Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jason
08/05/2022, 7:52 PMAnother question about Fleet Desktop. What sort of security auditing has been done on its communication with Fleet? We have Fleet behind a WAF to limit admin activities to known exit IPs, but if we want users to view their device information we'd need to also safelist the `/devices`` path.
Are we relying on the UUID in the path to be difficult to guess, or is there some other auth taking place between Fleet Desktop and the Fleet server? (thx in advance!)
k
Kathy Satterlee
08/05/2022, 8:04 PMIt is relying on the UUID. Since those are fairly unlikely to be cracked quickly, we've got things set up to rate limit the IP if there are multiple failed authentication attempts.
g
Guillaume
08/05/2022, 8:04 PMHi Jason!
So we have rate limiting on this (just added in 4.18), it is read-only and hard to guess, so with rate limiting it’s decent, BUT, we also want to add rotation because what if it was leaked in some way (user pastes it publicly accidentally or voluntarily etc).
You can check these issues about rotation of the URL - https://github.com/fleetdm/fleet/issues/6064 and https://github.com/fleetdm/fleet/issues/6348 which will be documented publicly as well - https://github.com/fleetdm/fleet/issues/6993
j
Jason
08/05/2022, 8:05 PMwow - thanks all!
k
Kathy Satterlee
08/05/2022, 8:05 PMThat's going to continue to evolve moving forward.... and @Guillaume beat me to it.
j
Jason
08/05/2022, 8:05 PMhopefully we can also put some WAF rules to reduce abuse as well
g
Guillaume
08/05/2022, 8:07 PMSince it’s pretty much just a read-only page it should be possible to do so without breaking anything, even with fairly aggressive rules
j
Jason
08/05/2022, 8:08 PMif I can just ban crawlers and known bad IPs I'm probably fine. I can see it being a decent recon tool though for some really targeted attacks
For instance, I might be able to learn the public/private IP address of your system and also know that you don't have any endpoint protection running (because you are failing that policy)
I might even know also if you aren't fully patched, etc. for a common CVE that's easy to exploit
g
Guillaume
08/06/2022, 1:39 PMYeah that's why the rate limiting and rotation is required in our opinion