SSH Risk Assessor

SSH Risk Assessor (SRA) from SSH Communications Security is a lightweight scanning and reporting tool that enables security auditors to obtain actionable information as to the state of compliance and risk with respect to SSH identity and access management.

SRA is designed for use by security personnel and external auditors responsible for helping large enterprises identify and address IT security risk and compliance issues. SRA is curently available for free to any qualified user upon qualification by an SSH solutions consultant.

What SRA can do for you:

Risk Reporting:

• Generate a report to identify: 
  • Total amounts of keys and related users
  • Host OS platforms and SSH versions
  • Known and unknown trust-relationships
  • Amount of root authorizations
  • User keys without command restrictions 
  • User keys without source address or host
• Scan environment for SSH user and host keys:
  • Duplicate/shared private keys
  • Private keys without passphrase protection
  • Key age, algorithms and lengths
  • User keys in non-root owned directories and writable by non-root users.
• Reachability analysis to determine potential damage due to a compromised private key 

Compare findings with:

• Current IAM tracking to identify  undocumented and/or unauthorized keys
• SSH version and access policies 
• Key cryptography policies 
• Key rotation practices

Compliance Reporting:

• SOX DS 5.8 Cryptographic key management  for secure key storage and revocation 
• HIPAA Information Access requirements for key protection, strength, age, access and audit
• NIST/FISMA section C.2.2 requirements for structured and documented process for key allocation, distribution and tracking. Key algorithm enforcement and tracking
• NERC CIP-007-4 R5 Account Management requirements
• PCI section 8.5.x access controls (SSH under consideration for PCI V3)