f5devcentral / f5-security-hub-extension

An iControl LX Extension for publishing ASM logs to AWS Security Hub
MIT License

refreshtoken interval #2

Open tkam8 opened 5 years ago

tkam8 commented 5 years ago
ISSUE TYPE
VERSION
f5-securityhub-0.9.3-1.noarch.rpm
BIGIP VERSION
# tmsh show sys ver

Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.0.3
  Build       0.0.6
  Edition     Point Release 3
  Date        Mon Mar 25 17:15:27 PDT 2019
SUMMARY

Some of my logs fail to be sent to Security Hub. Checking the restnoded logs, I see that the token is expired.

Ideally, refreshtoken interval needs to be shorter than the expiry time. What is the expected token validity duration? Logs are below.

EXPECTED RESULTS

no error when sending logs to security hub

ACTUAL RESULTS

Error "The security token included in the request is expired" when trying to send logs to Security Hub. Looks like startTokenRefresh is set to 8 hours.

cat /var/log/restnoded/restnoded.log | grep -i token

Sun, 26 May 2019 23:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Sun, 26 May 2019 23:32:41 GMT - fine: Security Token Fetched
Sun, 26 May 2019 23:51:28 GMT - fine: [SecurityHub] Renewing AWS Token
Sun, 26 May 2019 23:51:28 GMT - fine: Security Token Fetched
Mon, 27 May 2019 05:50:26 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:50:49 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:51:39 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:52:49 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 07:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 07:32:41 GMT - fine: Security Token Fetched
Mon, 27 May 2019 15:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 15:32:41 GMT - fine: Security Token Fetched
Mon, 27 May 2019 23:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 23:32:41 GMT - fine: Security Token Fetched

aws iam get-role --role-name BIGIPSecurityHubRole

{
    "Role": {
        "Description": "Allows EC2 instances to call AWS services on your behalf.", 
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        }, 
        "MaxSessionDuration": 3600, 
        "RoleId": "AAA", 
        "CreateDate": "2019-04-22T04:26:24Z", 
        "RoleName": "BIGIPSecurityHubRole", 
        "Path": "/", 
        "Arn": "arn:aws:iam::##:role/BIGIPSecurityHubRole"
    }
}

The session duration is set to the default 1 hr. However, when I grab the creds, the expiration is about 6 hrs after LastUpdated... not sure why, but an 8 hr interval for refreshtoken will likely result in some expired-token errors. Some options are to extend the session duration to 12 hrs or to make the refreshtoken interval shorter.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/BIGIPSecurityHubRole

{
  "Code" : "Success",
  "LastUpdated" : "2019-05-28T02:12:02Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AAA",
  "SecretAccessKey" : "XXX",
  "Token" : "XXX",
  "Expiration" : "2019-05-28T08:33:22Z"
}
tkam8 commented 5 years ago

BTW, bigstart restart restnoded is the workaround to re-initiate the plugin.
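As an added illustration of the mismatch described in the issue (this is not code from the extension or from the reporter): a small Node.js helper that derives the renewal delay from the credential document's Expiration field instead of a fixed 8-hour timer. The function names (msUntilRefresh, fixedIntervalTooLong, scheduleRefresh, fetchCreds) are hypothetical, and the sample credential document is constructed from the redacted values in the issue.

```javascript
// Constructed sample of the instance-metadata credential document, using the
// redacted values from the issue (AAA/XXX are placeholders, not real secrets).
const SAMPLE_CREDENTIALS = {
  Code: 'Success',
  LastUpdated: '2019-05-28T02:12:02Z',
  Type: 'AWS-HMAC',
  AccessKeyId: 'AAA',
  SecretAccessKey: 'XXX',
  Token: 'XXX',
  Expiration: '2019-05-28T08:33:22Z',
};

const HOUR_MS = 60 * 60 * 1000;
const FIXED_REFRESH_INTERVAL_MS = 8 * HOUR_MS; // the interval the issue reports
const SAFETY_MARGIN_MS = 5 * 60 * 1000;        // renew five minutes early

// Milliseconds after `nowMs` at which the credentials should be renewed:
// a safety margin before Expiration, clamped at 0 (renew immediately).
function msUntilRefresh(creds, nowMs) {
  const expiresMs = Date.parse(creds.Expiration);
  if (Number.isNaN(expiresMs)) {
    throw new Error('credential document has no parseable Expiration');
  }
  return Math.max(0, expiresMs - SAFETY_MARGIN_MS - nowMs);
}

// True when a fixed timer of `intervalMs` started at `nowMs` would fire only
// after the token has already expired, which is what the 8-hour timer does
// against the roughly 6-hour credentials shown in the issue.
function fixedIntervalTooLong(creds, intervalMs, nowMs) {
  return nowMs + intervalMs > Date.parse(creds.Expiration);
}

// Re-arms the renewal timer from each fresh credential document instead of a
// fixed interval. `fetchCreds` is a hypothetical async function that reads the
// metadata endpoint; `setTimer` is injectable so the logic can be tested.
function scheduleRefresh(creds, fetchCreds, setTimer = setTimeout) {
  const delay = msUntilRefresh(creds, Date.now());
  return setTimer(async () => {
    try {
      scheduleRefresh(await fetchCreds(), fetchCreds, setTimer);
    } catch (err) {
      // Fetch failed: retry in a minute rather than waiting a whole interval.
      setTimer(() => scheduleRefresh(creds, fetchCreds, setTimer), 60 * 1000);
    }
  }, delay);
}
```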