https://github.com/osquery/osquery logo
Title
j

Jason

08/05/2022, 7:52 PM
Another question about Fleet Desktop. What sort of security auditing has been done on its communication with Fleet? We have Fleet behind a WAF to limit admin activities to known exit IPs, but if we want users to view their device information we'd need to also safelist the `/devices`` path.
Are we relying on the UUID in the path to be difficult to guess, or is there some other auth taking place between Fleet Desktop and the Fleet server? (thx in advance!)
k

Kathy Satterlee

08/05/2022, 8:04 PM
It is relying on the UUID. Since those are fairly unlikely to be cracked quickly, we've got things set up to rate limit the IP if there are multiple failed authentication attempts.
g

Guillaume

08/05/2022, 8:04 PM
Hi Jason! So we have rate limiting on this (just added in 4.18), it is read-only and hard to guess, so with rate limiting it’s decent, BUT, we also want to add rotation because what if it was leaked in some way (user pastes it publicly accidentally or voluntarily etc). You can check these issues about rotation of the URL - https://github.com/fleetdm/fleet/issues/6064 and https://github.com/fleetdm/fleet/issues/6348 which will be documented publicly as well - https://github.com/fleetdm/fleet/issues/6993
j

Jason

08/05/2022, 8:05 PM
wow - thanks all!
k

Kathy Satterlee

08/05/2022, 8:05 PM
That's going to continue to evolve moving forward.... and @Guillaume beat me to it.
j

Jason

08/05/2022, 8:05 PM
hopefully we can also put some WAF rules to reduce abuse as well
g

Guillaume

08/05/2022, 8:07 PM
Since it’s pretty much just a read-only page it should be possible to do so without breaking anything, even with fairly aggressive rules
j

Jason

08/05/2022, 8:08 PM
if I can just ban crawlers and known bad IPs I'm probably fine. I can see it being a decent recon tool though for some really targeted attacks
For instance, I might be able to learn the public/private IP address of your system and also know that you don't have any endpoint protection running (because you are failing that policy)
I might even know also if you aren't fully patched, etc. for a common CVE that's easy to exploit
g

Guillaume

08/06/2022, 1:39 PM
Yeah that's why the rate limiting and rotation is required in our opinion