Wallix AdminBastion (WAB) Vault Credentials
Use this vault type to retrieve authentication credentials from a Wallix AdminBastion (WAB) vault.
A Manager user has permission to configure a WAB vault. A Unit Manager can be granted this permission.
Define these credentials in your vault.
URL - The HTTP or HTTPS URL to access the WAB web services API.
SSL Verify - This option is available when the URL uses HTTPS. Qualys scanners will verify the SSL certificate of the web server to make sure the certificate is valid and trusted, unless you clear (un-check) the SSL Verify option. You may want to clear this option to skip SSL verification if the certificate was not issued by a well-known certification authority (CA) or if the certificate is self-signed.
Username - The user account that can call the WAB web services API (see user account requirements below).
Password - The password for the user account. Note - you can either specify a password or the application key, but not both.
Application API Key - Paste in your WAB REST API key. You'll want to restrict the key to Qualys scanner IP addresses. Go to Help > About to see the Qualys scanners located at the SOC where your account is located. The application key then acts as the authenticator when connecting to the WAB web services API. Refer to the WAB REST API usage documentation to learn more about creating keys and restricting access.
The user account must have the profile "user" and must be a member of a resource group. For example, create a user called "qualys_wallix_user" and make this user part of the user group "qualys_wallix_group". Then add the user group to the resource group "qualys_scan_group". All the targets you want to scan must be part of the same resource group as the user.
The user account should have these settings:
Profile: user
Force password change: No
Account expiration date: not set
IP restrictions: IP/Subnet: not set (your scanner IP/subnet must NOT be present in this field)
Consider when your scans run and make sure the user group's allowed time frame covers those times, so the user can access the vault while the scan is in progress.
Edit each target account to make these settings:
Auto password change - OFF (not selected)
Checkout policy: default
Choose the Wallix AdminBastion (WAB) vault in your authentication record and provide the authorization name and target name.
Basically, you'll authorize the vault user to have access to the resource group in order to scan the targets in the group. Then you'll enter the authorization name in your record.
You'll want to make these settings in WAB:
Enable password checkout - ON (This means users in the group can query the password.)
Enable sessions - OFF (not selected)
Enable approval workflow - OFF (not selected)
You’ll enter the target name using one of these formats.
user@global_WABdomain
user@local_WABdomain@device
where:
user - the user with access to the target
global_WABdomain - a domain name in a domain controller
local_WABdomain - a local domain
device - the device you want to scan
You can use one or more variables when defining the target name in order to match several targets that use the same naming convention.
${ip} // The IP address of the target, e.g. 10.20.30.40.
${ip_dash} // The IP address of the target with dashes instead of dots, e.g. 10-20-30-40.
${dnshost} // The DNS host name of the target, e.g. host.domain.
${host} // The host name of the target, i.e. the part of host.domain before .domain.
${nbhost} // (Windows only) The NetBIOS host name of the target in upper-case, e.g. HOST_ABC.
Let’s say you have these 6 devices in WAB:
CentOS6
10.50.60.70
10.50.60.88
10.30.10.12
10-20-32-201
10-20-31-112_win81-x86.prod.qualys.com
You’ll need to create 4 records with the following target names where the user is "qualys_scan" and the local_WABdomain is "local":
Record 1: qualys_scan@local@CentOS6
Record 2: qualys_scan@local@${ip} (matches 10.50.60.70, 10.50.60.88 and 10.30.10.12)
Record 3: qualys_scan@local@10-20-32-201 -or- qualys_scan@local@${ip_dash}
Record 4: qualys_scan@local@10-20-31-112_win81-x86.prod.qualys.com -or- qualys_scan@local@${ip_dash}_${dnshost}
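As an added illustration of the target-name matching above (this is not Qualys or Wallix code; it assumes the variables are expanded by plain string substitution and that ${host} is the part of ${dnshost} before the first dot), the following Python expands a record's target name for a scan target and checks whether the resulting device part is one of the six devices in the example:

```python
import re
from dataclasses import dataclass

# Constructed sample: the six WAB device names from the example above.
WAB_DEVICES = {
    "CentOS6",
    "10.50.60.70",
    "10.50.60.88",
    "10.30.10.12",
    "10-20-32-201",
    "10-20-31-112_win81-x86.prod.qualys.com",
}

@dataclass
class ScanTarget:
    ip: str
    dnshost: str = ""  # host.domain; empty when no DNS name is known
    nbhost: str = ""   # Windows NetBIOS name; empty for non-Windows targets

def variables_for(target: ScanTarget) -> dict:
    """Values the five placeholders take for one target (plain substitution is assumed)."""
    return {
        "ip": target.ip,
        "ip_dash": target.ip.replace(".", "-"),
        "dnshost": target.dnshost,
        "host": target.dnshost.split(".", 1)[0],
        "nbhost": target.nbhost.upper(),
    }

_VAR = re.compile(r"\$\{(ip_dash|ip|dnshost|host|nbhost)\}")
def expand_target_name(template: str, target: ScanTarget) -> str:
    """Substitute ${...} variables; an unsupported placeholder raises so typos surface early."""
    values = variables_for(target)
    expanded = _VAR.sub(lambda m: values[m.group(1)], template)
    if "${" in expanded:
        raise ValueError(f"unsupported variable in target name: {template}")
    return expanded

def parse_target_name(name: str) -> dict:
    """Split user@global_WABdomain or user@local_WABdomain@device into its parts."""
    parts = name.split("@")
    if len(parts) not in (2, 3):
        raise ValueError(f"malformed target name: {name}")
    return {"user": parts[0], "domain": parts[1], "device": parts[2] if len(parts) == 3 else None}

def device_matches(template: str, target: ScanTarget) -> bool:
    """True when the record's expanded device part is one of the devices defined in WAB."""
    device = parse_target_name(expand_target_name(template, target))["device"]
    return device in WAB_DEVICES
```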