SSH authorized keys modified
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect modifications to authorized SSH keys.
Strategy
SSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker’s may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.
Triage and response
- Check what changes were made to authorized_keys, and under which user.
- Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.
- If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.
Requires Agent version 7.27 or greater