilege escalation to perform once authenticated. Valid values are .k5login, Cisco 'enable', dzdo, none, pbrun, su, su+sudo, sudo. If left unspecified, the default is none.

  • public_key (file, optional) – The fileobject containing the SSH public key or certificate.

  • oracle_auth_type (str, optional) – The type of authentication to use when communicating to an Oracle database server. Supported values are sysdba, sysoper, and normal. If left unspecified, the default option is normal.

  • oracle_service_type (str, optional) – The type of service identifier specified in the sid parameter. Valid values are either sid or service_name. If left unspecified, the default is sid.

  • sid (str, optional) – The service identifier or name for a database credential.

  • sql_server_auth_type (str, optional) – The type of authentication to perform to the SQL Server instance. Valid values are SQL and Windows. The default value if left unspecified is SQL.

  • tags (str, optional) – A tag to associate to the credential.

  • username (str, optional) – The username for the OS credential.

  • thycotic_domain (str, optional) – The domain, if set, within Thycotic.

  • thycotic_organization (str, optional) – The organization to use if using a cloud instance of Thycotic.

  • thycotic_password (str, optional) – The password to use when authenticating to Thycotic.

  • thycotic_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • thycotic_secret_name (str, optional) – The secret name value on the Tycotic server.

  • thycotic_url (str, optional) – The absolute URL path pointing to the Thycotic secret server.

  • thycotic_username (str, optional) – The username to use to authenticate to Thycotic.

  • thycotic_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Thycotic? If left unspecified, the default is False.

  • vault_account_name (str, optional) – The unique name of the credential to retrieve from CyberArk. Generally referred to as the name parameter within CyberArk.

  • vault_address (str, optional) – The domain for the CyberArk account. SSL must be configured through IIS on the CCP before using.

  • vault_app_id (str, optional) – The AppID to use with CyberArk.

  • vault_cyberark_client_cert (file, optional) – The fileobject containing the CyberArk client certificate.

  • vault_cyberark_url (str, optional) – The URL for the CyberArk AIM web service. If left unspecified, the default URL path of /AIMWebservice/v1.1/AIM.asmx will be used..

  • vault_cyberark_private_key (file, optional) – The fileobject containing the CyberArk client private key.

  • vault_cyberark_private_key_passphrase (str, optional) – The passhrase for the private key.

  • vault_folder (str, optional) – The folder to use within CyberArk for credential retrieval.

  • vault_host (str, optional) – The CyberArk Vault host.

  • vault_password (str, optional) – The password to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_policy_id (int, optional) – The CyberArk PolicyID assigned to the credentials to retrieve.

  • vault_port (int, optional) – The port in which the CyberArk Vault resides.

  • vault_safe (str, optional) – The CyberArk safe that contains the credentials to retrieve.

  • vault_use_ssl (bool, optional) – Should the scanners communicate to CyberArk over SSL for credential retrieval? If left unspecified, the default is set to True.

  • vault_username (str, optional) – The username to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to the vault? If left unspecified, the default is False.

Returns:

The newly created credential.

Return type:

dict

Examples

Creating a Windows AD credential:

>>> cred = sc.credentials.create(
...     'Example AD User', 'windows', 'ntlm',
...     username='scanneruser',
...     password='sekretpassword',
...     domain='Company.com')

Creating a root user SSH credential:

>>> cred = sc.credentials.create(
...     'Example SSH Cred', 'ssh', 'password',
...     username='root',
...     password='sekretpassword')

Creating a root user SSH cred with a private key:

>>> with open('privatekeyfile', 'rb') as keyfile:
...     cred = sc.credentials.create(
...         'Example SSH Keys', 'ssh', 'publickey',
...         username='root',
...         private_key=keyfile)

Creating a normal user SSH cred with sudo for privilege escalation:

>>> cred = sc.credentials.create(
...     'Example SSH Sudo', 'ssh', 'password',
...     username='user',
...     password='sekretpassword',
...     privilege_escalation='sudo',
...     escalation_password='sekretpassword')

Creating a SQL Server cred set:

>>> cred = sc.credentials.create(
...     'Example SQL Server', 'database', 'SQL Server',
...     username='sa',
...     password='sekretpassword',
...     sql_server_auth_type='SQL',
...     sid='database_name')
delete(id)[source]

Removes a credential.

credential: delete

Parameters:

id (int) – The numeric identifier for the credential to remove.

