
Winlogbeat configuration prone to Man-in-the-Middle attacks #58

Open
cr-secion opened this issue Apr 13, 2022 · 0 comments
cr-secion commented Apr 13, 2022

The agent installation script install-sysmon-beats.ps1 sets a winlogbeat configuration on the client that renders the TLS encryption useless, making the communication between client/agent and espy server prone to MitM. This is caused by the following configuration segment:

  ssl:
    enabled: true
    verification_mode: none

The obvious way to solve this would be to set verification_mode to full or strict and install a properly signed server certificate to the espy server, but this may not be possible in every environment and would also require manual installation procedures for every espy server, so it does not scale very well.

Proposed Solution

I will detail an alternative approach that I've successfully implemented in a prototype shell script (that got a little ugly). TL;DR is that I use a local CA on the espy server and bake the corresponding cert into an install-sysmon-beats.ps1 and enable client cert auth as a bonus. This means that I actually generate a custom powershell-installer ON the espy server, that afterwards can get deployed to the Windows clients.

  1. If not present, generate a CA cert and key in /etc/espy/certificates/ca/ca.{crt,key}
  2. If not present, use the CA to generate a servercert and key in /etc/espy/certificates/redis.{crt,key}
  3. If not present, use the CA to generate a client cert and key in /etc/espy/certificates/client.{crt,key,pass}
  4. In /etc/espy/redis.conf, set tls-cert-file, tls-key-file to the corresponding paths
  5. In /etc/espy/redis.conf, set ca-cert-file /etc/espy/certificates/ca/ca.crt and tls-auth-clients yes
  6. Put the CA cert, the client cert+key+pass into install-sysmon-beats.ps1 and set verification_mode to certificate in the winlogbeat config.
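
The six steps above, as an added example that is not the project's own installer code: a POSIX shell script that creates the CA, the Redis server certificate and the passphrase-protected client certificate with openssl (only when the files are missing, as each step says), and prints the redis.conf directives. The paths are the ones listed in the steps; the ESPY_CERT_DIR override, the subject names and the 825-day leaf lifetime are assumptions made here. Redis spells the CA option tls-ca-cert-file, and the server and client certificates get distinct extendedKeyUsage values so neither can be presented in the other role.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): create the local CA, the Redis
# server certificate and the client certificate from steps 1-3 with openssl,
# skipping any file that already exists, and print the redis.conf directives
# from steps 4-5. Paths default to /etc/espy/certificates; ESPY_CERT_DIR is an
# assumed override so the script can be exercised in a scratch directory.
set -eu

CERT_DIR="${ESPY_CERT_DIR:-/etc/espy/certificates}"

# Step 1: self-signed CA in $dir/ca/ca.{crt,key}. openssl's default config
# (1.1.1) or its built-in defaults (3.x) mark a "req -x509" certificate CA:TRUE.
ensure_ca() {
  local dir="$1/ca"
  mkdir -p "$dir"
  if [ -f "$dir/ca.crt" ] && [ -f "$dir/ca.key" ]; then
    return 0
  fi
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/CN=espy-local-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt"
  chmod 600 "$dir/ca.key"
}

# Sign a CSR with the CA; eku is serverAuth or clientAuth so the server
# certificate cannot be replayed as a client certificate and vice versa.
sign_csr() {
  local dir="$1" name="$2" eku="$3" ext
  ext="$(mktemp)"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$eku" > "$ext"
  openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
    -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
    -extfile "$ext" -out "$dir/$name.crt"
  rm -f "$ext" "$dir/$name.csr"
}

# Step 2: server cert/key in $dir/redis.{crt,key}. No SAN is needed for
# verification_mode: certificate; only "full" would check the host name.
ensure_server_cert() {
  local dir="$1"
  if [ -f "$dir/redis.crt" ] && [ -f "$dir/redis.key" ]; then
    return 0
  fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=espy-redis" \
    -keyout "$dir/redis.key" -out "$dir/redis.csr"
  chmod 600 "$dir/redis.key"
  sign_csr "$dir" redis serverAuth
}

# Step 3: client cert, passphrase-protected key and the passphrase itself in
# $dir/client.{crt,key,pass}; the passphrase later fills key_passphrase.
ensure_client_cert() {
  local dir="$1"
  if [ -f "$dir/client.crt" ] && [ -f "$dir/client.key" ] && [ -f "$dir/client.pass" ]; then
    return 0
  fi
  openssl rand -base64 24 > "$dir/client.pass"
  chmod 600 "$dir/client.pass"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "file:$dir/client.pass" -out "$dir/client.key"
  chmod 600 "$dir/client.key"
  openssl req -new -sha256 -subj "/CN=winlogbeat-client" \
    -key "$dir/client.key" -passin "file:$dir/client.pass" -out "$dir/client.csr"
  sign_csr "$dir" client clientAuth
}

# Steps 4-5: the TLS directives for /etc/espy/redis.conf. Redis names the CA
# option tls-ca-cert-file; tls-auth-clients yes rejects any client without a
# certificate chaining to the CA, and tls-protocols mirrors the installer's
# supported_protocols: [TLSv1.3].
redis_tls_directives() {
  local dir="$1"
  printf 'tls-cert-file %s/redis.crt\n' "$dir"
  printf 'tls-key-file %s/redis.key\n' "$dir"
  printf 'tls-ca-cert-file %s/ca/ca.crt\n' "$dir"
  printf 'tls-auth-clients yes\n'
  printf 'tls-protocols "TLSv1.3"\n'
}

# Run the whole procedure only when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
  mkdir -p "$CERT_DIR"
  ensure_ca "$CERT_DIR"
  ensure_server_cert "$CERT_DIR"
  ensure_client_cert "$CERT_DIR"
  redis_tls_directives "$CERT_DIR"
fi
```

Run it as `ESPY_CERT_DIR=/tmp/espy-certs sh gen-certs.sh --run` to dry-run into a scratch directory; the printed directives are meant to be merged into /etc/espy/redis.conf rather than appended blindly, because Redis accepts the last occurrence of a repeated option. Rerunning is safe: every ensure_* function returns early when its files exist, so the CA (and everything already signed by it) stays stable across runs.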

verification_mode: certificate only verifies that the signature is from a trusted CA, but ignores the hostname/FQDN (so it works regardless of whether an IP, hostname or FQDN is used to communicate with the redis service). Note that the certificate mode requires a more recent winlogbeat version than the one currently downloaded by the script, as I pointed out in #36.
The corresponding new ssl section in the redis config looks like the following (this is from my ps1-installer-template, therefore REPLACE_whatnot would get filled in by the shell script):

  ssl:
    enabled: true
    supported_protocols: [TLSv1.3]
    verification_mode: certificate
    certificate_authorities:
      - |
REPLACE_CACERT
    certificate: |
REPLACE_CLIENTCERT
    key: |
REPLACE_CLIENTKEY
    key_passphrase: `"`${CLIENTKEY_PASSWORD}`"

Obviously steps 3 and 5 are optional as they implement additional client certificate checks. This is useful especially if the redis port gets exposed to the internet, as only configured clients are able to establish a TLS connection, which reduces the attack surface.
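
The template-filling step from the ssl section above, as an added example rather than the author's shell script: the REPLACE_* tokens sit at column 0, but YAML only accepts the PEM text as the value of `- |` and `certificate: |` if every line is indented deeper than those keys, so the filler must indent each PEM line (eight spaces is assumed here to match the snippet's nesting) instead of pasting the files verbatim. The placeholder names are the ones from the template; the sample template and the PEM files are constructed stand-ins, not real certificates, and check_rendered is a final sanity check before the installer is shipped to clients.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): fill the REPLACE_* placeholders of
# the installer template with the PEM files, indenting every PEM line so the
# certificates stay valid YAML block scalars under "- |" and "certificate: |".
# The eight-space indentation is an assumption matching the snippet's nesting.
set -eu

PEM_INDENT="        "   # 8 spaces: deeper than "      - |" (6) and "    certificate: |" (4)

# Replace a placeholder line (the whole line must be the token, at column 0)
# with the indented contents of the matching file; all other lines pass through,
# including the PowerShell-escaped key_passphrase line.
render_installer() {
  local template="$1" ca="$2" cert="$3" key="$4"
  awk -v ca="$ca" -v cert="$cert" -v key="$key" -v pad="$PEM_INDENT" '
    function emit(file,   line) {
      while ((getline line < file) > 0) print pad line
      close(file)
    }
    $0 == "REPLACE_CACERT"     { emit(ca);   next }
    $0 == "REPLACE_CLIENTCERT" { emit(cert); next }
    $0 == "REPLACE_CLIENTKEY"  { emit(key);  next }
    { print }
  ' "$template"
}

# Sanity check before shipping: no placeholder survived, and no PEM marker sits
# at column 0, where it would terminate the YAML block scalar and break parsing.
check_rendered() {
  local out="$1"
  if grep -q '^REPLACE_' "$out"; then return 1; fi
  if grep -q '^-----' "$out"; then return 1; fi
  return 0
}

# Constructed sample: the ssl section from the template above plus stand-in
# PEM files (the base64 bodies are placeholders, not real certificates).
make_sample_dir() {
  local d
  d="$(mktemp -d)"
  cat > "$d/template.ps1" <<'EOF'
  ssl:
    enabled: true
    supported_protocols: [TLSv1.3]
    verification_mode: certificate
    certificate_authorities:
      - |
REPLACE_CACERT
    certificate: |
REPLACE_CLIENTCERT
    key: |
REPLACE_CLIENTKEY
    key_passphrase: `"`${CLIENTKEY_PASSWORD}`"
EOF
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0EtU0FNUExF' '-----END CERTIFICATE-----' > "$d/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0xJRU5ULVNBTVBMRQ==' '-----END CERTIFICATE-----' > "$d/client.crt"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQtS0VZLVNBTVBMRQ==' '-----END ENCRYPTED PRIVATE KEY-----' > "$d/client.key"
  printf '%s\n' "$d"
}

# Demo run on the constructed sample: render, check, and print the result.
if [ "${1:-}" = "--demo" ]; then
  d="$(make_sample_dir)"
  render_installer "$d/template.ps1" "$d/ca.crt" "$d/client.crt" "$d/client.key" > "$d/install-sysmon-beats.ps1"
  check_rendered "$d/install-sysmon-beats.ps1" && cat "$d/install-sysmon-beats.ps1"
fi
```

With the real files, the call is `render_installer template.ps1 /etc/espy/certificates/ca/ca.crt /etc/espy/certificates/client.crt /etc/espy/certificates/client.key > install-sysmon-beats.ps1`; since the output embeds the client private key, it should be protected like the key itself (mode 600, and handed to clients over an authenticated channel).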

Cheers
Clemens
