Dynamic Password Update Flow for Privilege Escalation Accounts
This process describes how Kron PAM Vault and Tenable Security Center (TSC) maintain synchronization for privilege escalation accounts used during authenticated scans. These accounts are employed by Tenable to elevate privileges (e.g., via su, sudo, or combined su + sudo methods) when performing deeper, system-level security checks.

Password Rotation and Trigger Activation (Kron PAM Vault)

1. Escalation Account Rotation: The Kron PAM Vault periodically rotates the password of the designated escalation user account, ensuring that privileged credentials remain secure and compliant with password rotation policies.

[Figure: Escalation Account Rotation]

2. Escalation Trigger Execution: Once the password rotation is successfully completed, the application trigger configured specifically for this escalation user account is automatically activated. This trigger initiates the synchronization workflow to update all dependent credentials in Tenable Security Center.

[Figure: Escalation Account Trigger]

Tenable Security Center Synchronization

1. Bulk Credential Identification: The escalation trigger retrieves the newly rotated password from the Kron PAM Vault and performs a lookup across all credential records in Tenable Security Center. It identifies every credential that references the affected account by matching the Escalation Username field with the vault account that was rotated.

2. Escalation Password Update: For all matched credential records, the trigger updates the Escalation Password field with the new password retrieved from the vault. This ensures that each credential record used for privilege elevation is aligned with the latest credentials.

3. Uninterrupted Privilege Escalation: After the update, Tenable immediately uses the new password during the privilege escalation phase of all subsequent scans. This bulk synchronization process ensures that all scans continue without interruption, even when using different initial login accounts.
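The bulk identification and update steps above, modelled offline as an added example (this is not Kron PAM or Tenable code): credential records are plain Python objects whose field names mirror the page's labels and are assumed, the sample records are constructed, and a post-sync check reports any record that still carries a stale escalation password.

```python
"""Offline model of the escalation-password sync described in this guide."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ScanCredential:
    """Simplified Tenable Security Center credential record (field names assumed)."""
    id: int
    name: str
    username: str              # initial login account the scanner authenticates with
    privilege_escalation: str  # e.g. "none", "su", "sudo", "su+sudo"
    escalation_username: str   # account the scanner elevates to
    escalation_password: str


def sync_escalation_password(credentials, rotated_account, new_password):
    """Return (updated_records, matched_ids) for one vault rotation.

    Matches every record whose Escalation Username equals the rotated vault
    account and replaces only its Escalation Password; the login username,
    password and records for other accounts are left untouched.
    """
    if not rotated_account:
        # An empty account name would match every record with a blank escalation user.
        raise ValueError("rotated_account must not be empty")
    updated, matched = [], []
    for cred in credentials:
        if cred.escalation_username == rotated_account:
            cred = replace(cred, escalation_password=new_password)
            matched.append(cred.id)
        updated.append(cred)
    return updated, matched


def stale_escalation_records(credentials, rotated_account, current_password):
    """Post-sync check: ids of records for this account still holding an old password."""
    return [c.id for c in credentials
            if c.escalation_username == rotated_account
            and c.escalation_password != current_password]


# Constructed sample records: two scans elevate to "root" via different login
# accounts, one does not escalate at all, one elevates to a different account.
CREDENTIALS = [
    ScanCredential(1, "linux-scan-a", "scanner", "sudo", "root", "old-root-pw"),
    ScanCredential(2, "linux-scan-b", "svc_audit", "su+sudo", "root", "old-root-pw"),
    ScanCredential(3, "db-host", "scanner", "none", "", ""),
    ScanCredential(4, "legacy-appliance", "scanner", "su", "admin", "old-admin-pw"),
]

if __name__ == "__main__":
    updated, matched = sync_escalation_password(CREDENTIALS, "root", "n3w-root-pw")
    print("updated credential ids:", matched)  # [1, 2]
    print("stale after sync:", stale_escalation_records(updated, "root", "n3w-root-pw"))
```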