Returns:

An empty response.

Return type:

str

Examples

>>> sc.credentials.delete(1)
details(id, fields=None)[source]

Returns the details for a specific credential.

credential: details

Parameters:
  • id (int) – The identifier for the credential.

  • fields (list, optional) – A list of attributes to return.

Returns:

The credential resource record.

Return type:

dict

Examples

>>> cred = sc.credentials.details(1)
>>> pprint(cred)
edit(id, **kw)[source]

Edits a credential.

credential: edit

Parameters:
  • auth_type (str, optional) – The type of authentication for the credential. Valid types are beyondtrust, certificate, cyberark``, kerberos, lieberman, lm, ntlm, password, publickey, thycotic.

  • beyondtrust_api_key (str, optional) – The API key to use for authenticating to Beyondtrust.

  • beyondtrust_duration (int, optional) – The length of time to cache the checked-out credentials from Beyondtrust. This value should be less than the password change interval within Beyondtrust.

  • beyondtrust_host (str, optional) – The host address for the Beyondtrust application.

  • beyondtrust_port (int, optional) – The port number associated with the Beyondtrust application.

  • beyondtrust_use_escalation (bool, optional) – If enabled, informs the scanners to use Beyondtrust for privilege escalation.

  • beyondtrust_use_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • beyondtrust_use_ssl (bool, optional) – Should the scanners communicate to Beyondtrust over SSL for credential retrieval? If left unspecified, the default is set to True.

  • beyondtrust_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Beyondtrust? If left unspecified, the default is False.

  • community_string (str, optional) – The SNMP community string to use for authentication.

  • db_type (str, optional) – The type of database connection that will be performed. Valid types are DB2, Informix/DRDA, MySQL, Oracle, PostgreSQL, SQL Server.

  • description (str, optional) – A description to associate to the credential.

  • domain (str, optional) – The Active Directory domain to use if the user is a member of a domain.

  • escalation_path (str, optional) – The path in which to run the escalation commands.

  • escalation_password (str, optional) – The password to use for the escalation.

  • escalation_su_use (str, optional) – If performing an SU escalation, this is the user to escalate to.

  • escalation_username (str, optional) – The username to escalate to.

  • kdc_ip (str, optional) – The kerberos host supplying the session tickets.

  • kdc_port (int, optional) – The port to use for kerberos connections. If left unspecified the default is 88.

  • kdc_protocol (str, optional) – The protocol to use for kerberos connections. Valid options are tcp and udp. If left unspecified then the default is tcp.

  • kdc_realm (str, optional) – The Kerberos realm to use for authentication.

  • lieberman_host (str, optional) – The address for the Lieberman vault.

  • lieberman_port (int, optional) – The port number where the Lieberman service is listening.

  • lieberman_pam_password (str, optional) – The password to authenticate to the Lieberman RED API.

  • lieberman_pam_user (str, optional) – The username to authenticate to the Lieberman RED API.

  • lieberman_system_name (str, optional) – The name for the credentials in Lieberman.

  • lieberman_use_ssl (bool, optional) – Should the scanners communicate to Lieberman over SSL for credential retrieval? If left unspecified, the default is set to True.

  • lieberman_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Lieberman? If left unspecified, the default is False.

  • name (str, optional) – The name for the credential.

  • password (str, optional) – The password for the credential.

  • port (int, optional) – A valid port number for a database credential.

  • private_key (file, optional) – The fileobject containing the SSH private key.

