Remote changes to SSH keys

Ideally, every change to an SSH key is made directly in Trust Protection Platform and then pushed out to the devices where the key is stored. In practice, keys are sometimes changed on the device itself. When Trust Protection Platform detects a change to a key it is tracking, how it responds depends on the security level set for the device.

IMPORTANT  The security level has a direct impact on licensing for Trust Protection Platform. License counts for SSH are determined by the security level set for monitored devices.

Trust Protection Platform offers two security levels for SSH keys:

  • Detect. Trust Protection Platform scans the devices and keeps track of the SSH keys it finds on them. At this level the device is the authoritative source, so changes must be made on the device.
  • Remediate. Trust Protection Platform not only scans the devices for keys but also manages them, so you can edit, rotate, and replace keys directly in Trust Protection Platform. At this level Trust Protection Platform is the authoritative source, so changes must be made in Trust Protection Platform.

Knowing the authoritative source is important because it affects what happens when a remote change is detected. A remote change is a change in a key that was not initiated through Trust Protection Platform.

For devices at the Detect level, a detected remote change is written into the Trust Protection Platform database, because the device is the authoritative source.

For devices at the Remediate level, Trust Protection Platform restores the device from its own database: an edited key is overwritten with the stored version and a removed key is copied back. The one exception is a key that was added on the device, which is recorded in the database rather than removed (see the table below).

The following table shows how each remote change type is processed at each security level.

Security Level   Remote Change Type   Result
Detect           Add                  The new key is added to the Trust Protection Platform database.
Detect           Remove               The missing key is removed from the Trust Protection Platform database.
Detect           Edit                 The updated key information replaces the information in the Trust Protection Platform database.
Remediate        Add                  The new key is added to the Trust Protection Platform database.
Remediate        Remove               The missing key is copied back to the device from the Trust Protection Platform database.
Remediate        Edit                 The remote change on the device is overwritten by the data stored in the Trust Protection Platform database.
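The policy above, the three remote change types and the two security levels, is easiest to see as a reconciliation between an inventory (what the database holds) and a device scan (what is actually in authorized_keys). The following Python is an added illustration written for this page; it is not Trust Protection Platform code and makes its own assumptions: a key is identified by its type plus its base64 key material, a changed option or comment on a known key counts as an Edit, the key-type list and the SHA256 fingerprint format follow OpenSSH conventions, and the sample key material (base64 of "KeyA", "KeyB", "KeyC") is constructed, not real.

```python
"""Reconcile a device's authorized_keys with an inventory under the Detect or
Remediate security level. Added illustration, not Trust Protection Platform
code. Assumptions: a key is identified by its type and base64 key material;
a changed option or comment on a known key is an "edit"; sample keys are
constructed (base64 of "KeyA"/"KeyB"/"KeyC"), not real."""
import base64
import hashlib
from dataclasses import dataclass

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


@dataclass(frozen=True)
class KeyEntry:
    options: str   # authorized_keys options, e.g. 'restrict,from="10.0.0.5"'
    keytype: str
    blob: str      # base64 key material
    comment: str

    @property
    def identity(self):
        # Same type and key material means "same key", whatever the options/comment.
        return (self.keytype, self.blob)

    @property
    def fingerprint(self):
        # OpenSSH-style SHA256 fingerprint over the decoded key material.
        raw = base64.b64decode(self.blob + "=" * (-len(self.blob) % 4))
        return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

    def render(self):
        return " ".join(p for p in (self.options, self.keytype, self.blob, self.comment) if p)


def parse_authorized_keys(text):
    """Map key identity -> KeyEntry. Options are every token before the key type;
    runs of whitespace inside the options field are normalised to one space."""
    entries = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line; a real scanner would flag it
        entry = KeyEntry(" ".join(tokens[:idx]), tokens[idx], tokens[idx + 1],
                         " ".join(tokens[idx + 2:]))
        entries[entry.identity] = entry
    return entries


def classify_remote_changes(inventory, device):
    """Label each difference between scan and inventory as add / edit / remove."""
    changes = []
    for ident, entry in device.items():
        if ident not in inventory:
            changes.append(("add", entry))
        elif inventory[ident] != entry:
            changes.append(("edit", entry))
    for ident, entry in inventory.items():
        if ident not in device:
            changes.append(("remove", entry))
    return changes


def reconcile(level, inventory_text, device_text):
    """Apply the security-level policy; returns (new inventory, new device, log).
    Detect: the inventory follows the device. Remediate: the device is restored
    from the inventory, except that a newly added key is recorded, not removed."""
    inventory = parse_authorized_keys(inventory_text)
    device = parse_authorized_keys(device_text)
    new_inventory, new_device, log = dict(inventory), dict(device), []
    for kind, entry in classify_remote_changes(inventory, device):
        fp = entry.fingerprint
        if level == "detect":
            if kind == "remove":
                del new_inventory[entry.identity]
            else:
                new_inventory[entry.identity] = entry
            log.append(f"detect/{kind}: inventory updated for {fp}")
        elif level == "remediate":
            if kind == "add":
                new_inventory[entry.identity] = entry
                log.append(f"remediate/add: new key {fp} recorded in inventory")
            else:
                # remove: copy the key back; edit: restore the stored version
                new_device[entry.identity] = inventory[entry.identity]
                log.append(f"remediate/{kind}: device restored from inventory for {fp}")
        else:
            raise ValueError(f"unknown security level: {level}")
    return new_inventory, new_device, log


# Constructed sample data; the key material is not a real public key.
INVENTORY_TEXT = """\
ssh-ed25519 S2V5QQ deploy@build
restrict,from="10.0.0.5" ssh-rsa S2V5Qg backup@nas
"""
DEVICE_TEXT = """\
ssh-ed25519 S2V5QQ deploy@build-EDITED
ssh-ed25519 S2V5Qw unknown@laptop
"""

if __name__ == "__main__":
    for level in ("detect", "remediate"):
        inv, dev, log = reconcile(level, INVENTORY_TEXT, DEVICE_TEXT)
        print(f"--- {level} ---\n" + "\n".join(log))
        print("".join(e.render() + "\n" for e in dev.values()))
```

Running it shows the asymmetry the table describes: at Detect, all three differences flow into the inventory and the device is untouched; at Remediate, the edited comment and the missing restricted key are put back on the device, but the key added on the device (unknown@laptop) is recorded in the inventory and stays in authorized_keys. If an unexpected key on a Remediate device should be rejected rather than recorded, that review is a separate step from the reconciliation shown here.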
