Endpoint Discovery — Linux passwd + SSH authorized_keys
Starting with v4.6, CipherVault Guardian extends its capabilities beyond K8s to Linux endpoint discovery (standalone servers, VMs, bare metal): an inventory of the accounts in /etc/passwd and of the SSH keys in authorized_keys.
This lets you correlate human workload identity (local login) with vault membership and detect drift between "who has an SSH key on the machine" and "who is authorized by CV".
Coverage — Phase 1
| Source | What it collects |
|---|---|
| /etc/passwd | Local users (uid, gid, shell, home); excludes nologin/false shells |
| /root/.ssh/authorized_keys + ~/.ssh/authorized_keys | Public keys + comment + key type (ssh-ed25519, ssh-rsa, etc.) |
Phase 2+ (roadmap):
- Windows local accounts via net user / Registry
- macOS via dscl
- Application-level accounts (Postgres roles, MySQL users), cross-referenced with the dynamic backends
- IAM roles on cloud hosts
Architecture
The same cv-guardian agent already used for K8s. When deployed on a standalone Linux host (systemd unit), it runs:
```
┌─────────────────────────────────────────┐
│ host (Linux)                            │
│                                         │
│ cv-guardian (systemd)                   │
│   ↓ read /etc/passwd                    │
│   ↓ read authorized_keys files          │
│                                         │
│ POST /kube-guardian/endpoint-accounts   │
│   (X-Cluster-Token auth)                │
└─────────────────────────────────────────┘
                    │
                    ▼
┌────────────────────┐
│ CipherVault        │
│                    │
│ endpoint_accounts  │
│   ├── ingest       │
│   ├── dedupe       │
│   └── correlate    │
└────────────────────┘
```
Agent endpoint (X-Cluster-Token auth)
```
POST /kube-guardian/endpoint-accounts
body: {
  "host_id": "host_01HXY...",
  "scanned_at": "2026-05-22T10:00:00Z",
  "accounts": [
    {
      "username": "deploy",
      "uid": 1001,
      "shell": "/bin/bash",
      "ssh_keys": [
        { "type": "ssh-ed25519", "fingerprint_sha256": "...", "comment": "alice@laptop" }
      ]
    }
  ]
}
```
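As an added example (not the product's own code and not taken from the cv-guardian repo), the Go sketch below shows what the Phase 1 collector has to do to fill this body: keep only /etc/passwd accounts with a login shell, parse authorized_keys lines (tolerating a leading options field such as no-pty,from=...) and derive the OpenSSH-style SHA256 fingerprint that goes into fingerprint_sha256. The type and function names are assumptions, the sample passwd/key data is constructed (the key blob is not a real key), and input is taken from strings instead of files so it runs offline.

```go
package main
import (
	"crypto/sha256"
	"encoding/base64"
	"strconv"
	"strings"
)
// SSHKey and Account mirror the "ssh_keys" / "accounts" entries of the agent's POST body.
type SSHKey struct{ Type, FingerprintSHA256, Comment string }
type Account struct {
	Username, Shell string
	UID             int
	SSHKeys         []SSHKey
}
const SamplePasswd = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\ndeploy:x:1001:1001::/home/deploy:/bin/bash\n" // constructed sample
var SampleKeys = map[string]string{"deploy": "no-pty,from=\"10.0.0.0/8\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFq7x9cYt2vQ5pL8mW3nR0dZbH6kJ1aE4sG7uT9yCXzB alice@laptop\n"} // constructed, not a real key
// ParseAuthorizedKeys extracts key type, "SHA256:<base64>" fingerprint (OpenSSH style) and comment per
// line, skipping a leading options field (e.g. "no-pty,from=..."), "#" comments and undecodable blobs.
func ParseAuthorizedKeys(content string) []SSHKey {
	var keys []SSHKey
	for _, line := range strings.Split(content, "\n") {
		f, i := strings.Fields(line), 0
		for i < len(f) && !strings.HasPrefix(f[i], "ssh-") && !strings.HasPrefix(f[i], "ecdsa-") {
			i++ // advance past the options field to the key-type token
		}
		if i+1 >= len(f) || strings.HasPrefix(f[0], "#") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(f[i+1])
		if err != nil {
			continue
		}
		sum := sha256.Sum256(raw) // fingerprint = SHA-256 over the decoded wire-format blob
		keys = append(keys, SSHKey{f[i], "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), strings.Join(f[i+2:], " ")})
	}
	return keys
}
// ParsePasswd keeps accounts with a login shell (Phase 1 excludes nologin/false) and attaches their keys.
func ParsePasswd(passwd string, keysByUser map[string]string) []Account {
	var out []Account
	for _, line := range strings.Split(passwd, "\n") {
		p := strings.Split(line, ":")
		if len(p) < 7 || strings.HasSuffix(p[6], "nologin") || strings.HasSuffix(p[6], "false") {
			continue
		}
		uid, _ := strconv.Atoi(p[2]) // a non-numeric uid field becomes 0
		out = append(out, Account{p[0], p[6], uid, ParseAuthorizedKeys(keysByUser[p[0]])})
	}
	return out
}
```

Commented-out keys, broken blobs and options fields containing spaces (quoted command="...") are dropped silently here; a real collector should count them so that a parse failure cannot masquerade as "no key on this host" in the drift report.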
Admin endpoints (JWT)
| Endpoint | Description |
|---|---|
| GET /endpoint-discovery/accounts | List + filter (host, username, key_type) |
| GET /endpoint-discovery/accounts/:id | Detail with SSH key fingerprints |
| GET /endpoint-discovery/stats | 4 counters (hosts scanned, accounts, ssh keys, drift) |
UI
/EndpointDiscovery page (v4.7):
- 4 stat cards (hosts, accounts, ssh keys, accounts without a vault binding)
- Filterable table (host, username, scanned_at, shell, key types)
- Detail modal with SSH fingerprints
Drift detection
Cross-reference against vault_members:
- ⚠️ Local account with an SSH key but no corresponding vault membership → potential ghost access
- ⚠️ Active vault member but no SSH key on production hosts → can't deploy
- ⚠️ SSH key whose comment matches an ex-employee and that is still authorized
Drift alerts are batched daily; opt in with the env var CV_ENDPOINT_DRIFT_NOTIFY=true.
Install on the host
```bash
# systemd unit (no K8s)
cat > /etc/systemd/system/cv-guardian.service <<EOF
[Unit]
Description=CipherVault Guardian agent (endpoint discovery)
After=network.target
[Service]
Environment="CV_URL=https://cv.acme.com.br"
Environment="CV_CLUSTER_ID=host_01HXY..."
Environment="CV_CLUSTER_TOKEN_FILE=/etc/cv-guardian/token"
Environment="CV_GUARDIAN_MODE=endpoint"
ExecStart=/usr/local/bin/cv-guardian
Restart=on-failure
User=cv-guardian
[Install]
WantedBy=multi-user.target
EOF
systemctl enable --now cv-guardian
```
CV_GUARDIAN_MODE=endpoint skips the K8s API queries and enables the endpoint collectors.
Phase 1 limitations
- Read-only: discovery only; keys are not rotated or revoked
- Linux only: Windows/macOS are on the roadmap
- Local /etc/passwd only: LDAP/AD federation is not covered (use the LDAP engine separately)
- No PAM cross-ref: pam_access.conf and similar are not checked
References
- cv-guardian/internal/discovery/endpoint.go in the product repo
- Guardian docs (agent base)
- Blog post v4.6