[sec_scan][22] add authorized keys reporter

This PR introduces a SSH authorized keys reporter that monitors `/etc/passwd` file and all users' authorized_keys files and reports the findings back to teleport. Part of gravitational/access-graph#637 Signed-off-by: Tiago Silva <[email protected]>
gravitational · Jul 23, 2024 · c1f306c · c1f306c
1 parent ecfa26a
commit c1f306c
Show file tree

Hide file tree

Showing 6 changed files with 886 additions and 2 deletions.
diff --git a/api/types/accessgraph/authorized_key.go b/api/types/accessgraph/authorized_key.go
@@ -28,7 +28,8 @@ import (
 )
 
 const (
-	authorizedKeyDefaultKeyTTL = 8 * time.Hour
+	// AuthorizedKeyDefaultKeyTTL is the default TTL for an authorized key.
+	AuthorizedKeyDefaultKeyTTL = 8 * time.Hour
 )
 
 // NewAuthorizedKey creates a new SSH authorized key resource.
@@ -40,7 +41,7 @@ func NewAuthorizedKey(spec *accessgraphv1pb.AuthorizedKeySpec) (*accessgraphv1pb
 		Metadata: &headerv1.Metadata{
 			Name: name,
 			Expires: timestamppb.New(
-				time.Now().Add(authorizedKeyDefaultKeyTTL),
+				time.Now().Add(AuthorizedKeyDefaultKeyTTL),
 			),
 		},
 		Spec: spec,