# Credential Management

Secure credential management is critical for successful infrastructure discovery. NopeSight provides an encrypted credential vault with access control and audit capabilities, so that discovery credentials stay protected while still allowing comprehensive infrastructure scanning.
## Credential Vault Architecture

### Security Model

#### Encryption Standards

```yaml
Encryption at Rest:
  Algorithm: AES-256-GCM
  Key Management:
    - AWS KMS integration
    - Azure Key Vault support
    - HashiCorp Vault compatible
    - Local HSM option
  Key Rotation: Automatic, 90-day default

Encryption in Transit:
  Protocol: TLS 1.3
  Certificate: 4096-bit RSA or P-384 ECDSA
  Perfect Forward Secrecy: Enabled
  Cipher Suites:
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
```
## Credential Types

### Windows Credentials

#### Domain Credentials

```yaml
Type: Active Directory
Fields:
  - Domain: CORP\discovery_user
  - Password: "********"
  - Use Kerberos: true
  - Alternative UPN: discovery@corp.local

Permissions Required:
  - Domain Users membership
  - Read access to AD objects
  - Remote WMI access
  - Performance Monitor Users
  - Event Log Readers

Best Practices:
  - Use a dedicated service account
  - Enable "Password never expires"
  - Regular audit of permissions
  - Monitor account usage
```

#### Local Administrator

```yaml
Type: Local Windows Account
Fields:
  - Username: .\admin_discovery
  - Password: "********"
  - Use NTLM: true

Usage Scenarios:
  - Workgroup computers
  - Non-domain systems
  - Isolated networks
  - DMZ servers
```
### Linux/Unix Credentials

#### SSH Key Authentication

```yaml
Type: SSH Private Key
Fields:
  - Username: discovery
  - Private Key: "-----BEGIN RSA PRIVATE KEY-----"
  - Passphrase: "********"   # optional
  - Key Type: RSA-4096 / ED25519
```

Configuration:

```bash
# Generate discovery key (Ed25519; use "-t rsa -b 4096" where a target cannot accept Ed25519)
ssh-keygen -t ed25519 -f discovery_key -C "nopesight-discovery"

# Deploy to target systems
ssh-copy-id -i discovery_key.pub discovery@target-host

# Configure sudo access: limit the discovery account to the exact commands it needs.
# The drop-in must be written with root privileges (a plain ">>" redirect runs as the
# invoking user and fails), be mode 0440, and be syntax-checked before sudo reads it.
echo "discovery ALL=(ALL) NOPASSWD: /usr/bin/dmidecode, /bin/netstat" | sudo tee /etc/sudoers.d/discovery
sudo chmod 0440 /etc/sudoers.d/discovery
sudo visudo -cf /etc/sudoers.d/discovery
```

#### Password Authentication

```yaml
Type: SSH Password
Fields:
  - Username: discovery
  - Password: "********"
  - Sudo Password: "********"   # if different
  - Enable Sudo: true

Security Note:
  - Less secure than key-based authentication
  - Use only when keys are not possible
  - Implement fail2ban protection
  - Monitor authentication logs
```
### Network Device Credentials

#### SNMPv3 Credentials

```yaml
Type: SNMP v3
Fields:
  - Username: nopesight_ro
  - Authentication:
      Protocol: SHA-256
      Password: "********"
  - Privacy:
      Protocol: AES-256
      Password: "********"
  - Context: ""   # optional

Security Levels:
  - noAuthNoPriv: Not recommended
  - authNoPriv: Authentication only
  - authPriv: Full security (recommended)
```

#### Network Device SSH/Telnet

```yaml
Type: Network CLI
Fields:
  - Protocol: SSH (preferred) / Telnet
  - Username: admin
  - Password: "********"
  - Enable Password: "********"   # Cisco
  - Port: 22 / 23

Supported Vendors:
  - Cisco IOS/NX-OS
  - Juniper Junos
  - Arista EOS
  - HP/Aruba
```

Telnet carries the username, password and enable password in cleartext, so use it only for devices that cannot run SSH and keep those sessions on an isolated management network.
### Cloud Credentials

#### AWS Credentials

```yaml
Type: AWS IAM
Fields:
  - Access Key ID: AKIA...
  - Secret Access Key: "********"
  - Session Token: ""   # for temporary credentials
  - Region: us-east-1
  - Assume Role ARN: ""   # optional
```

Required Permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    }
  ]
}
```

#### Azure Credentials

```yaml
Type: Azure Service Principal
Fields:
  - Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx
  - Client ID: xxxxxxxx-xxxx-xxxx-xxxx
  - Client Secret: "********"
  - Subscription ID: ""   # optional, for specific subscriptions
```

Required Role:

- Reader on subscriptions/resource groups
- Monitoring Reader for metrics
- Log Analytics Reader for logs
## Credential Management Interface

### Web UI Management

Credential Creation Workflow:

1. Navigate to Settings > Credentials
2. Click "Add Credential"
3. Select credential type
4. Fill required fields
5. Set scope and tags
6. Test connectivity
7. Save and encrypt

Features:

- Syntax validation
- Connection testing
- Duplicate detection
- Bulk import/export
- Template library
### API Management

```python
# Create credential via API
import os

import requests

# Read the API token from the environment rather than embedding it in the script
api_token = os.environ["NOPESIGHT_API_TOKEN"]

credential = {
    "name": "Production Linux Servers",
    "type": "ssh_key",
    "description": "SSH key for production Linux discovery",
    "fields": {
        "username": "discovery",
        "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n...",
        "passphrase": "secure_passphrase"
    },
    "scope": {
        "ip_ranges": ["10.1.0.0/16", "10.2.0.0/16"],
        "tags": ["production", "linux"],
        "exclude": ["10.1.1.50", "10.1.1.51"]
    },
    "settings": {
        "timeout": 30,
        "retry_count": 3,
        "rate_limit": 10
    }
}

response = requests.post(
    "https://nopesight.company.com/api/credentials",
    json=credential,  # json= also sets Content-Type: application/json
    headers={"Authorization": f"Bearer {api_token}"},
    timeout=30,
)
response.raise_for_status()  # surface HTTP errors instead of indexing into an error body
credential_id = response.json()["id"]
```
### CLI Management

```bash
# NopeSight CLI credential management

# List credentials
nopesight credential list --type ssh_key

# Create credential
nopesight credential create \
  --name "DMZ Servers" \
  --type ssh_password \
  --username dmz_discovery \
  --scope "192.168.100.0/24"

# Test credential
nopesight credential test <credential_id> --target 192.168.100.10

# Update credential
nopesight credential update <credential_id> \
  --rotate-password \
  --notification-email ops@company.com

# Delete credential
nopesight credential delete <credential_id> --confirm
```
## Credential Scoping

### IP Range Scoping

```yaml
Scope Definition:
  Include:
    - 10.0.0.0/8       # All internal
    - 172.16.0.0/12    # Private ranges
    - 192.168.0.0/16   # Local networks
  Exclude:
    - 10.1.1.0/24      # Management network
    - 172.16.5.0/24    # Secure segment
```

Priority Rules:

1. Most specific match wins
2. Exclude overrides include
3. Tag-based scope addition
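The first two priority rules, worked through as an added example (this is not NopeSight's own resolver): the scope table, the second credential `site_b_linux`, and the tie-breaking rule are assumptions made for the example.

```python
import ipaddress
from typing import Optional

# Constructed scope table (assumption): credential name -> (include CIDRs, exclude CIDRs).
# "internal_default" mirrors the scope definition above; "site_b_linux" is a narrower
# scope that should win inside 10.2.0.0/16 because it is the more specific match.
SCOPES = {
    "internal_default": (
        ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
        ["10.1.1.0/24", "172.16.5.0/24"],
    ),
    "site_b_linux": (["10.2.0.0/16"], []),
}


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def credential_for_ip(target: str, scopes=SCOPES) -> Optional[str]:
    """Return the credential whose scope covers `target`, or None if none does."""
    ip = ipaddress.ip_address(target)
    best_name, best_prefix = None, -1
    for name, (includes, excludes) in scopes.items():
        # Rule 2: an exclude match overrides every include for this credential.
        if any(ip in net for net in _networks(excludes)):
            continue
        for net in _networks(includes):
            # Rule 1: the longest prefix is the most specific match; on a tie the
            # credential listed first is kept (an assumption, the page does not say).
            if ip in net and net.prefixlen > best_prefix:
                best_name, best_prefix = name, net.prefixlen
    return best_name


if __name__ == "__main__":
    for host in ("10.2.3.50", "10.5.0.1", "10.1.1.100", "172.16.5.9", "8.8.8.8"):
        print(host, "->", credential_for_ip(host))
```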
### Tag-Based Scoping

```yaml
Tag Rules:
  Production Windows:
    - os_type: windows
    - environment: production
    - credential: prod_windows_cred
  Development Linux:
    - os_type: linux
    - environment: development
    - credential: dev_linux_cred
  Network Devices:
    - device_type: network
    - vendor: cisco
    - credential: cisco_snmp_cred
```
### Dynamic Scoping

Dynamic credential selection:

```json
{
  "rules": [
    {
      "name": "AWS EC2 Instances",
      "condition": {
        "and": [
          { "field": "platform", "operator": "equals", "value": "aws" },
          { "field": "service", "operator": "equals", "value": "ec2" }
        ]
      },
      "credential": "aws_discovery_role"
    },
    {
      "name": "Domain Controllers",
      "condition": {
        "and": [
          { "field": "os", "operator": "contains", "value": "Windows Server" },
          { "field": "services", "operator": "contains", "value": "Active Directory" }
        ]
      },
      "credential": "domain_admin_readonly"
    }
  ]
}
```
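How a rule set in this format is evaluated against a discovered host, as an added example (not NopeSight's own engine): the `or` grouping, first-match precedence, and the treatment of missing attributes are assumptions; the page only shows `and` with `equals` and `contains`.

```python
from typing import Any, Optional

# Constructed copy of the two rules shown above.
RULES = [
    {"name": "AWS EC2 Instances",
     "condition": {"and": [
         {"field": "platform", "operator": "equals", "value": "aws"},
         {"field": "service", "operator": "equals", "value": "ec2"}]},
     "credential": "aws_discovery_role"},
    {"name": "Domain Controllers",
     "condition": {"and": [
         {"field": "os", "operator": "contains", "value": "Windows Server"},
         {"field": "services", "operator": "contains", "value": "Active Directory"}]},
     "credential": "domain_admin_readonly"},
]


def _matches(cond: dict, host: dict) -> bool:
    """Recursively evaluate one condition node against the host's attributes."""
    if "and" in cond:
        return all(_matches(c, host) for c in cond["and"])
    if "or" in cond:  # "or" grouping is an assumption; the page only shows "and"
        return any(_matches(c, host) for c in cond["or"])
    actual: Any = host.get(cond["field"])
    if actual is None:  # a missing attribute never satisfies a rule
        return False
    op, expected = cond["operator"], cond["value"]
    if op == "equals":
        return actual == expected
    if op == "contains":
        # Works for a string attribute ("Windows Server 2022") and for a list
        # attribute (["Active Directory", "DNS"]).
        return expected in actual
    raise ValueError(f"unsupported operator: {op}")


def credential_for_host(host: dict, rules=RULES) -> Optional[str]:
    """Return the credential of the first matching rule (rule order is precedence)."""
    for rule in rules:
        if _matches(rule["condition"], host):
            return rule["credential"]
    return None
```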
## Security Features

### Access Control

Role-Based Access:

- Credential Administrator:
  - Create/modify/delete all credentials
  - View audit logs
  - Manage access policies
  - Export credentials
- Discovery Operator:
  - Use assigned credentials
  - Test connectivity
  - View credential metadata
  - Request access
- Auditor:
  - View credential usage logs
  - Generate compliance reports
  - Access audit trails
  - No credential access

Approval Workflow:

- Multi-person approval for sensitive credentials
- Time-based access windows
- Automatic revocation
- Emergency access procedures
### Audit Logging

```json
{
  "event": "credential_access",
  "timestamp": "2024-01-15T10:30:45Z",
  "user": "john.doe@company.com",
  "action": "retrieve",
  "credential_id": "cred_123456",
  "credential_name": "Production Database",
  "source_ip": "10.1.1.100",
  "discovery_target": "10.2.3.50",
  "success": true,
  "session_id": "disc_789012"
}
```
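A triage pass over events in this format, as an added example (not part of NopeSight): the sample events, the management network `10.1.1.0/24`, and the threshold of more than 3 distinct credentials per user per hour are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: credentials may only be retrieved from the
# management network, and more than 3 distinct credentials by one user within
# an hour is treated as a sweep worth a look.
MGMT_NET = ipaddress.ip_network("10.1.1.0/24")
MAX_DISTINCT = 3
WINDOW = timedelta(hours=1)

# Constructed sample events in the page's audit format (one JSON object per line).
SAMPLE_EVENTS = """\
{"event":"credential_access","timestamp":"2024-01-15T10:30:45Z","user":"john.doe@company.com","action":"retrieve","credential_id":"cred_123456","credential_name":"Production Database","source_ip":"10.1.1.100","discovery_target":"10.2.3.50","success":true,"session_id":"disc_789012"}
{"event":"credential_access","timestamp":"2024-01-15T10:31:02Z","user":"john.doe@company.com","action":"retrieve","credential_id":"cred_123456","credential_name":"Production Database","source_ip":"203.0.113.7","discovery_target":"10.2.3.51","success":true,"session_id":"disc_789013"}
{"event":"credential_access","timestamp":"2024-01-15T10:32:10Z","user":"svc.discovery@company.com","action":"retrieve","credential_id":"cred_000001","credential_name":"DMZ Servers","source_ip":"10.1.1.20","discovery_target":"192.168.100.10","success":false,"session_id":"disc_789014"}
{"event":"credential_access","timestamp":"2024-01-15T11:00:00Z","user":"eve@company.com","action":"retrieve","credential_id":"cred_000010","credential_name":"Prod Windows","source_ip":"10.1.1.30","discovery_target":"10.2.1.1","success":true,"session_id":"disc_789015"}
{"event":"credential_access","timestamp":"2024-01-15T11:02:00Z","user":"eve@company.com","action":"retrieve","credential_id":"cred_000011","credential_name":"Prod Linux","source_ip":"10.1.1.30","discovery_target":"10.2.1.2","success":true,"session_id":"disc_789016"}
{"event":"credential_access","timestamp":"2024-01-15T11:04:00Z","user":"eve@company.com","action":"retrieve","credential_id":"cred_000012","credential_name":"Cisco SNMP","source_ip":"10.1.1.30","discovery_target":"10.2.1.3","success":true,"session_id":"disc_789017"}
{"event":"credential_access","timestamp":"2024-01-15T11:06:00Z","user":"eve@company.com","action":"retrieve","credential_id":"cred_000013","credential_name":"AWS Discovery","source_ip":"10.1.1.30","discovery_target":"10.2.1.4","success":true,"session_id":"disc_789018"}
"""


def triage(events: str) -> list:
    """Return (finding, user, detail) tuples for the audit lines in `events`."""
    findings = []
    by_user = defaultdict(list)  # user -> [(timestamp, credential_id)]
    for raw in events.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if not ev["success"]:
            findings.append(("failed_retrieve", ev["user"], ev["credential_id"]))
        if ipaddress.ip_address(ev["source_ip"]) not in MGMT_NET:
            findings.append(("off_network_source", ev["user"], ev["source_ip"]))
        by_user[ev["user"]].append((ts, ev["credential_id"]))
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {cred for ts, cred in hits[i:] if ts - start <= WINDOW}
            if len(distinct) > MAX_DISTINCT:
                findings.append(("credential_sweep", user, len(distinct)))
                break  # one finding per user is enough
    return findings
```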
### Credential Rotation

```yaml
Automatic Rotation:
  Enabled Types:
    - Password credentials
    - API keys
    - Cloud access keys
  Rotation Policy:
    Default: 90 days
    High Security: 30 days
    Service Accounts: 180 days
```

Process:

1. Generate new credential
2. Test new credential
3. Update discovery engine
4. Verify functionality
5. Revoke old credential
6. Notify administrators
## Integration

### External Vaults

#### HashiCorp Vault

Integration:

- Real-time credential retrieval
- Dynamic secret generation
- Lease management
- Automatic renewal

Configuration:

```yaml
vault:
  url: https://vault.company.com:8200
  auth_method: approle
  role_id: ${VAULT_ROLE_ID}
  secret_id: ${VAULT_SECRET_ID}
  mount_path: /nopesight
  namespace: admin/discovery
```

#### CyberArk Integration

Features:

- Privileged account checkout
- Automatic check-in
- Session recording
- Dual control

API Configuration:

```yaml
cyberark:
  url: https://cyberark.company.com
  app_id: NopeSight_Discovery
  safe: IT_Discovery_Credentials
  folder: Root
  retrieve_timeout: 30
```

### Password Managers

Supported Integrations:

- 1Password Business
- LastPass Enterprise
- Bitwarden Business
- Keeper Security

Sync Configuration:

```yaml
sync:
  enabled: true
  interval: 3600   # seconds
  direction: one-way   # import only
  conflict_resolution: skip
  categories:
    - Discovery Credentials
    - Service Accounts
```
## Best Practices

1. Credential Hygiene
   - ✅ Use dedicated discovery accounts
   - ✅ Implement least privilege
   - ✅ Regular permission audits
   - ✅ Automatic rotation enabled
2. Security Hardening
   - ✅ Enable MFA for credential access
   - ✅ IP whitelisting for management
   - ✅ Time-based access windows
   - ✅ Break-glass procedures
3. Operational Excellence
   - ✅ Test credentials regularly
   - ✅ Monitor usage patterns
   - ✅ Document all credentials
   - ✅ Maintain access matrix
4. Compliance
   - ✅ Quarterly access reviews
   - ✅ Annual credential audit
   - ✅ Compliance reporting
   - ✅ Evidence collection
## Troubleshooting

### Common Issues

#### Authentication Failures

Symptoms:

- Discovery fails with auth error
- Connection timeout
- Access denied messages

Diagnosis:

1. Test credential manually
2. Check account status
3. Verify permissions
4. Review security logs
5. Check network path

Solutions:

- Reset account password
- Unlock account if locked
- Update expired credentials
- Fix permission issues
- Whitelist discovery source

#### Performance Issues

Symptoms:

- Slow credential retrieval
- Timeout errors
- Queue backlog

Solutions:

- Implement credential caching
- Optimize vault queries
- Increase connection pool
- Regional vault deployment
- Review access patterns
### Credential Testing

```bash
# Test Windows credential
nopesight test credential \
  --type windows \
  --target 10.1.1.50 \
  --credential-id cred_123 \
  --verbose

# Test SSH connectivity (BatchMode fails fast instead of hanging on a prompt)
ssh -i /path/to/key \
  -o ConnectTimeout=10 \
  -o BatchMode=yes \
  -o PasswordAuthentication=no \
  discovery@target-host \
  "echo 'Connection successful'"

# Test SNMP access. "-a SHA-256" matches the SHA-256 auth protocol configured above
# (plain "SHA" selects SHA-1 in net-snmp). Passwords given on the command line are
# visible in the process list; prefer -A/-X values read from a protected snmp.conf.
snmpwalk -v3 -l authPriv \
  -u discovery_user \
  -a SHA-256 -A "auth_password" \
  -x AES -X "priv_password" \
  target-device system
```
## Disaster Recovery

### Backup Procedures

```yaml
Backup Strategy:
  Frequency: Daily
  Retention: 30 days
  Encryption: AES-256
  Included Data:
    - Encrypted credentials
    - Access policies
    - Audit logs
    - Configuration
  Excluded:
    - Temporary tokens
    - Session data
    - Cache entries
```

### Recovery Process

```bash
# Restore from backup
nopesight-admin restore credentials \
  --backup-file credentials-20240115.enc \
  --key-file recovery.key \
  --verify-integrity

# Validate restoration
nopesight-admin validate credentials \
  --test-connectivity \
  --report validation-report.txt

# Re-encrypt with new keys
nopesight-admin reencrypt credentials \
  --old-key old-master.key \
  --new-key new-master.key \
  --algorithm AES-256-GCM
```
## Next Steps

- 📖 Discovery Patterns: custom discovery rules
- 📖 Scheduling: discovery scheduling strategies
- 📖 Troubleshooting: common issues and solutions