Open FocusedPanda opened 1 year ago
Hello,
I have the same problem in a docker environment v5.5.2 (16 GB RAM - 6 vCPU - 50 GB disk) with the misp-feed connector when I assign the built-in Connector role in OpenCTI. I tried to give it more rights but it doesn't work (see pic for rights). The connector works well when it has the "Bypass all capabilities" right. Does the misp-feed connector need to have admin rights to work, or am I missing something?
Thanks in advance
Confirmed.
I created a new user role that included the 'Bypass all capabilities' capability selected. (With that selected, I'm not sure if any of the other capabilities matter)
I updated my [C] OpenCTI user with the new role that contains, 'Bypass all capabilities'.
I cleared all works from the OpenCTI Connector, and reset the connector state.
Once the OpenCTI connector re-ran, data was successfully being ingested.
This would lead me to believe that there is a capability missing from the role definitions that allows writing of data from certain connectors.
Connectors that I've found this issue with:
Hello, thanks for the answer and for the tip about clearing jobs and resetting the connector state. The right "Bypass all capabilities" is the right given to the Admin role, so we are giving an admin right to a connector. I hope another solution will be found in the future.
Can confirm that I've also been experiencing this issue with the AlienVault connector. After some lengthy (and frustrating) troubleshooting, I concluded that the only way to resolve the errors was to permit Bypass all capabilities. However, being that this capability is overly permissive, I searched the GitHub repo, and came across this open issue.
Getting the same error on all active connectors (add MISP to those mentioned above). OpenCTI has become unusable (docker test setup on a 16 GB RAM server). I thought this extreme load was caused by a retention policy deleting everything older than 70 days that triggered in the same days we updated to 5.5.2, but it's apparently not the right culprit.
I've also found that Bypass all capabilities is required for most connectors to function. This is definitely a bug, as I should be able to create a connector role with the appropriate least permissions instead.
The API is affected by the same problem: I can't access my observables and crawl them from the API if the account used for it does not have the "Bypass all capabilities" right.
This is a big issue; maybe someone from the OpenCTI team could take a look at this problem. @SamuelHassine, sorry for tagging you directly, but I think it's kind of a big issue.
I wanted to take a moment to follow up here. I recently upgraded OpenCTI to the latest version -- which at the time of this writing is 5.7.3.
After all of the latest Docker images were pulled and everything came online, I modified the Connector role and removed the Bypass all capabilities scope from the permissions. I then triggered a re-run on all connectors. So far, any connectors that have run, pulled data, and written data to OpenCTI have not thrown any errors.
I documented my upgrade procedure here. I would like anyone else who has commented on or comes across this issue to try upgrading their OpenCTI stack and see if your connectors can run without the overly permissive scope.
Hello, I just tested version 5.7.3 on docker with 2 connectors: MISP-FEED and MITRE. Using the default Connector group and role, I have no permission-based error. The default Connector role does not have the "Bypass all capabilities" right. I will try other connectors, but the first check seems good.
@tialocRT I think this is fixed for me in 5.7. Did you confirm also?
Hello, @GraemeMeyerGT I have had no problem with the default Connector role since the 5.7.X release; it seems good, yeah.
@FocusedPanda I propose closing this issue now unless you are still experiencing it.
@SamuelHassine can you please consider closing this issue in lieu of the original reporter? It appears to have been resolved quite some time ago.
Description
Update 2023-01-17 - It appears that the default Connector role does not provide enough privilege for some connectors to work properly. Issues with connectors ingesting data can be worked around by setting up a new role with the "Bypass all capabilities" privilege checked. This is not ideal.
I have set up the OpenCTI Datasets connector; I am able to see the connector performing work in OpenCTI, as well as the sessions for the connector user. However, none of the sectors or geographies are being ingested into OpenCTI.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
It is expected that the Locations -> Regions, Countries, and Cities sections in OpenCTI will be populated with data from https://raw.githubusercontent.com/OpenCTI-Platform/datasets/master/data/geography.json, and that Entities -> Sectors would be populated with data from https://raw.githubusercontent.com/OpenCTI-Platform/datasets/master/data/sectors.json.
Actual Output
Additional information
When I checked the Elastic logs, I saw a log entry with the following error:
That same log entry also had
OpenCTI Docker Configuration
OpenCTI Datasets Connector Configuration
Screenshots (optional)