Assigning work for agentless discovery and remediation

To set up agentless SSH discovery work, you configure SSH discovery work in SSH Protect and assign it to the client group through the Client Group Settings.

Setting up work for agentless discovery is similar to setting up SSH discovery work for agents. (For reference, see Setting up SSH discovery work for Server Agents.)

However, some of the options in that procedure do not apply to agentless discovery work, so use the steps below to configure agentless discovery.

To set up SSH discovery work (Agentless setup)

  1. From the SSH Protect menu, click Clients > Work Settings.
  2. If you are adding new SSH discovery work, click Add Work. Give the new work a Name, select SSH Discovery from the Type drop-down list, and then click Create.

    If you are modifying existing work, click the work name.

  3. In the SSH Discovery Enabled section, click Yes to enable SSH discovery work.

    NOTE  If you want to configure the work but not enable it yet, leave No selected.

  4. In the Schedule section, do the following:

    1. In the Scan Interval list, select the frequency with which the discovery work should be performed. If you select Days of Week or Days of Month, a field appears that allows you to specify the days.

      The On Receipt option allows you to execute the discovery when the Venafi service is started. When this option is selected, the Scan Time and the Randomize Scan Time By options are no longer available.

      NOTE  The default setting is once daily at 2 a.m. For agent work that time is based on the local time where the agent is installed, but the SSH module uses the Trust Protection Platform server's time zone. Keep in mind that this can delay a scan by up to a day: if you choose a Scan Time with a device's time zone in mind, and that local time has already passed in the Venafi server's time zone, the scan does not run until the next scheduled occurrence.

    2. From the Scan Time list, select the hour of the day when you want the scan to run.

      NOTE  When you select Hourly as the Scan Interval, the Scan Time field is hidden.

    3. In the Randomize Scan Time By field, specify (in minutes) the window of time over which agents check in with Trust Protection Platform.

      Without this option, all agents would likely check in at the same time, beginning at the hour you selected from the Scan Time list. Spreading check-ins across the window reduces the load on both your network and the Trust Protection Platform server.

  5. In the One Time Full Scan section, click Schedule Full Scan if you want to re-run a complete scan. (After the full scan is complete, subsequent scans will only send changed data.)

    DID YOU KNOW?  After an initial scan, subsequent scans only send changes to the Trust Protection Platform server. This reduces the load on the Trust Protection Platform server. Using the One Time Full Scan option allows you to re-run a complete scan. This setting, for example, might be used to relay authorized_key comment data to SSH Protect for keys that were discovered before the comments feature had been added to SSH Protect.

  6. Under Scan Paths, specify where SSH Protect can find SSH keys on the client computer by doing one or more of the following:

    • If you do not want SSH Protect to scan the default paths for keys, uncheck Scan Default Paths.

      To see a list of default paths, move your cursor over the icon.

      NOTE  Any key paths specified in the device's sshd_config file (for example, through AuthorizedKeysFile) are always scanned, in addition to whatever paths you specify for this work. For more information on the sshd_config file, see Discovering authorized SSH keys using sshd_config. If you do not want those paths scanned, you need to add /etc/ssh/sshd_config to the Exclude these paths list.

    • (Optional) Use the In the files and directories box to specify particular directories and file names to scan. Enter a file or directory path, and then click the Add icon.

      NOTE  The /dev and /proc directories on Unix and Linux platforms cannot be scanned. They are intentionally excluded because they are not common (nor recommended) locations for storing keys and certificates, and because they are kernel-backed virtual filesystems: reading some of their entries (for example /dev/zero) never terminates, so a scanner that entered them could be stalled indefinitely.

      TIP  Precise paths mean quicker scans and less demand on the server's system resources.

    • (Optional) To further narrow the scan, list the files, directories and sub-directories that the scan should ignore in the Exclude these paths list.

    • (Optional) If you have NFS mount points and you want to scan the remote mount points, select the Scan Remote Mount Points checkbox.

    NOTE  Be aware that symbolic links (soft links) to files and folders are followed and scanned, up to a depth of ten link hops; hard-linked files are ordinary directory entries and are scanned like any other file. However, file operations (provisioning, deletion, and so on) on symbolically linked files or folders are prohibited, because a link can be redirected to a file the operation was never meant to touch. If you attempt to perform a file action on a symbolic link, you will see the error: "Symbolic link operation blocked."

  7. (Optional) If you want to minimize the impact on the Trust Protection Platform server during SSH discovery, then under Resource Use, configure one or more of the following settings:

    • If you want to use fewer resources during SSH discovery, then set Minimize resource use? to Yes.

      When enabled, Agentless Discovery lets other processes run more often. Agentless Discovery continues to run; however, this slight adjustment lets other processes receive higher priority than Agentless Discovery.

    • If you want to improve the speed of your scans, then in the Ignore Files Larger Than list, select the file size above which files are skipped.

      EXAMPLE  Suppose a scanned path contains a keystore database file larger than 1 GB that you want to ignore. By setting this limit to 100K, every file larger than 100 KB is skipped. SSH public keys, private keys and authorized_keys files are at most a few kilobytes, so a threshold of 100K does not cause keys to be missed. The purpose of this setting is not to ignore keys but to protect Trust Protection Platform from resource exhaustion, including a deliberately planted oversized file in a scanned path, and from denial-of-service attacks.

    • If you want to keep your log file smaller and minimize impact on disk writing, then from the Logging Threshold list, select the level of detail you want to appear.

      By default, the threshold is Info, the most verbose setting. Each successively higher level includes more detail, with Info including the most. Agentless Discovery events are written to syslog or the Windows event log. Selecting a lower level reduces the amount of detail that is logged. For more information about logging thresholds, see Logging thresholds for Agent-related log items.

  8. When you are finished, click Save.
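Before enabling the work, it helps to preview exactly which files the scope you configured in steps 6 and 7 will read on a host. The following script is an added example and is not SSH Protect's own code; it applies the same rules the steps above describe: scan roots made up of chosen paths plus whatever AuthorizedKeysFile locations the host's sshd_config names (expanding the %h, %u and %% tokens as sshd does, with the OpenSSH default of .ssh/authorized_keys and .ssh/authorized_keys2 when no directive is present), an exclude list, an "ignore files larger than" ceiling, a symbolic-link depth limit of ten, a refusal to enter /dev or /proc, and a refusal to perform file operations on a symlink. The default path list, the sample host tree built in a temporary directory, the user names and the key contents are all constructed for the example; Match blocks in sshd_config are not evaluated, which is a simplification.

```python
"""Preview of an agentless SSH key scan's scope (added example, not Venafi code)."""
import errno
import os
import re
import tempfile
from functools import lru_cache

VIRTUAL_FS = ("/dev", "/proc")        # never entered, as the Scan Paths note states
MAX_SYMLINK_DEPTH = 10                # link hops followed before giving up
SIZE_LIMIT = 100 * 1024               # "Ignore Files Larger Than" set to 100K
KEY_MARKERS = ("-----BEGIN", "ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-", "ssh-dss ")
OPENSSH_DEFAULT_AKF = ".ssh/authorized_keys .ssh/authorized_keys2"  # sshd's default


def _expand(pattern, home, user):
    """sshd token expansion: %h = home directory, %u = user name, %% = literal %."""
    return re.sub(r"%(.)", lambda m: {"h": home, "u": user, "%": "%"}.get(m.group(1), m.group(0)), pattern)


def authorized_keys_paths(sshd_config_text, users):
    """Absolute authorized_keys paths sshd would consult for (name, home) pairs.
    The first global AuthorizedKeysFile wins; relative paths are relative to the
    home directory; 'none' disables the file. Match blocks are skipped (simplified)."""
    files = OPENSSH_DEFAULT_AKF.split()
    for line in sshd_config_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0].lower() == "match":
            break
        if tokens and tokens[0].lower() == "authorizedkeysfile":
            files = [] if [t.lower() for t in tokens[1:]] == ["none"] else tokens[1:]
            break
    return [os.path.normpath(os.path.join(home, _expand(f, home, user)))
            for user, home in users for f in files]


def _under(path, prefix):
    prefix = prefix.rstrip("/") or "/"
    return path == prefix or path.startswith(prefix + "/")


def scan(roots, excludes=(), size_limit=SIZE_LIMIT):
    """Walk the roots; return (files_read, skipped) where skipped maps path -> reason.
    Symlinks are resolved one hop at a time, so a loop is cut off at MAX_SYMLINK_DEPTH."""
    files_read, skipped, seen = [], {}, set()

    def visit(path, hops):
        if any(_under(path, v) for v in VIRTUAL_FS):
            skipped[path] = "virtual filesystem"
        elif any(_under(path, e) for e in excludes):
            skipped[path] = "excluded"
        elif os.path.islink(path):
            if hops >= MAX_SYMLINK_DEPTH:
                skipped[path] = "symlink depth"
            else:
                target = os.path.join(os.path.dirname(path), os.readlink(path))
                visit(os.path.normpath(target), hops + 1)
        elif os.path.realpath(path) in seen:
            pass                                   # reached again via a link or overlapping root
        elif os.path.isdir(path):
            seen.add(os.path.realpath(path))
            for name in sorted(os.listdir(path)):
                visit(os.path.join(path, name), hops)
        elif os.path.isfile(path):
            seen.add(os.path.realpath(path))
            size = os.path.getsize(path)
            if size > size_limit:
                skipped[path] = "%d bytes over the %d limit" % (size, size_limit)
            else:
                files_read.append(path)
        else:
            skipped[path] = "not found"

    for root in roots:
        visit(root, 0)
    return files_read, skipped


def looks_like_key(path):
    """Cheap content check: OpenSSH and PEM key material starts with a known marker."""
    with open(path, "rb") as fh:
        return fh.read(64).decode("latin-1").startswith(KEY_MARKERS)


def open_nofollow(path):
    """Open for a file operation but refuse symlinks atomically (O_NOFOLLOW), so a link
    swapped in between a check and the operation cannot redirect it elsewhere."""
    try:
        return os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):   # Linux/macOS vs. FreeBSD
            raise PermissionError("Symbolic link operation blocked: " + path) from None
        raise


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


@lru_cache(maxsize=None)
def demo():
    """Build a constructed sample host in a temp dir, scan it, return base-relative results."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home", "alice")
        cfg = "# constructed sshd_config\nAuthorizedKeysFile %%h/.ssh/authorized_keys %s/etc/ssh/keys/%%u\n" % base
        _write(os.path.join(base, "etc/ssh/sshd_config"), cfg)
        _write(os.path.join(base, "etc/ssh/keys/alice"), "ssh-rsa AAAAB3NzaC1yc2E central@example\n")
        _write(os.path.join(home, ".ssh/authorized_keys"), "ssh-ed25519 AAAAC3NzaC1lZDI1 alice@laptop\n")
        _write(os.path.join(home, ".ssh/id_ed25519"), "-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl\n-----END OPENSSH PRIVATE KEY-----\n")
        _write(os.path.join(home, ".ssh/known_hosts"), "bastion ssh-ed25519 AAAAC3\n")
        _write(os.path.join(home, ".cache/stale_key"), "ssh-rsa AAAAB3 old\n")
        _write(os.path.join(home, "big.db"), "x" * (2 * SIZE_LIMIT))
        os.symlink("id_ed25519", os.path.join(home, ".ssh/link"))   # duplicate via a link
        os.symlink("loop", os.path.join(home, "loop"))               # self-referential loop
        roots = [os.path.join(base, "etc/ssh"), home, "/proc"]       # chosen scan paths
        roots += authorized_keys_paths(cfg, [("alice", home)])       # plus sshd_config paths
        files_read, skipped = scan(roots, excludes=[os.path.join(home, ".cache")])
        try:
            os.close(open_nofollow(os.path.join(home, ".ssh/link")))
            blocked = False
        except PermissionError:
            blocked = True
        rel = lambda p: os.path.relpath(p, base) if _under(p, base) else p
        return {"roots": [rel(r) for r in roots],
                "files_read": [rel(p) for p in files_read],
                "keys": [rel(p) for p in files_read if looks_like_key(p)],
                "skipped": {rel(p): why for p, why in skipped.items()},
                "symlink_op_blocked": blocked}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the two effects most often misjudged when sizing this work: the authorized_keys file under /etc/ssh/keys is picked up only because sshd_config names it, and the 200 KB database file, the excluded .cache directory and the self-referential link are all reported as skipped rather than silently dropped. To preview a real host, replace the constructed tree with that host's sshd_config text, its users' home directories and your actual path list; the open_nofollow call is the pattern to keep for any remediation step that writes to or deletes a discovered file.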