How to catch rogue SSH keys ....
Over the years, a lot of organizations I have spoken to are looking for ways to monitor the creation of rogue SSH Keys. Centrify Server Suite Enterprise Edition’ DirectAudit, https://www.centrify.com/products/server-suite/auditing-compliance/, allows for Privileged Session Management or recording of user sessions, AND now with release 2017, it also enables Advance Monitoring.
With Advanced Monitoring, we can watch for the creation of rogue SSH Keys and send an event to a SIEM tool where alerts can be issued per this recorded demo session https://www.youtube.com/watch?v=OBA7aqKQqyA&feature=youtu.be
- Centrify Server Suite Enterprise Edition Infrastructure configured and deployed, as well as the CSS Agent deployed to a Linux instance. The Linux instance should be joined to AD leveraging Centrify Server Suite Standard Edition.
- Audit and audit-libs version 2.4.5 installed on the Linux instance
- A SIEM tool configured to consume syslog from the Linux instance.
Here are the steps:
- Configuring centralized directory for the location of Authorized SSH Keys
- Configuring Centrify Server Suite Enterprise Edition (DirectAudit) for Advanced File Monitoring
- Verify in your SIEM tool and in DirectAudit the addition of new SSH Keys to the Authorized Keys location.
Step 1 – Configure /etc/sshd_config file so that SSH authorized keys are to be placed in a specific centralized directory as such:
This configuration requires that all Authorized SSH Keys be placed in /etc/ssh/%u/authorized_keys and thus enables you to monitor a centralized directory. Note that if you were to turn on file monitoring for all users homes directories or all directories on the OS, you may negatively impact performance, so better to monitor a few key directories, such as /etc/. By default, only the directory trees /etc, /var/centrifyda, /var/centrifydc are monitored.
Step 2 – Configure advanced monitoring in /etc/centrifyda/centrifyda.conf. Change the following parameters in the centrifyda.conf file:
- event.execution.monitor: true
- event.monitor.commands: here you may specify commands you want to monitor for, some examples: /usr/sbin/vim or /bin/vi or /usr/sbin/useradd, while not necessarily needed for catching the new SSH keys, it is useful for monitoring of other activities such as editing the sshd_config file.
- event.file.monitor: true
- cmd.audit.show.actual.user: true
Then you will want to enable advanced monitoring by executing "dacontrol –m", if you have already enabled advanced monitoring then you can just reload the DirectAudit configuration with the command "dareload –m".
Step 3 - Now to verify that it will catch the user who goes rogue:
A user checks out the root password for example. Then they ssh to a box and switch user to and create SSH keys utilizing ssh-keygen command.
“ssh-keygen” and then skip entering a passphrase and enter the file name “TestConfig”
After that, the user has to append the public key to that centralized authorized keys file. So based on my configuration
“cat TestConfig.pub >> /etc/ssh/root/authorized_keys”
The Centrify DirectAudit Advance File Monitoring will pick up this activity. There are three ways to see this activity:
- If you have a SIEM tool for consuming and analyzing syslog, you may search for Centrify Event ID “57300” indicating SSH key activity. Notes: Also in the Audittrail event in syslog. The Information will be shown as ‘file monitor report’. This is shown in the screen shot
- Also you may look at the DirectAudit console, and watch a replay of the session that led to the alert and/or also run the privileged Activity report, run a query for “ssh-keygen” command or a query on the centralized directory for authorized keys.
Again, you can watch the approximately 5 minute video demo https://www.youtube.com/watch?v=OBA7aqKQqyA&feature=youtu.be of this compelling use case for leveraging Centrify Technology to catch a user and rogue SSH Keys.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.