
Password Protected Fleet Keystore for Sensitive Credentials #3222

Open
Lokey92 opened this issue Jan 9, 2024 · 0 comments
Assignees: none
Labels: Team:Fleet (label for the Fleet team)

Comments


Lokey92 commented Jan 9, 2024

Describe the enhancement:
A more secure way to store sensitive credentials for enrollment purposes that can be utilized in an Ansible playbook (capable of automation).

Describe a specific use case for the enhancement or feature:
There's a common gotcha point when it comes to hardening in regards to exposed sensitive credentials. It's a potential blocking point if it can’t pass the security checks. While we are a ways out towards deploying with Fleet in production

The current process of Fleet enrollment with tls/ssl enabled involves a command that's like this:

elastic-agent enroll --force \
--url=https://fleethost.example.com:8220/ \
--fleet-server-es=https://eshost.example.com:9200/ \
--fleet-server-service-token=AAEAAWVsYXN0a2VAWERva2VuLTE2OTY4NzA3MDI4Njk6MGR0UXg2bXlROGlpQjNCOGR2ZHNjUQ \
--fleet-server-policy=fleet-server-policy \
--certificate-authorities=/etc/elastic-agent/example-cert-chain.pem \
--fleet-server-es-ca=/etc/elastic-agent/example-es-cert.crt \
--fleet-server-cert=/etc/elastic-agent/example-host-cert.crt \
--fleet-server-cert-key=/etc/elastic-agent/example-host-private-key.pem \
--fleet-server-cert-key-passphrase=/etc/elastic-agent/keypass \
--tag=fleet-host

The main point of concern is the passphrase is stored in a plaintext file.

--fleet-server-cert-key=/etc/elastic-agent/example-host-private-key.pem \
--fleet-server-cert-key-passphrase=/etc/elastic-agent/keypass

We are following the documented steps to secure it as a file within /etc/elastic-agent/ but would like to see the possibility of storing sensitive credentials similar to the elasticsearch keystore.

What is the definition of done?
The method of storing a private key password meets the criteria of OS & application hardening per STIGs

https://www.stigviewer.com/stig/general_purpose_operating_system_security_requirements_guide/2023-05-17/finding/V-203630
https://www.stigviewer.com/stig/general_purpose_operating_system_security_requirements_guide/2023-05-17/finding/V-203629
https://www.stigviewer.com/stig/application_security_requirements_guide/2011-12-28/finding/V-26924
https://www.stigviewer.com/stig/application_security_requirements_guide/2011-12-28/finding/V-26923
https://www.stigviewer.com/stig/application_security_and_development/2017-01-09/finding/V-70157
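The issue asks for a password-protected keystore in the style of the Elasticsearch one, so the passphrase for `--fleet-server-cert-key` is not kept in a plaintext file under `/etc/elastic-agent/`. The following is an added illustrative example of what such a keystore does, not Elastic's code or a proposed implementation: secrets are encrypted under a key derived from a master password, the tag is checked before decryption so a wrong password or an edited file is rejected, and the keystore file is created owner-only (0600), which is the kind of check the cited STIG findings call for. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen only because it needs nothing beyond the Python standard library; a real keystore would use a vetted AEAD such as AES-GCM. The file name `agent.keystore`, the entry name and the passphrase value are constructed for the example.

```python
"""Illustrative password-protected keystore (added example, not Elastic's code).

Secrets such as a TLS private-key passphrase are stored encrypted at rest under a
key derived from a master password, and the keystore file is created with mode
0600, so a plaintext passphrase never sits on disk. The cipher is HMAC-SHA256
run in counter mode with encrypt-then-MAC authentication, chosen because it
needs only the standard library; production code would use AES-GCM or similar.
"""
import hashlib
import hmac
import json
import os
import secrets
import stat
import tempfile

KDF_ITERATIONS = 600_000  # PBKDF2 work factor; raise as hardware allows


def _derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the master password."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (the same call encrypts and decrypts)."""
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(master_password: str, entries: dict) -> dict:
    """Encrypt and authenticate a name->secret mapping; returns a JSON-serialisable blob."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ciphertext = _ctr_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def unseal(master_password: str, blob: dict) -> dict:
    """Verify the tag before decrypting; a wrong password and tampering both fail here."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("keystore authentication failed: wrong password or modified file")
    return json.loads(_ctr_xor(enc_key, nonce, ciphertext))


def write_keystore(path: str, blob: dict) -> None:
    """Create the file owner-read/write only from the start (no chmod race)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(blob, f)


def permissions_ok(path: str) -> bool:
    """STIG-style check: no group or world permission bits on a credential file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def roundtrip_via_file(master_password: str, entries: dict) -> dict:
    """Write, permission-check and reload a keystore in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "agent.keystore")  # constructed file name
        write_keystore(path, seal(master_password, entries))
        if not permissions_ok(path):
            raise PermissionError(f"{path} is readable by group or other")
        with open(path) as f:
            return unseal(master_password, json.load(f))


if __name__ == "__main__":
    # Constructed sample: the passphrase value is illustrative, not a real credential.
    sample = {"fleet-server-cert-key-passphrase": "example-passphrase"}
    print(roundtrip_via_file("master-password-from-prompt", sample))
```

Because the flag shown in the issue takes a file path, a wrapper script around such a keystore would hand the decrypted passphrase to `elastic-agent enroll` through a short-lived file descriptor (for example bash process substitution) rather than writing `/etc/elastic-agent/keypass` to disk; the master password itself still has to come from somewhere at enrollment time (a prompt, or an Ansible Vault variable), which is the trade-off any password-protected keystore carries.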

@cmacknz cmacknz transferred this issue from elastic/elastic-agent Jan 12, 2024
@cmacknz cmacknz added the Team:Fleet Label for the Fleet team label Jan 12, 2024