Follow

Restricting Account to Use with Agentless SSH

Applies to: 

Venafi Trust Protection Platform 16.3 and later. For earlier versions, check this article

Summary: 

Venafi Trust Protection Platform can discover and remediate SSH keys using agentless method. In that case, no Venafi software will be installed on SSH devices to scan. Instead, TPP will log in to the device using SSH and perform shell commands to find and manage keys. Account is required to be sudo-enabled or root. In case of former, it is advised to restrict account to only run certain commands to conform to security best practices and least privilege principle.

Details:

This article lists commands that standard agentless SSH drivers use with elevated privileges and samples on how to restrict them using standard UNIX sudo mechanism. 

The following commands will be invoked during discovery and remediation with elevated (sudo) privileges:

  • chmod
  • chown
  • cp
  • echo
  • grep
  • ls
  • mkdir
  • rm
  • sha256sum (Linux only)
  • stat (Linux only)
  • istat (AIX only)

To use resticted account for agentless, set up this account in corresponding UNIX system and add it to /etc/sudoers file with appropriate list of commands. The list of commands may vary on different operating systems (see above) and its configurations (such as paths to system binaries), the following is sample for Linux account called venafi_account:

venafi_account ALL=PASSWD: /bin/chmod,/bin/chown,/bin/cp,/bin/echo,/bin/grep,/bin/ls,/bin/mkdir,/bin/rm,/usr/bin/sha256sum,/usr/bin/stat

Note: actual paths to binaries may vary on different Linux/UNIX distributions.

Sample for AIX:

venafi_account ALL=PASSWD: /bin/chmod,/bin/chown,/bin/cp,/bin/echo,/bin/grep,/bin/ls,/bin/mkdir,/bin/rm,/usr/bin/istat

 Sample for Solaris, HP-UX and IBM z/OS:

venafi_account ALL=PASSWD: /bin/chmod,/bin/chown,/bin/cp,/bin/echo,/bin/grep,/bin/ls,/bin/mkdir,/bin/rm
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk