0034-ssh-keys-authorized_keys Public Key Differences
Rule ID
Category
Level
Compatible Versions
Description
- Monitor changes to the public keys in the authorized_keys files on the host.
Scan Frequency
Theoretical Basis
- authorized_keys lists the public keys permitted to log in over SSH without a password, so it is a critical file. If a key is maliciously added, whoever holds the matching private key can log in to the host, which can lead to data breaches or hacker infiltration.
Risk Items
- Hacker Infiltration
- Data Breach
- Network Security
- Mining Risk
- Botnet Risk
Audit Method
- Verify that the authorized_keys files on the host have not been illegally modified. The following command lists every such file that exists (a single ls, so a missing file for root does not stop the other home directories from being listed); compare each file's contents with your last known-good copy:
ls -l /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys 2>/dev/null
- If an authorized_keys file on the host has been illegally modified, carefully inspect the host environment to determine whether an intrusion has occurred, and change the passwords of the host's user accounts.
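The check above only shows whether the files exist; to detect the change this rule is about, a baseline of each file's key entries is needed. The script below is an added example, not part of this rule or its product: it snapshots the entries of an authorized_keys file and reports entries added, removed or altered since. It assumes sha256sum and comm are available; the baseline directory and the demo paths are made up.

```shell
#!/bin/sh
# Added example, not from the rule page: snapshot the key entries of an
# authorized_keys file and report entries added, removed or altered since.
# Requires sha256sum and comm; the baseline dir and demo paths are assumptions.

# One "hash  last-field" line per key entry (blank and comment lines skipped),
# sorted so two snapshots can be compared with comm(1). Hashing the whole
# entry means a changed option, key blob or comment is all reported.
key_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" 2>/dev/null |
    while IFS= read -r l; do
        printf '%s  %s\n' "$(printf '%s\n' "$l" | sha256sum | cut -c1-16)" "${l##* }"
    done | sort
}

# Snapshot file name for a path: slashes become underscores.
snap_path() { printf '%s/%s' "$2" "$(printf '%s' "$1" | tr / _)"; }

# Record the current entries of FILE ($1) under BASE_DIR ($2).
baseline_save() { mkdir -p "$2" && key_lines "$1" > "$(snap_path "$1" "$2")"; }

# Compare FILE ($1) with its snapshot in BASE_DIR ($2). Prints "+ " for new or
# altered entries and "- " for vanished ones. Returns 0 if unchanged, 1 if
# anything differs, 2 if no baseline exists (treat that as a finding too).
check_keys() {
    snap=$(snap_path "$1" "$2")
    [ -f "$snap" ] || { echo "? $1: no baseline recorded"; return 2; }
    added=$(key_lines "$1" | comm -13 "$snap" -)
    removed=$(key_lines "$1" | comm -23 "$snap" -)
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ] && printf '%s\n' "$added" | sed "s|^|+ $1: |"
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed "s|^|- $1: |"
    return 1
}

# Demo on constructed data (the key blobs are placeholders, not real keys):
# take a baseline, then an extra entry appears and the check reports it.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/home/alice/.ssh"
    f=$d/home/alice/.ssh/authorized_keys
    printf '# constructed sample\nssh-ed25519 AAAAC3Nz...constructed alice@laptop\n' > "$f"
    baseline_save "$f" "$d/baseline"
    printf 'ssh-rsa AAAAB3Nz...constructed unknown@elsewhere\n' >> "$f"
    check_keys "$f" "$d/baseline"; rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "result: authorized_keys differs from baseline (exit $?)"
```

In production, run baseline_save once per file after a known-good review and schedule check_keys over /root/.ssh/authorized_keys and /home/*/.ssh/authorized_keys; a non-zero exit is the alert.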
Impact
Default Value
References
CIS Control