Control SSH activities through process

What is a one sentence summary of your feature request?

Control SSH activities through process

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

We always struggle with SSH monitoring and control. EPP’s lack of capability to detect the SSH transfer destination raises the difficulty of security audits. While testing another DLP product, we noticed that it controls SSH by process and successfully blocks traffic to the external network, while the internal network, which is on the allowlist, was not affected. This approach solves our issues regarding SCP and Git over the SSH protocol. Please consider adding this feature to your product.

How do you currently solve the challenges you have by not having this feature?

We don’t have any workaround; SSH is one big security vulnerability in our audit system now.

Hello Tai Ting Tseng,

Thank you for sharing your feedback on Endpoint Protector.

We understand your request and agree that the scenario is valid. At this time, however, the lack of SSH visibility is due to a current limitation in the protocol itself, and because of this we are unable to implement this feature for now.

That said, rest assured our team is committed to periodically revisiting this area and exploring new approaches that may allow us to provide this visibility in the future.

We greatly appreciate your understanding.

Regards,
Simona

Hello Tai Ting Tseng,

May I know if you had any trouble with Linux SCP? From what I know, it’s one of the supported exit points in the CAP policy, and yet I am having issues with it on Linux and do not have any workaround to block it.

Hi Vishwa,

Yes, we successfully blocked outbound SCP on Ubuntu 22. Our issue is that we would like to see the SCP destination, so we want to block based on destination.


Hello Tai Ting Tseng,

May we know how you configured it? We have a Rocky Linux machine, with the CentOS EPP client installed on it.

Every single exit point is blocked in our CAP policy, so SCP is included by default, with all the file types and custom content added.

We created a text file on our Linux machine and added custom content to it, then tried to transfer it via SCP to a Windows machine. It was successfully copied, with all the content.

Our EPP client and server happen to be the n-1 version.

Can you give any insight?