Credentials
The following methods allow for interaction with the Tenable Security Center Scan Credentials API. These items are typically found under the Scan Credentials section of Tenable Security Center.
Methods available on sc.credentials:
- class CredentialAPI(api: APISession)
- create(name, cred_type, auth_type, **kw)
Creates a credential.
- Parameters:
name (str) – The name for the credential.
cred_type (str) – The type of credential to store. Valid types are `database`, `snmp`, `ssh`, and `windows`.
auth_type (str) – The type of authentication for the credential. Valid types are `beyondtrust`, `certificate`, `cyberark`, `kerberos`, `lieberman`, `lm`, `ntlm`, `password`, `publicKey`, and `thycotic`.
beyondtrust_api_key (str, optional) – The API key to use for authenticating to Beyondtrust.
beyondtrust_duration (int, optional) – The length of time to cache the checked-out credentials from Beyondtrust. This value should be less than the password change interval within Beyondtrust.
beyondtrust_host (str, optional) – The host address for the Beyondtrust application.
beyondtrust_port (int, optional) – The port number associated with the Beyondtrust application.
beyondtrust_use_escalation (bool, optional) – If enabled, informs the scanners to use Beyondtrust for privilege escalation.
beyondtrust_use_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.
beyondtrust_use_ssl (bool, optional) – Should the scanners communicate to Beyondtrust over SSL for credential retrieval? If left unspecified, the default is set to `True`.
beyondtrust_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Beyondtrust? If left unspecified, the default is `False`.
community_string (str, optional) – The SNMP community string to use for authentication.
db_type (str, optional) – The type of database connection that will be performed. Valid types are `DB2`, `Informix/DRDA`, `MySQL`, `Oracle`, `PostgreSQL`, and `SQL Server`.
description (str, optional) – A description to associate to the credential.
domain (str, optional) – The Active Directory domain to use if the user is a member of a domain.
escalation_path (str, optional) – The path in which to run the escalation commands.
escalation_password (str, optional) – The password to use for the escalation.
escalation_su_use (str, optional) – If performing an SU escalation, this is the user to escalate to.
escalation_username (str, optional) – The username to escalate to.
kdc_ip (str, optional) – The Kerberos host supplying the session tickets.
kdc_port (int, optional) – The port to use for Kerberos connections. If left unspecified, the default is `88`.
kdc_protocol (str, optional) – The protocol to use for Kerberos connections. Valid options are `tcp` and `udp`. If left unspecified, the default is `tcp`.
kdc_realm (str, optional) – The Kerberos realm to use for authentication.
lieberman_host (str, optional) – The address for the Lieberman vault.
lieberman_port (int, optional) – The port number where the Lieberman service is listening.
lieberman_pam_password (str, optional) – The password to authenticate to the Lieberman RED API.
lieberman_pam_user (str, optional) – The username to authenticate to the Lieberman RED API.
lieberman_system_name (str, optional) – The name for the credentials in Lieberman.
lieberman_use_ssl (bool, optional) – Should the scanners communicate to Lieberman over SSL for credential retrieval? If left unspecified, the default is set to `True`.
lieberman_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Lieberman? If left unspecified, the default is `False`.
password (str, optional) – The password for the credential.
port (int, optional) – A valid port number for a database credential.
private_key (file, optional) – The file object containing the SSH private key.
privilege_escalation (str, optional) – The type of privilege escalation to perform once authenticated. Valid values are `.k5login`, `Cisco 'enable'`, `dzdo`, `none`, `pbrun`, `su`, `su+sudo`, and `sudo`. If left unspecified, the default is `none`.
public_key (file, optional) – The file object containing the SSH public key or certificate.
oracle_auth_type (str, optional) – The type of authentication to use when communicating to an Oracle database server. Supported values are `sysdba`, `sysoper`, and `normal`. If left unspecified, the default option is `normal`.
oracle_service_type (str, optional) – The type of service identifier specified in the `sid` parameter. Valid values are either `sid` or `service_name`. If left unspecified, the default is `sid`.
sid (str, optional) – The service identifier or name for a database credential.
sql_server_auth_type (str, optional) – The type of authentication to perform to the SQL Server instance. Valid values are `SQL` and `Windows`. The default value if left unspecified is `SQL`.
tags (str, optional) – A tag to associate to the credential.
username (str, optional) – The username for the OS credential.
thycotic_domain (str, optional) – The domain, if set, within Thycotic.
thycotic_organization (str, optional) – The organization to use if using a cloud instance of Thycotic.
thycotic_password (str, optional) – The password to use when authenticating to Thycotic.
thycotic_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.
thycotic_secret_name (str, optional) – The secret name value on the Thycotic server.
thycotic_url (str, optional) – The absolute URL path pointing to the Thycotic secret server.
thycotic_username (str, optional) – The username to use to authenticate to Thycotic.
thycotic_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Thycotic? If left unspecified, the default is `False`.
vault_account_name (str, optional) – The unique name of the credential to retrieve from CyberArk. Generally referred to as the name parameter within CyberArk.
vault_address (str, optional) – The domain for the CyberArk account. SSL must be configured through IIS on the CCP before using.
vault_app_id (str, optional) – The AppID to use with CyberArk.
vault_cyberark_client_cert (file, optional) – The file object containing the CyberArk client certificate.
vault_cyberark_url (str, optional) – The URL for the CyberArk AIM web service. If left unspecified, the default URL path of `/AIMWebservice/v1.1/AIM.asmx` will be used.
vault_cyberark_private_key (file, optional) – The file object containing the CyberArk client private key.
vault_cyberark_private_key_passphrase (str, optional) – The passphrase for the private key.
vault_folder (str, optional) – The folder to use within CyberArk for credential retrieval.
vault_host (str, optional) – The CyberArk Vault host.
vault_password (str, optional) – The password to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.
vault_policy_id (int, optional) – The CyberArk PolicyID assigned to the credentials to retrieve.
vault_port (int, optional) – The port on which the CyberArk Vault listens.
vault_safe (str, optional) – The CyberArk safe that contains the credentials to retrieve.
vault_use_ssl (bool, optional) – Should the scanners communicate to CyberArk over SSL for credential retrieval? If left unspecified, the default is set to `True`.
vault_username (str, optional) – The username to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.
vault_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to the vault? If left unspecified, the default is `False`.
- Returns:
The newly created credential.
- Return type:
Examples
Creating a Windows AD credential:

>>> cred = sc.credentials.create(
...     'Example AD User', 'windows', 'ntlm',
...     username='scanneruser',
...     password='sekretpassword',
...     domain='Company.com')

Creating a root user SSH credential:

>>> cred = sc.credentials.create(
...     'Example SSH Cred', 'ssh', 'password',
...     username='root',
...     password='sekretpassword')

Creating a root user SSH cred with a private key:

>>> with open('privatekeyfile', 'rb') as keyfile:
...     cred = sc.credentials.create(
...         'Example SSH Keys', 'ssh', 'publickey',
...         username='root',
...         private_key=keyfile)

Creating a normal user SSH cred with sudo for privilege escalation:

>>> cred = sc.credentials.create(
...     'Example SSH Sudo', 'ssh', 'password',
...     username='user',
...     password='sekretpassword',
...     privilege_escalation='sudo',
...     escalation_password='sekretpassword')

Creating a SQL Server cred set (the database flavour goes in `db_type`; `auth_type` is the authentication method):

>>> cred = sc.credentials.create(
...     'Example SQL Server', 'database', 'password',
...     db_type='SQL Server',
...     username='sa',
...     password='sekretpassword',
...     sql_server_auth_type='SQL',
...     sid='database_name')
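The following is an added example and not code from pyTenable or this reference. It wraps `sc.credentials.create()` in a helper that checks `cred_type`, `auth_type`, `db_type`, `privilege_escalation` and `kdc_protocol` against the valid values listed above before anything reaches Security Center, and that sets the vault integrations' `*_verify_ssl` flag to `True` unless the caller explicitly passes a value, since the reference documents `False` as the default. The helper names (`build_credential`, `create_credential`), the stand-in session object used to run it offline, and the host, safe and AppID strings are all constructed for this example.

```python
# Added example: argument checking and safer defaults in front of
# sc.credentials.create(). Not part of pyTenable.
from types import SimpleNamespace

# Valid values as documented for create()/edit() in the reference above.
CRED_TYPES = {'database', 'snmp', 'ssh', 'windows'}
AUTH_TYPES = {'beyondtrust', 'certificate', 'cyberark', 'kerberos', 'lieberman',
              'lm', 'ntlm', 'password', 'thycotic',
              'publicKey', 'publickey'}   # the reference uses both spellings
DB_TYPES = {'DB2', 'Informix/DRDA', 'MySQL', 'Oracle', 'PostgreSQL', 'SQL Server'}
ESCALATION = {'.k5login', "Cisco 'enable'", 'dzdo', 'none', 'pbrun',
              'su', 'su+sudo', 'sudo'}
KDC_PROTOCOLS = {'tcp', 'udp'}

# For each vault-backed auth_type, the verify_ssl keyword whose documented
# default is False. The wrapper flips it to True unless told otherwise.
VAULT_VERIFY_FLAG = {
    'beyondtrust': 'beyondtrust_verify_ssl',
    'cyberark': 'vault_verify_ssl',
    'lieberman': 'lieberman_verify_ssl',
    'thycotic': 'thycotic_verify_ssl',
}


def _check_choice(name, value, choices):
    if value not in choices:
        raise ValueError(f'{name}={value!r} is not one of {sorted(choices)}')


def build_credential(name, cred_type, auth_type, **kw):
    """Return (positional args, keyword args) for sc.credentials.create,
    or raise ValueError before any request is made."""
    _check_choice('cred_type', cred_type, CRED_TYPES)
    _check_choice('auth_type', auth_type, AUTH_TYPES)
    if 'db_type' in kw:
        _check_choice('db_type', kw['db_type'], DB_TYPES)
    elif cred_type == 'database':
        raise ValueError('database credentials need db_type')
    if 'privilege_escalation' in kw:
        _check_choice('privilege_escalation', kw['privilege_escalation'], ESCALATION)
    if 'kdc_protocol' in kw:
        _check_choice('kdc_protocol', kw['kdc_protocol'], KDC_PROTOCOLS)
    # Do not silently accept an unverified TLS connection to the vault.
    flag = VAULT_VERIFY_FLAG.get(auth_type)
    if flag is not None:
        kw.setdefault(flag, True)
    return (name, cred_type, auth_type), kw


def create_credential(sc, name, cred_type, auth_type, **kw):
    """Validate, then call the real API: sc is a pyTenable TenableSC session."""
    args, kwargs = build_credential(name, cred_type, auth_type, **kw)
    return sc.credentials.create(*args, **kwargs)


class _RecordingCredentialAPI:
    """Constructed stand-in for sc.credentials so the wrapper runs offline;
    it records each call and returns a minimal credential record."""
    def __init__(self):
        self.calls = []

    def create(self, name, cred_type, auth_type, **kw):
        self.calls.append((name, cred_type, auth_type, kw))
        return {'id': len(self.calls), 'name': name,
                'type': cred_type, 'authType': auth_type}


def demo():
    sc = SimpleNamespace(credentials=_RecordingCredentialAPI())  # stand-in session
    sudo_cred = create_credential(
        sc, 'Example SSH Sudo', 'ssh', 'password',
        username='user', password='sekretpassword',
        privilege_escalation='sudo', escalation_password='sekretpassword')
    vault_cred = create_credential(
        sc, 'Example CyberArk Windows', 'windows', 'cyberark',
        username='svc_scan', vault_host='vault.example.internal',   # constructed
        vault_safe='ScannerSafe', vault_app_id='TenableSC')          # constructed
    return sudo_cred, vault_cred, sc.credentials.calls


if __name__ == '__main__':
    for item in demo():
        print(item)
```

With a live session, replace the stand-in with `sc = TenableSC(host, ...)` from pyTenable and call `create_credential(sc, ...)` unchanged; the validation and the `verify_ssl` default are applied before the request is sent.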
- delete(id)
Removes a credential.
- Parameters:
id (int) – The numeric identifier for the credential to remove.
- Returns:
An empty response.
- Return type:
Examples
>>> sc.credentials.delete(1)
- details(id, fields=None)
Returns the details for a specific credential.
- Parameters:
- Returns:
The credential resource record.
- Return type:
Examples
>>> cred = sc.credentials.details(1)
>>> pprint(cred)
- edit(id, **kw)
Edits a credential.
- Parameters:
auth_type (str, optional) – The type of authentication for the credential. Valid types are `beyondtrust`, `certificate`, `cyberark`, `kerberos`, `lieberman`, `lm`, `ntlm`, `password`, `publickey`, and `thycotic`.
beyondtrust_api_key (str, optional) – The API key to use for authenticating to Beyondtrust.
beyondtrust_duration (int, optional) – The length of time to cache the checked-out credentials from Beyondtrust. This value should be less than the password change interval within Beyondtrust.
beyondtrust_host (str, optional) – The host address for the Beyondtrust application.
beyondtrust_port (int, optional) – The port number associated with the Beyondtrust application.
beyondtrust_use_escalation (bool, optional) – If enabled, informs the scanners to use Beyondtrust for privilege escalation.
beyondtrust_use_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.
beyondtrust_use_ssl (bool, optional) – Should the scanners communicate to Beyondtrust over SSL for credential retrieval? If left unspecified, the default is set to `True`.
beyondtrust_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Beyondtrust? If left unspecified, the default is `False`.
community_string (str, optional) – The SNMP community string to use for authentication.
db_type (str, optional) – The type of database connection that will be performed. Valid types are `DB2`, `Informix/DRDA`, `MySQL`, `Oracle`, `PostgreSQL`, and `SQL Server`.
description (str, optional) – A description to associate to the credential.
domain (str, optional) – The Active Directory domain to use if the user is a member of a domain.
escalation_path (str, optional) – The path in which to run the escalation commands.
escalation_password (str, optional) – The password to use for the escalation.
escalation_su_use (str, optional) – If performing an SU escalation, this is the user to escalate to.
escalation_username (str, optional) – The username to escalate to.
kdc_ip (str, optional) – The Kerberos host supplying the session tickets.
kdc_port (int, optional) – The port to use for Kerberos connections. If left unspecified, the default is `88`.
kdc_protocol (str, optional) – The protocol to use for Kerberos connections. Valid options are `tcp` and `udp`. If left unspecified, the default is `tcp`.
kdc_realm (str, optional) – The Kerberos realm to use for authentication.
lieberman_host (str, optional) – The address for the Lieberman vault.
lieberman_port (int, optional) – The port number where the Lieberman service is listening.
lieberman_pam_password (str, optional) – The password to authenticate to the Lieberman RED API.
lieberman_pam_user (str, optional) – The username to authenticate to the Lieberman RED API.
lieberman_system_name (str, optional) – The name for the credentials in Lieberman.
lieberman_use_ssl (bool, optional) – Should the scanners communicate to Lieberman over SSL for credential retrieval? If left unspecified, the default is set to `True`.
lieberman_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Lieberman? If left unspecified, the default is `False`.
name (str, optional) – The name for the credential.
password (str, optional) – The password for the credential.
port (int, optional) – A valid port number for a database credential.
private_key (file, optional) – The file object containing the SSH private key.
privilege_escalation (str, optional) – The type of privilege escalation to perform once authenticated. Valid values are `.k5login`, `Cisco 'enable'`, `dzdo`, `none`, `pbrun`, `su`, `su+sudo`, and `sudo`. If left unspecified, the default is `none`.
public_key (file, optional) – The file object containing the SSH public key or certificate.
oracle_auth_type (str, optional) – The type of authentication to use when communicating to an Oracle database server. Supported values are `sysdba`, `sysoper`, and `normal`. If left unspecified, the default option is `normal`.
oracle_service_type (str, optional) – The type of service identifier specified in the `sid` parameter. Valid values are either `sid` or `service_name`. If left unspecified, the default is `sid`.
sid (str, optional) – The service identifier or name for a database credential.
sql_server_auth_type (str, optional) – The type of authentication to perform to the SQL Server instance. Valid values are `SQL` and `Windows`. The default value if left unspecified is `SQL`.
tags (str, optional) – A tag to associate to the credential.
type (str, optional) – The type of credential to store. Valid types are `database`, `snmp`, `ssh`, and `windows`.
username (str, optional) – The username for the OS credential.
thycotic_domain (str, optional) – The domain, if set, within Thycotic.
thycotic_organization (str, optional) – The organization to use if using a cloud instance of Thycotic.
thycotic_password (str, optional) – The password to use when authenticating to Thycotic.
thycotic_private_key (bool, optional) – If enabled, informs the scanners to use key-based auth for SSH connections instead of password auth.
thycotic_secret_name (str, optional) – The secret name value on the Thycotic server.
thycotic_url (str, optional) – The absolute URL path pointing to the Thycotic secret server.
thycotic_username (str, optional) – The username to use to authenticate to Thycotic.
thycotic_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to Thycotic? If left unspecified, the default is `False`.
vault_account_name (str, optional) – The unique name of the credential to retrieve from CyberArk. Generally referred to as the name parameter within CyberArk.
vault_address (str, optional) – The domain for the CyberArk account. SSL must be configured through IIS on the CCP before using.
vault_app_id (str, optional) – The AppID to use with CyberArk.
vault_cyberark_client_cert (file, optional) – The file object containing the CyberArk client certificate.
vault_cyberark_url (str, optional) – The URL for the CyberArk AIM web service. If left unspecified, the default URL path of `/AIMWebservice/v1.1/AIM.asmx` will be used.
vault_cyberark_private_key (file, optional) – The file object containing the CyberArk client private key.
vault_cyberark_private_key_passphrase (str, optional) – The passphrase for the private key.
vault_folder (str, optional) – The folder to use within CyberArk for credential retrieval.
vault_host (str, optional) – The CyberArk Vault host.
vault_password (str, optional) – The password to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.
vault_policy_id (int, optional) – The CyberArk PolicyID assigned to the credentials to retrieve.
vault_port (int, optional) – The port on which the CyberArk Vault listens.
vault_safe (str, optional) – The CyberArk safe that contains the credentials to retrieve.
vault_use_ssl (bool, optional) – Should the scanners communicate to CyberArk over SSL for credential retrieval? If left unspecified, the default is set to `True`.
vault_username (str, optional) – The username to use for authentication to the vault if the CyberArk Central Credential Provider is configured for basic auth.
vault_verify_ssl (bool, optional) – Should the SSL certificate be validated when communicating to the vault? If left unspecified, the default is `False`.
- Returns:
The newly updated credential.
- Return type:
Examples
>>> cred = sc.credentials.edit(1, name='Example AD User (renamed)')
- list(fields=None)
Retrieves the list of credential definitions.
- Parameters:
fields (list, optional) – A list of attributes to return for each credential.
- Returns:
A list of credential resources.
- Return type:
Examples
>>> for cred in sc.credentials.list():
...     pprint(cred)
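An added example, not pyTenable's own code, that turns the output of `list()` into a credential hygiene report: SSH credentials that rely on a static password instead of a key or vault, SSH credentials that log in directly as `root` rather than escalating, stored SNMP community strings, and Windows credentials using LM authentication. The record layout assumed here (top-level `id`, `name`, `type` and `authType`, plus a `typeFields` dict holding `username` and `privilegeEscalation`) and the sample records are constructed for the example; confirm the field names against a `details()` call on your own instance before relying on them.

```python
# Added example: a review pass over credential records. Not part of pyTenable.
from collections import Counter

# Constructed sample records in the layout assumed above.
SAMPLE_RECORDS = [
    {'id': 1, 'name': 'Example AD User', 'type': 'windows', 'authType': 'ntlm',
     'typeFields': {'username': 'scanneruser', 'domain': 'Company.com'}},
    {'id': 2, 'name': 'Example SSH Cred', 'type': 'ssh', 'authType': 'password',
     'typeFields': {'username': 'root'}},
    {'id': 3, 'name': 'Example SSH Keys', 'type': 'ssh', 'authType': 'publicKey',
     'typeFields': {'username': 'scanner', 'privilegeEscalation': 'sudo'}},
    {'id': 4, 'name': 'Example SNMP', 'type': 'snmp', 'authType': 'password',
     'typeFields': {}},
    {'id': 5, 'name': 'Legacy LM', 'type': 'windows', 'authType': 'lm',
     'typeFields': {'username': 'legacy'}},
]


def audit_credentials(records):
    """Return a list of findings, one dict per (credential, check) pair."""
    findings = []
    for rec in records:
        ctype = rec.get('type')
        auth = (rec.get('authType') or '').lower()
        fields = rec.get('typeFields') or {}

        def flag(check, detail):
            findings.append({'id': rec.get('id'), 'name': rec.get('name'),
                             'check': check, 'detail': detail})

        if ctype == 'ssh' and auth == 'password':
            flag('ssh-static-password',
                 'SSH credential stores a static password; prefer a key or a vault')
        if ctype == 'ssh' and fields.get('username') == 'root':
            flag('ssh-root-login',
                 'SSH credential logs in directly as root; prefer an unprivileged '
                 'user with privilege_escalation')
        if ctype == 'snmp':
            flag('snmp-community-string',
                 'SNMP community string stored; treat it as a shared secret')
        if ctype == 'windows' and auth == 'lm':
            flag('windows-lm-auth',
                 'Windows credential uses LM authentication')
    return findings


def summarize(findings):
    """Count findings per check so the report can be tracked over time."""
    return dict(Counter(f['check'] for f in findings))


def audit_from_sc(sc):
    """Run the audit against a live pyTenable session (sc = TenableSC(...)).
    The 'typeFields' entry in fields= is an assumption about the API."""
    records = sc.credentials.list(
        fields=['id', 'name', 'type', 'authType', 'typeFields'])
    return audit_credentials(records)


if __name__ == '__main__':
    for f in audit_credentials(SAMPLE_RECORDS):
        print(f"[{f['check']}] #{f['id']} {f['name']}: {f['detail']}")
    print(summarize(audit_credentials(SAMPLE_RECORDS)))
```

The findings are plain dicts so they can be written to a ticketing system or compared between runs; `summarize()` gives the per-check counts that make a drift between two reports easy to spot.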
- share(id, *groups)
Shares the specified credential to another user group.
- Parameters:
- Returns:
The updated credential resource.
- Return type:
Examples
Sharing credential 1 with the user groups whose numeric identifiers are 2 and 3:

>>> sc.credentials.share(1, 2, 3)