#macos

allister

07/15/2022, 2:08 PM
I don't recall what implementation uses e.g. the system keychain for cert storage, but it's not unheard of for a custom keychain to be configured on Macs and have agents access it for the handshake

Oleg Koreev

07/15/2022, 2:34 PM
I mean, will the client try to find values for --tls_client_cert and --tls_client_key if the server requires client authentication?

allister

07/16/2022, 12:19 AM
The --tls_client_* flags probably refer to paths on-disk. I was under the impression that e.g. osquery does not have mTLS support, so it wouldn’t surprise me if keychain lookup code is similarly not implemented at present
Stefano Bonicatti

07/16/2022, 9:09 AM
That’s correct, we only support certificate bundles on the filesystem

Oleg Koreev

07/18/2022, 7:06 AM
Not safe) Thank you very much, you helped a lot to save time for experiments.

allister

07/18/2022, 7:07 AM
Do your queries tip off attackers? Mine aren't prescriptive…

Oleg Koreev

07/18/2022, 7:12 AM
I am considering a scenario where most of the employees work remotely and do not want to have open interfaces on the perimeter, as there is always a vulnerability in any software. mTLS solves this problem perfectly. At the same time, the hosts already have device certificates issued by MDM, they could be used, but they are stored in the keychain.
7:13 AM
Plus, the mTLS script is also marked in the off-doc as preferred.

allister

07/18/2022, 7:14 AM
And SCEP is the best protocol to secure MDM behind… 😛

Oleg Koreev

07/18/2022, 7:14 AM
Now we need to think about issuing alternative device certificates, but this in good terms requires the deployment of SCEP.

allister

07/18/2022, 7:14 AM
I mean I totally agree/want mTLS. Let's fund two canoes or trail of bits or zentral and they'll build it in
7:15 AM
Otherwise there should be an issue requesting it, if so please chime in and if not please make it
7:16 AM
But the threat model is not the worst, all things considered
7:17 AM
It's conceivably read only, and whoever's trying to intercept would be managed by/enrolled in a server you control

Oleg Koreev

07/18/2022, 7:18 AM
I haven't seen solutions other than Zentral, I'll take a look at them. I am currently reviewing Fleet and suggest using Nginx (or another proxy) for mTLS
7:19 AM
Do you mean that there is nothing wrong with having the certificate and key on the workstation disk?

allister

07/18/2022, 7:22 AM
It's about not needing an extra agent/log shipper and having osquery open the connection/send the data
7:23 AM
Making nginx speak mTLS doesn't change that osquery itself doesn't (at present - it could, it's just a Simple Matter of Code)
7:23 AM
Client certs on disk are the most decentralized-ish way you can auth with no additional agent at present

Oleg Koreev

07/18/2022, 7:28 AM
Yes, storing on disk is a valid scenario. It just creates a lot of unnecessary complexity, and what's funny, osquery is used, among other things, to keep track of certificates in the store, but it turns out it can't keep track of its own, because it's on disk) 😀