cisagov / LME

Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
https://www.cisa.gov/resources-tools/services/logging-made-easy

Encrypted Service Password #352

Closed safiuddinr closed 2 weeks ago

safiuddinr commented 3 months ago

Here we need to ensure passwords are encrypted at rest

for this we'll be using a combination of ansible-vault and podman-secrets

utilizing a shell driver for the podman secret: https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html

mreeve-snl commented 2 months ago

so there's probably a few fancier ways we can do this, but this honestly seems the simplest... We set up the ansible password and the way to access it via environment variables:

set_password_script:

#!/bin/bash
# Meant to be sourced (". set_password_script.sh") so the variables land in the caller's shell.
read -r -s -p "ANSIBLE_VAULT_PASSWORD:" LME_ANSIBLE_VAULT_PASS
echo
export LME_ANSIBLE_VAULT_PASS

#TODO: add checks for these filepaths existing
# Point ansible-vault at the password file. If the file is executable, ansible runs it
# and uses its stdout as the vault password, which is how the env var above gets picked up.
export ANSIBLE_VAULT_PASSWORD_FILE=/opt/lme/config/vault-pass.sh

This sets up the password as an environment variable AND the vault file variable, so ansible-vault knows where to pull the vault file.

We can now store any given lme-user and lme-service-user password in the following directory paths:

. set_password_script.sh
USER_X=elastic
# Prompt for the user's password without echo, write it into the vault directory, then encrypt it in place.
read -r -s -p "Password for $USER_X: " PASS; echo
printf '%s\n' "$PASS" > "/opt/lme/vault/$USER_X"
ansible-vault encrypt "/opt/lme/vault/$USER_X"
unset PASS

we'll probably need to make sure we back this up somehow so people can recover, but I think this seems pretty smooth

mreeve-snl commented 2 months ago

so using that as a baseline, I think this should work with podman secrets:

[secrets]
driver = "shell"

# podman runs each command with $SECRET_ID set to the secret name;
# "store" receives the secret value on stdin, "lookup" must print it to stdout.
# All four need ANSIBLE_VAULT_PASSWORD_FILE in podman's environment.
[secrets.opts]
list = "ls /opt/lme/vault/"
lookup = "ansible-vault view /opt/lme/vault/$SECRET_ID"
store = "cat > /opt/lme/vault/$SECRET_ID; ansible-vault encrypt /opt/lme/vault/$SECRET_ID"
delete = "rm /opt/lme/vault/$SECRET_ID"

to store and update passwords as needed... now we just have to automate this
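An added sketch, not LME's own code, of the same four shell-driver hooks as one script, with the two things a driver like this needs that the one-liners above do not cover: `$SECRET_ID` is chosen by whoever runs `podman secret create`, so it is validated before being used as a file name, and the plaintext is piped straight into ansible-vault rather than written to disk first. The script path, `LME_VAULT_DIR` and `LME_VAULT_BIN` are assumed names; it assumes ANSIBLE_VAULT_PASSWORD_FILE is set in podman's environment and that ansible-vault reads stdin when given no file argument.

```shell
#!/bin/sh
# Hypothetical /opt/lme/vault/secret-driver.sh (added example, not LME code).
# Wire it into containers.conf as:
#   [secrets.opts]
#   list   = "/opt/lme/vault/secret-driver.sh list"
#   lookup = "/opt/lme/vault/secret-driver.sh lookup"
#   store  = "/opt/lme/vault/secret-driver.sh store"
#   delete = "/opt/lme/vault/secret-driver.sh delete"
set -eu

VAULT_DIR="${LME_VAULT_DIR:-/opt/lme/vault}"   # hypothetical override, used by tests
VAULT_BIN="${LME_VAULT_BIN:-ansible-vault}"    # hypothetical override, used by tests

# $SECRET_ID is user input: accept only a plain file name
# (not empty, no "/", not "." or ".."), so it cannot escape VAULT_DIR.
valid_id() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
    esac
}

# store: the secret arrives on stdin. Feed it to ansible-vault directly so no
# unencrypted copy is written; "cat > file; encrypt file" leaves a plaintext window.
secret_store() {
    valid_id "$1" || { echo "secret-driver: bad secret id" >&2; return 1; }
    umask 077                                  # vault files are owner-only
    "$VAULT_BIN" encrypt --output "$VAULT_DIR/$1"
}

# lookup: podman expects the decrypted value on stdout.
secret_lookup() {
    valid_id "$1" || return 1
    "$VAULT_BIN" view "$VAULT_DIR/$1"
}

secret_delete() {
    valid_id "$1" || return 1
    rm -f "$VAULT_DIR/$1"
}

secret_list() {
    ls -1 "$VAULT_DIR"
}

case "${1:-}" in
    list)   secret_list ;;
    lookup) secret_lookup "${SECRET_ID:?}" ;;
    store)  secret_store  "${SECRET_ID:?}" ;;
    delete) secret_delete "${SECRET_ID:?}" ;;
esac
```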

mreeve-snl commented 2 months ago

I think for this task we'll also want to add a "security/threat model" for LME, so it's clear what sort of attacks we care about for this.

From what I'm thinking, the master password shouldn't be accessible if any LME service is compromised. To mitigate this, I think we should store the master password in a separate user space from the lme services.

Therefore, if we have lme.service run as a different user (i.e. lme), we can have lme.service be a quadlet under the regular user, that spawns all the other quadlets as the lme user...