A few more cents to dump on this. We've begun working on a slightly different approach, which requires that machine X has checked in within the last Y minutes via osquery and that checks a, b, c, d have passed. This relies on certain scheduled query data being available from our backend logging systems, but avoids the issue of needing to get a "live" response back from live queries. I feel like the time window we work within (usually 5-10 minutes) provides "enough" guarantee on the identity of the laptop, combined with the device cert, to give a high level of confidence to the access request.
05/09/2018, 6:01 AM
@clippy Can you clarify this?
I'm wondering what is being issued/granted if those checks pass. And what you can say about the mechanism.
05/09/2018, 7:19 AM
@seph it can be any number of things. Of particular interest to me is gating ssh access to sensitive resources. So the flow involves some automated checks like the ones mentioned, in addition to ssh key + MFA. If any checks fail, access gets denied.
Something I'm trying to focus more and more on is not treating an access request as username + password + MFA, but also the context provided by the attributes of the request: device ID, patch level, location, threat intel, etc. The combination of such things results in a score that a given request must exceed in order for it to be allowed.
05/09/2018, 2:39 PM
@clippy I really like where you're pushing this.
I may not be asking the right question. What's the implementation of the check? Is it server side? Is it pushing some kind of cert to the client that gets coupled with the access request?
05/09/2018, 7:00 PM
@seph ah, I think (hope?) I see what you're driving at. In the case of ssh auth, it's a custom module that makes an API call back to our backend, which does the checks and then passes back an allow/deny.
For other things, like an API auth request, the laptop ID, cert, etc. are bundled as part of the user "identity" which is passed to the auth system (which in turn calls that same API used for ssh).
API all the things
05/09/2018, 7:14 PM
That's what I was asking, yeah.
So there's some osquery/fleet manager/API which various things (like ssh or PAM) would hit.
Seems like a neat model. Thanks for explaining it
05/09/2018, 7:34 PM
No worries. It's not really a secret or anything. The backend that makes most of the assessments is just an ELK stack with some custom queries. Aggregate all results from the queries and create the answer. We use AWS Lambda, but it can really be whatever you want.
05/09/2018, 7:36 PM
I wonder if there's any standards work around this. It seems like a really interesting corner.