  • privilege_escalation (str, optional) – The type of privilege escalation to perform once authenticated. Valid values are .k5login, Cisco 'enable', dzdo, none, pbrun, su, su+sudo, sudo. If left unspecified, the default is none.

  • public_key (file, optional) – The fileobject containing the SSH public key or certificate.

  • oracle_auth_type (str, optional) – The type of authentication to use when communicating to an Oracle database server. Supported values are sysdba, sysoper, and normal. If left unspecified, the default option is normal.

  • oracle_service_type (str, optional) – The type of service identifier specified in the sid parameter. Valid values are either sid or service_name. If left unspecified, the default is sid.

  • sid (str, optional) – The service identifier or name for a database credential.

  • sql_server_auth_type (str, optional) – The type of authentication to perform to the SQL Server instance. Valid values are SQL and Windows. The default value if left unspecified is SQL.

  • tags (str, optional) – A tag to associate to the credential.

  • type (str. optional) – The type of credential to store. Valid types are database, snmp, ssh, and windows.

  • username (str, optional) – The username for the OS credential.

  • thycotic_domain (str, optional) – The domain, if set, within Thycotic.

  • thycotic_organization (str, optional) – The organization to use if using a cloud instance of Thycotic.

  • thycotic_password (str, optional) – The password to use when authenticating to Thycotic.

  • thycotic_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.

  • thycotic_secret_name (str, optional) – The secret name value on the Tycotic server.

  • thycotic_url (str, optional) – The absolute URL path pointing to the Thycotic secret server.

  • thycotic_username (str, optional) – The username to use to authenticate to Thycotic.

  • thycotic_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Thycotic? If left unspecified, the default is False.

  • vault_account_name (str, optional) – The unique name of the credential to retrieve from CyberArk. Generally referred to as the name parameter within CyberArk.

  • vault_address (str, optional) – The domain for the CyberArk account. SSL must be configured through IIS on the CCP before using.

  • vault_app_id (str, optional) – The AppID to use with CyberArk.

  • vault_cyberark_client_cert (file, optional) – The fileobject containing the CyberArk client certificate.

  • vault_cyberark_url (str, optional) – The URL for the CyberArk AIM web service. If left unspecified, the default URL path of /AIMWebservice/v1.1/AIM.asmx will be used..

  • vault_cyberark_private_key (file, optional) – The fileobject containing the CyberArk client private key.

  • vault_cyberark_private_key_passphrase (str, optional) – The passhrase for the private key.

  • vault_folder (str, optional) – The folder to use within CyberArk for credential retrieval.

  • vault_host (str, optional) – The CyberArk Vault host.

  • vault_password (str, optional) – The password to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_policy_id (int, optional) – The CyberArk PolicyID assigned to the credentials to retrieve.

  • vault_port (int, optional) – The port in which the CyberArk Vault resides.

  • vault_safe (str, optional) – The CyberArk safe that contains the credentials to retrieve.

  • vault_use_ssl (bool, optional) – Should the scanners communicate to CyberArk over SSL for credential retrieval? If left unspecified, the default is set to True.

  • vault_username (str, optional) – The username to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.

  • vault_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to the vault? If left unspecified, the default is False.

Returns:

The newly updated credential.

Return type:

dict

Examples

>>> cred = sc.credentials.edit()
list(fields=None)[source]

Retrieves the list of credential definitions.

Parameters:

fields (list, optional) – A list of attributes to return for each credential.

Returns:

A list of credential resources.

Return type:

list

Examples

>>> for cred in sc.credentials.list():
...     pprint(cred)
share(id, *groups)[source]

Shares the specified credential to another user group.

credential: share

Parameters:
  • id (int) – The numeric id for the credential.

  • *groups (int) – The numeric id of the group(s) to share to.

Returns:

The updated credential resource.

Return type:

dict

Examples

>>> sc.credentials.share(1, group_1, group_2)
tags()[source]

Retrieves the list of unique tags associated to credentials.

credential: tags

Returns:

List of tags

Return type:

list

Examples

>>> tags = sc.credentials.tags()