Cool Halo Trick #11: Identify changes to SSH access key files

Problem: I need to be alerted if the file containing a user’s public SSH key is modified.

Halo's file integrity monitoring (FIM) can alert you when a user’s SSH access key file changes. To set this up, go to Policies > File Integrity Policies > Add New File Integrity Policy.

Give the policy a descriptive name and monitor the following files:

/root/.ssh/authorized_keys
/root/.ssh/authorized_keys2
/home/*/.ssh/authorized_keys
/home/*/.ssh/authorized_keys2

Save the policy, then baseline it against a gold master server image.
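
The baseline-and-compare idea behind this policy, as an added example that is not part of the original post and not Halo's own implementation: it hashes every file matching the four patterns above and reports files modified, added or removed since the baseline. The function names, the `root` parameter and the key lines are assumptions constructed for the demo.

```python
import glob
import hashlib
import os
import tempfile

# The four path patterns from the policy above.
PATTERNS = ["/root/.ssh/authorized_keys", "/root/.ssh/authorized_keys2",
            "/home/*/.ssh/authorized_keys", "/home/*/.ssh/authorized_keys2"]

def snapshot(root="/"):
    """Map each monitored file (path relative to root) to its SHA-256 digest."""
    state = {}
    for pattern in PATTERNS:
        for path in glob.glob(os.path.join(glob.escape(root), pattern.lstrip("/"))):
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                state["/" + os.path.relpath(path, root)] = digest
    return state

def compare(baseline, current):
    """Return (change, path) pairs; a key file absent from the baseline counts too."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append(("added", path))
        elif path not in current:
            findings.append(("removed", path))
        elif baseline[path] != current[path]:
            findings.append(("modified", path))
    return findings

def write_keys(root, rel, text):
    """Demo helper (hypothetical): write a constructed key file under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Baseline a constructed tree, change it three ways, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_keys(root, "root/.ssh/authorized_keys", "ssh-ed25519 CONSTRUCTED-1 admin\n")
        write_keys(root, "home/alice/.ssh/authorized_keys", "ssh-ed25519 CONSTRUCTED-2 alice\n")
        baseline = snapshot(root)  # stands in for the gold master baseline
        write_keys(root, "home/alice/.ssh/authorized_keys",
                   "ssh-ed25519 CONSTRUCTED-2 alice\nssh-ed25519 CONSTRUCTED-3 extra\n")
        write_keys(root, "home/bob/.ssh/authorized_keys2", "ssh-ed25519 CONSTRUCTED-4 bob\n")
        os.remove(os.path.join(root, "root/.ssh/authorized_keys"))
        return compare(baseline, snapshot(root))
```

Calling `demo()` returns one finding per changed file; the `added` case matters because a key file that first appears after the baseline grants access just as a modified one does.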

Here’s what the email alert will look like if a modification is made:
