Creating groups and work for Adaptable SSH Key Discovery

To set up Adaptable SSH Key Discovery you need to do both of the following steps, in any order:

Set up a folder/policy and create a device in the folder. (See Configuring policies and devices for use in Adaptable SSH Key Discovery for the steps.)
Set up discovery work and create a group for the work.

This topic covers second of these steps.

To set up SSH discovery work (Adaptable setup)

NOTE For agentless setup see Assigning work for agentless discovery and remediation. For agent setup see Setting up SSH discovery work for Server Agents.

From the SSH Protect menu, click Clients > Work Settings
If you are adding new SSH discovery work, click Add Work. Give the new work a Name, select SSH Discovery from the Type drop-down list, and then click Create.

If you are modifying existing work, click the work name.
In the SSH Discovery Enabled section, click Yes to enable SSH discovery work.

NOTE If you want to configure the work but not enable it, leave the No checkbox checked.
In the Schedule section, do the following:
1. In the Scan Interval list, select the frequency with which the discovery work should be performed. If you select Days of Week or Days of Month, a field appears that allows you to specify the days.
  
  The On Receipt option allows you to execute the discovery when the Venafi service is started. When this option is selected, the Scan Time and the Randomize Scan Time By options are no longer available.
  
  NOTE The default setting is once daily at 2 a.m., based on the local time where the agent is installed. However, the SSH module is set to use the Trust Protection Platform server's time-zone. Keep in mind that this could cause a delay (of up to a day) if you set a start time for a device's time zone that is already later than the Venafi server's time zone.
2. From the Scan Time list, select the hour of the day when you want the scan to run.
  
  NOTE When you select Hourly as the Scan Interval, the Scan Time field is hidden.
3. In the Randomize Scan Time By field, specify (in minutes) the window of time to be used by all agents for checking in with Trust Protection Platform.
  
  Without this option, all agents would likely check in at the same time, beginning at the hour you selected from the Scan Time list. Randomizing check-ins reduces the load on both your network and the Trust Protection Platform server.
In the One Time Full Scan section, click Schedule Full Scan if you want to re-run a complete scan. (After the full scan is complete, subsequent scans will only send changed data.)

DID YOU KNOW? After an initial scan, subsequent scans only send changes to the Trust Protection Platform server. This reduces the load on the Trust Protection Platform server. Using the One Time Full Scan option allows you to re-run a complete scan. This setting, for example, might be used to relay authorized_key comment data to SSH Protect for keys that were discovered before the comments feature had been added to SSH Protect.
Under Scan Paths, specify where SSH Protect can find SSH keys on the client computer by doing one or more of the following:
- If you want SSH Protectnot to scan default paths for discovering keys, uncheck Scan Default Paths.
  
  To see a list of default paths, move your cursor over the icon.
  
  NOTE If there are paths specified in the device's sshd_config file, these directories will always be scanned, in addition to whatever settings you specify for this work. For more information on the sshd_config file, see Discovering authorized SSH keys using sshd_config. If you don't want to scan those paths, you need add /etc/ssh/sshd_config to the Exclude these paths list.
- (Optional) The In the files and directories box allows you to specify specific directories and file names to scan. Add a file or directory, and then click the Add icon.
  
  NOTE The /dev and /proc directories on Unix and Linux platforms cannot be scanned. They are intentionally excluded because they are not common (nor recommended) locations for storing keys and certificates.
  
  TIP Accurate information equates to quicker search results and fewer constraints on the server's system resources.
- (Optional) To further refine search results, specify files, directories and sub-directories that the agent should ignore using the Exclude these paths list.
- (Optional) If you have NFS mount points and you want to scan the remote mount points, select the Scan Remote Mount Points checkbox.
NOTE Be aware that files and folders with symbolic links (hard and soft symlinks) are also scanned up to a depth of ten levels. However, file operations (e.g. provisioning, deletion, etc.) to symbolically linked files or folders is prohibited. If you attempt to perform a file action on a symbolic link, you will see the error: "Symbolic link operation blocked."
(Optional) If you want to minimize the impact on the Trust Protection Platform server during SSH discovery, then under Resource Use, configure one or more of the following settings:
- If you want to use fewer resources during SSH discovery, then set Minimize resource use? to Yes.
  
  When enabled, Adaptable Discovery lets other processes run more often. Adaptable Discovery continues to run; however, this slight adjustment lets other processes receive higher priority than Adaptable Discovery.
- If you want to improve the speed of your scans, then in the Ignore Files Larger Than list, select a file size threshold after which the agent should ignore files.
  
  EXAMPLE Suppose you have a keystore database file larger than 1GB that you want to ignore. By setting this limit to 100K, all keystore files larger than 100k are ignored—the purpose of this setting is not to ignore keys, but to protect against DoS attacks on Trust Protection Platform.
- If you want to keep your log file smaller and minimize impact on disk writing, then from the Logging Threshold list, select the level of detail you want to appear.
  
  By default, logging is set to Info (the most verbose setting). Each information level includes greater and greater detail. Adaptable Discovery events are written to syslog or the Windows event log. By selecting a lower level, you can reduce the amount of detail that is logged. For more information about logging thresholds, see Logging thresholds.
When you are finished, click Save.

Now that work is configured, you need to be assure to assign that work to a group. For Adaptable SSH Key Discovery, you need to use a special group type just for Adaptable SSH Key Discovery.

Configure Adaptable SSH Key Discovery groups

From the SSH Protect menu, click Clients > Client Group Settings.
Click Add a Group.
Give the group a name, then click Agentless SSH Key Discovery using Venafi Adaptable Framework, then click Add a Group.
Click Membership Criteria.
- If you want to include all Adaptable SSH Key Discovery work in this group, skip to the next step.
  
  This group type can only include Adaptable SSH Key Discovery devices.
- If you want to further refine the membership criteria for this group use click Add and configure your filter criteria.
Click Assigned Work, then click the Assign Work button.
In the Work drop down, browse to the work you created above.

What's Next?

Have you already created a policy and an Adaptable SSH Key Discovery device? If not, do that now. See Configuring policies and devices for use in Adaptable SSH Key Discovery for the steps.

If you have already created a policy and a device, then you're ready to Run and monitor SSH discovery progress.

If you want to learn more about the PowerShell script that powers Adaptable SSH Key Discovery, see PowerShell script reference for Adaptable SSH Key Discovery.