Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
allister
07/15/2022, 2:08 PMI don't recall what implementation uses e.g. the system keychain for cert storage but it's not unheard of for a custom keychain to be configured on macs and have agents access it for handshake
o
Oleg Koreev
07/15/2022, 2:34 PMI mean, will the client try to find values for --tls_client_cert and --tls_client_key if the server requires client authentication?
a
allister
07/16/2022, 12:19 AMThe --tls_client_* flags probably refer to paths on-disk. I was under the impression that e.g. osquery does not have mTLS support, so it wouldn’t surprise me if keychain lookup code is similarly not implemented at present
s
Stefano Bonicatti
07/16/2022, 9:09 AMThat’s correct, we only support certificate bundles on the filesystem
o
Oleg Koreev
07/18/2022, 7:06 AMNot safe) Thank you very much, you helped a lot to save time for experiments.
a
allister
07/18/2022, 7:07 AMDo your queries tip off attackers? Mine aren't prescriptive…
o
Oleg Koreev
07/18/2022, 7:12 AMI am considering a scenario where most of the employees work remotely and do not want to have open interfaces on the perimeter, as there is always a vulnerability in any software. mTLS solves this problem perfectly. At the same time, the hosts already have device certificates issued by MDM, they could be used, but they are stored in the keychain.
Plus, the mTLS script is also marked in the off-doc as preferred.
a
allister
07/18/2022, 7:14 AMAnd SCEP is the best protocol to secure MDM behind… 😛
o
Oleg Koreev
07/18/2022, 7:14 AMNow we need to think about issuing alternative device certificates, but this in good terms requires the deployment of SCEP.
a
allister
07/18/2022, 7:14 AMI mean I totally agree/want mTLS. Let's fund two canoes or trail of bits or zentral and they'll build it in
Otherwise there should be an issue requesting it, if so please chime in and if not please make it
But the threat model is not the worsts, all things considered
It's conceivably read only, and whoever's trying to intercept would be managed by/enrolled in a server you control
o
Oleg Koreev
07/18/2022, 7:18 AMI haven't seen solutions other than Zentral, I'll take a look at them. I am currently reviewing Fleet and suggest using Nginx (or another proxy) for mTLS
Do you mean that there is nothing wrong with having the certificate and key on the workstation disk?
a
allister
07/18/2022, 7:22 AMIt's about not needing an extra agent/log shipper and having osquery open the connection/send the data
Making nginx speak mTLS doesn't change that osquery itself doesn't (at present - it could, it's just a Simple Matter of Code
Client certs on disk are the most decentralized-ish way you can auth with no additional agent at present
o
Oleg Koreev
07/18/2022, 7:28 AMYes, store on disk is a valid scenario. It just creates a lot of unnecessary complexity, and what's funny, osquery is used, among other things, to keep track of certificates in the store, but it turns out it can't keep track of its own, because it's on disk) 😀