Feature request - allow authentication without a clear text password in upload balise from the local config file

[CERT-ENEDIS]

Hello,

Assuming no transparent authentication or public share is available, is it possible to implement a kind of mechanism to avoid clear text password in the upload balise in the local configuration file ?

Thank for you job

Cert-Enedis

[jgautier-anssi]

Hi, Thank you for your issue. Any mechanism we could implement would only be obfuscation which, in turn, would only create a "false sense" of security. It would create some sort of "base64 encoding of social security numbers" situation.

Having these credentials in clear text implies:

• you are very aware that this account is exposed
• you will take appropriate measures to ensure this account will have minimal privileges (i.e. focus on "write-only" permissions on the upload share and only there).

This is why transparent (i.e. SSO) authentication should always be preferred. They do really make sense when you suspect a domain admin account has been compromised. In any case, we strongly recommend that archive level encryption is used to secure dfir-orc's collected evidence.

We view these credentials as a way to avoid "null session shares" kind of scenarios but they really have nothing to do with security.

Please feel free to add/comment on why this approach is problematic in your context.

Jean

[CERT-ENEDIS]

Hello,

We understand the point, to comment our need, in our contexte we need to setup a permanent infrastructure with a "ready to deploy and collecte orc configuration" on multiples endpoints.

• We can't use transparent authentication (reasons not developped here)
• We want to keep in one opération (with orc) the execution and the upload of the archive.

At this time, we use the archive level encryption and are ready to assume the risk of a clear text password with the "minimal privileges policy" but it will be a nice to have feature to be able to authenticate without a clear text password.

Regards,

CERT ENEDIS

[jgautier-anssi]

Hi,

Regarding the need for "ready to deploy" infrastructure, may be the user account can be disabled "by default" and only enabled when needed?

We will keep in mind your requirement when we design future versions of dfir-orc.

Thank you for your feedback. Best regards, Jean Gautier