Open mathieubaeumler opened 5 years ago
As far as I can see, repacking clients when the CA certificate is not directly specified in the server's writeback file has never really worked (thanks for bringing this to our attention ;) ). The error message you are getting is because of a check in GRR code that seeks to ensure that the CA certificate copied to client configs is valid. The check does not anticipate having to load another file in order to obtain the certificate.
Out of curiosity, do you also want to separate the certificates from GRR client configs (so you can update certificates yourself without redeploying clients), or would you like to copy the server's certificate into client configs during repacking?
Ah, that figures. Well, basically, we "just" would like to have configuration files that are as static as possible. Two reasons for that: first, with orchestration tools (Puppet) it will be easier to manage. Then, going further, it would indeed be nice to have the ability to deploy the certificate without having to repack/deploy the clients. Thanks for your input anyway :)
Hello,
Context: brand new grr server installed from deb (ubuntu 16.04, grr 3.2.4-6), working perfectly well as is.
As we have our own PKI, we would like to manage the keys/certificates ourselves. The best way to easily configure that (especially with a Puppet server) would be to keep the certificates outside the configuration using parameter expansion and filtering.
Exactly as mentioned here: https://grr-doc.readthedocs.io/en/latest/maintaining-and-tuning/configuration/filtering.html and https://grr-doc.readthedocs.io/en/latest/maintaining-and-tuning/key-management/which-keys-and-how.html#code-signing-and-ca-keys
So, for example, we have that in our configuration: CA.certificate: "%(/etc/grr/ssl/CA.certificate|file)"
And the properly formatted PEM in "/etc/grr/ssl/CA.certificate".
However, doing that leads to not being able to repackage the client, as it always fails with the following error:

    ERROR:2019-05-08 15:34:30,004 1698 MainProcess 139806272059136 MainThread build:403] Build Config Error: CA certificate missing from config.
    ERROR:2019-05-08 15:34:30,014 1698 MainProcess 139806272059136 MainThread repacking:192] Repacking template /usr/share/grr-server/grr-response-templates/templates/grr_3.2.4.6_i386.deb.zip failed:

Is there by any chance something we missed in the configuration, or is this by design?
Regards
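The two things this thread turns on are the `%(path|file)` filter that pulls the certificate in from disk, and the build-time check that expects a real certificate in `CA.certificate`. The following is an added illustration written for this page, not GRR's own code: `expand_file_refs` and `check_ca_certificate` are hypothetical helpers that resolve the file reference first and only then validate the value, which is the ordering the maintainer's comment says the existing check lacks. The PEM is a constructed stand-in (a tiny DER SEQUENCE, not a real certificate) so the script runs offline.

```python
"""Resolve %(path|file) config references before validating the CA certificate.

Added example, not GRR's own code. The expansion syntax follows the form quoted
in the issue; the helper names, the dict-based config and the constructed PEM
are assumptions made for this illustration.
"""
import base64
import os
import re
import tempfile

# Matches the filter form used in the issue: %(<path>|file)
_FILE_REF = re.compile(r"%\((?P<path>[^|()]+)\|file\)")

# PEM framing for a certificate; the body is base64 that may span lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

# Constructed stand-in: base64 of DER bytes 30 03 02 01 01 (a SEQUENCE holding
# INTEGER 1). It is NOT a real certificate; it only exercises the framing checks.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)


def expand_file_refs(config):
    """Return a copy of ``config`` with every %(path|file) value replaced by the
    contents of that file. A missing file raises, so a bad path surfaces as a
    clear OSError instead of a misleading 'certificate missing' message."""
    expanded = {}
    for key, value in config.items():
        if isinstance(value, str):
            def _load(match):
                with open(match.group("path"), "r", encoding="utf-8") as fh:
                    return fh.read()
            value = _FILE_REF.sub(_load, value)
        expanded[key] = value
    return expanded


def check_ca_certificate(config):
    """Build-time sanity check: the CA certificate must be present *after*
    expansion and must be PEM-framed base64 whose DER starts with a SEQUENCE.
    Returns (ok, reason)."""
    raw = config.get("CA.certificate")
    if not raw:
        return False, "CA certificate missing from config"
    if _FILE_REF.search(raw):
        # The situation from the issue: the value still carries an unexpanded
        # file reference, which a check that never loads the file cannot accept.
        return False, "CA.certificate still contains an unexpanded %(...|file) reference"
    m = _PEM_RE.search(raw)
    if not m:
        return False, "CA.certificate is not a PEM-encoded certificate"
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:
        return False, "CA.certificate PEM body is not valid base64"
    # Every X.509 certificate is a DER SEQUENCE; 0x30 is the SEQUENCE tag.
    if not der or der[0] != 0x30:
        return False, "CA.certificate DER does not start with a SEQUENCE"
    return True, "ok"


def demo(tmpdir=None):
    """Write the constructed PEM to disk, reference it from the config the way
    the issue does, and run the check before and after expansion.
    Returns ((ok, reason) before expansion, (ok, reason) after expansion)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    pem_path = os.path.join(tmpdir, "CA.certificate")
    with open(pem_path, "w", encoding="utf-8") as fh:
        fh.write(CONSTRUCTED_PEM)
    config = {"CA.certificate": "%%(%s|file)" % pem_path}
    before = check_ca_certificate(config)          # fails: reference not resolved
    after = check_ca_certificate(expand_file_refs(config))  # passes: file loaded first
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before expansion", "after expansion"), demo()):
        print("%s: %s" % (label, result))
```

Running the script prints a failure for the unexpanded value and `ok` once the file has been read in, which is exactly the difference between the behaviour reported in the issue and the behaviour the reporter expected. The check here deliberately stops at PEM and DER framing; a real deployment would additionally parse the certificate and verify that it is a CA certificate that matches the server's keys.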