I was approached by one of my IT security guys today and he asked this question...
Is there an easy way to monitor changes to "~/.ssh/authorized_keys” with the help of JAMF then send an alert the appropriate personnel?
Does JAMF have any build in alerting functionality or should we use sendmail or something?
We want to do it based on pen test results.
After giving this a brief amount of thought, here is the first thing that came to mind...
We could easily run something like an md5 checksum against the keys during regular JAMF check-ins.
If MD5=true, nothing to do
If MD5=false, do some alert thing
Then I gave a bit more thought and this...
We might be able to use a JAMF web hook for real time detection and alerting...
So the question is...
Has anyone else done something like this?
Did you use JAMF?
If so, how so?
If not, what did you use?
Does anyone even care about such things?
A reboot a day keeps the admin away!
Old thread - but same question here.
I was considering a script to check logs for keywords/strings, then modify a setting on the Mac (maybe the unused 'asset tag') based on the script output. Then have a smart group in JAMF looking for that asset tag change and using the feature to notify an admin upon group membership change.
100% Theoretical at this point though.