ddbnl / office365-audit-log-collector

Collect / retrieve Office365, AzureAD and DLP audit logs and output to PRTG, Azure Log Analytics Workspace, SQL, Graylog, Fluentd, and/or file output.
https://ddbnl.github.io/office365-audit-log-collector/
MIT License

Lacking certificate validation #2

Closed Doctor-love closed 6 years ago

Doctor-love commented 6 years ago

The HTTP(S) requests performed by the scripts have been configured to not validate the identity (certificate) of the Office365 services:

[...]
r = requests.post(auth_url, headers=headers, data=data, verify=False)
[...]

This makes the connections vulnerable to Man-In-The-Middle attacks, which could result in the exposure of access credentials and other sensitive information.

Since the scripts use the "requests" module (which supports/uses "certifi") and Office365 provides verifiable certificates, it should not be an issue to enable validation.

ddbnl commented 6 years ago

Agreed; could you check if the latest commit allows you to retrieve the audit logs securely?

Doctor-love commented 6 years ago

Seems like you have overcomplicated a lot of things - and you hard-code paths to your own home directory. If you would just remove "verify=False" or set it to "verify=True", that would be sufficient.

ddbnl commented 6 years ago

I incorrectly assumed you had to supply the certificate, thanks for the heads up. Updated.
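
Added example, not part of the original thread or the project's code: a static check that flags the pattern reported in this issue (`verify=False` passed to a call) and two closely related forms, so it can be run over a code base before release. The function name `find_disabled_verification` and the sample source are constructed for illustration; the check is a heuristic over literal `False` values only.

```python
import ast

# Constructed sample: the call quoted in the issue, the corrected forms,
# and two other ways the same setting ends up disabled.
SAMPLE = '''
import requests
r = requests.post(auth_url, headers=headers, data=data, verify=False)
ok = requests.post(auth_url, headers=headers, data=data)
ok2 = requests.get(url, verify=True)
s = requests.Session()
s.verify = False
opts = {"verify": False}
r2 = requests.get(url, **opts)
'''


def _is_false(node):
    # Match only the literal False (not 0, not a variable that may be False).
    return isinstance(node, ast.Constant) and node.value is False


def find_disabled_verification(source):
    """Return sorted (line, description) pairs where verification is switched off."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            # requests.post(..., verify=False) and any similar call
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append((node.lineno, "call passes verify=False"))
        elif isinstance(node, ast.Assign) and _is_false(node.value):
            # session.verify = False
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "verify":
                    findings.append((node.lineno, "attribute .verify set to False"))
        elif isinstance(node, ast.Dict):
            # {"verify": False} later splatted into a call with **opts
            for key, value in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == "verify" and _is_false(value):
                    findings.append((node.lineno, 'dict literal sets "verify": False'))
    return sorted(findings)


if __name__ == "__main__":
    for line, what in find_disabled_verification(SAMPLE):
        print(f"line {line}: {what}")
```
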