Setting up SSH discovery work for Server Agents

To set up SSH discovery work, you need to configure SSH work for the groups that contain the systems on which you want to perform discovery work.

When completed, the discovered data is returned to SSH Protect through the SSH Discovery Plug-in. The plug-in then creates a device object and its keys within the Trust Protection Platform policy that you have specified.

Be aware that files and folders with symbolic links (hard and soft symlinks) are also scanned up to a depth of ten levels. By default, file operations (e.g. provisioning, deletion, etc.) to symbolically linked files or folders is prohibited. If you attempt to perform a file action on a symbolic link, you will see the error: "Symbolic link operation blocked."

Although not recommended due to security risks, you can enable file operations on symbolic links. SeeSSH policy settings details.

IMPORTANT  If you are using Server Agents, you must configure device placement work, too. If you don't, then the agents cannot receive SSH, certificate discovery, or certificate installation work. This is because a device must be created in the designated folder before Trust Protection Platform can send work to Server Agents.

Also, even if you've already configured device placement work, it could take up to two check-ins with Trust Protection Platform before discovery work is received. This is because work that is sent to the agent occurs in random order.

For more information, see Configuring SSH and Certificate device placement work.

To set up SSH discovery work (Agent-based setup)

  1. From the SSH Protect menu, click ClientsWork Settings
  2. If you are adding new SSH discovery work, click Add Work. Give the new work a Name, select SSH Discovery from the Type drop-down list, and then click Create.

    If you are modifying existing work, click the work name.

  3. In the SSH Discovery Enabled section, click Yes to enable SSH discovery work.

    NOTE  If you want to configure the work but not enable it, leave the No checkbox checked.

  4. In the Schedule section, do the following:

    1. In the Scan Interval list, select the frequency with which the discovery work should be performed. If you select Days of Week or Days of Month, a field appears that allows you to specify the days.

      The On Receipt option allows you to execute the discovery when the Venafi service is started. When this option is selected, the Scan Time and the Randomize Scan Time By options are no longer available.

      NOTE  The default setting is once daily at 2 a.m., based on the local time where the agent is installed. However, the SSH module is set to use the Trust Protection Platform server's time-zone. Keep in mind that this could cause a delay (of up to a day) if you set a start time for an agent's time zone that is already later than the Venafi server's time zone.

    2. From the Scan Time list, select the hour of the day when you want the scan to run.

      NOTE  When you select Hourly as the Scan Interval, the Scan Time field is hidden.

    3. In the Randomize Scan Time By field, specify (in minutes) the window of time to be used by all agents for checking in with Trust Protection Platform.

      Without this option, all agents would likely check in at the same time, beginning at the hour you selected from the Scan Time list. Randomizing check-ins reduces the load on both your network and the Trust Protection Platform server.

  5. In the One Time Full Scan section, click Schedule Full Scan if you want to re-run a complete scan. (After the full scan is complete, subsequent scans will only send changed data.)

    DID YOU KNOW?  After an initial scan, subsequent scans only send changes to the Trust Protection Platform server. This reduces the load on the Trust Protection Platform server. Using the One Time Full Scan option allows you to re-run a complete scan. This setting, for example, might be used to relay authorized_key comment data to SSH Protect for keys that were discovered before the comments feature had been added to SSH Protect.

  6. Under Scan Paths, specify where SSH Protect can find SSH keys on the client computer by doing one or more of the following:

    • If you want SSH Protectnot to scan default paths for discovering keys, uncheck Scan Default Paths.

      To see a list of default paths, move your cursor over the icon.

      NOTE  If there are paths specified in the device's sshd_config file, these directories will always be scanned, in addition to whatever settings you specify for this work. For more information on the sshd_config file, see Discovering authorized SSH keys using sshd_config. If you don't want to scan those paths, you need add /etc/ssh/sshd_config to the Exclude these paths list.

    • (Optional) The In the files and directories box allows you to specify specific directories and file names to scan. Add a file or directory, and then click the Add icon.

      NOTE  The /dev and /proc directories on Unix and Linux platforms cannot be scanned. They are intentionally excluded because they are not common (nor recommended) locations for storing keys and certificates.

      TIP  Accurate information equates to quicker search results and fewer constraints on the server's system resources.

    • (Optional) To further refine search results, specify files, directories and sub-directories that the agent should ignore using the Exclude these paths list.

    • (Optional) If you have NFS mount points and you want to scan the remote mount points, select the Scan Remote Mount Points checkbox.

    NOTE  Be aware that files and folders with symbolic links (hard and soft symlinks) are also scanned up to a depth of ten levels. By default, file operations (e.g. provisioning, deletion, etc.) to symbolically linked files or folders is prohibited. If you attempt to perform a file action on a symbolic link, you will see the error: "Symbolic link operation blocked."

    Although not recommended due to security risks, you can enable file operations on symbolic links. SeeSSH policy settings details.

  7. (Optional) If you want to minimize the impact on the Trust Protection Platform server during SSH discovery, then under Resource Use, configure one or more of the following settings:

    • If you want to use fewer resources during SSH discovery, then set Minimize resource use? to Yes.

      When enabled, the Server Agent lets other processes run more often. The Server Agent continues to run; however, this slight adjustment lets other processes receive higher priority than the Server Agent.

    • If you want to improve the speed of your scans, then in the Ignore Files Larger Than list, select a file size threshold after which the agent should ignore files.

      EXAMPLE  Suppose you have a keystore database file larger than 1GB that you want to ignore. By setting this limit to 100K, all keystore files larger than 100k are ignored—the purpose of this setting is not to ignore keys, but to protect against DoS attacks on Trust Protection Platform.

    • If you want to keep your log file smaller and minimize impact on disk writing, then from the Logging Threshold list, select the level of detail you want to appear.

      By default, logging is set to Info (the most verbose setting). Each information level includes greater and greater detail. Server Agent events are written to syslog or the Windows event log. By selecting a lower level, you can reduce the amount of detail that is logged. For more information about logging thresholds, see Logging thresholds for Agent-related log items.

  8. When you are finished, click Save.

Related Topics Link IconRelated Topics