Sign packages #168

Closed
ruflin opened this issue Nov 27, 2019 · 8 comments

@ruflin
Contributor

ruflin commented Nov 27, 2019

There should be a way to sign packages so the package manager / agent can verify it was not modified.

@ruflin
Contributor Author

ruflin commented Apr 1, 2020

@scunningham Could you share some thoughts on what you would like to see here?

@scunningham

We are hoping to leverage the infrastructure being discussed in this issue:

https://github.com/elastic/protections-team/issues/98

Ideally, we can hook the build processes of the agent, the endpoint, and the beats to have the sha256 of the executable securely signed. Doing this securely is non-trivial. Luckily we are not the only team that needs this work done.

@ph

ph commented Jun 15, 2020

@scunningham is this something we need for 7.9?

@scunningham

To my knowledge, we are not executing any code out of the package within the context of Kibana. The risk at that tier then, is malicious configuration.

The payloads that are delivered to the endpoints and executed by the agent, or installed as services and started by the system, must be signed. I don't think we can skip the signing of any code that is executable in 7.9.

@ph

ph commented Jun 15, 2020

@scunningham Ok I will keep it for 7.9.

Looking at your comment #168 (comment)

Do I understand it correctly this means, when we push a package to the registry we would sign that package and possibly endpoint or beats would know how to check the signature? Is that correct?

@scunningham

scunningham commented Jun 15, 2020

The goal is to be able to validate that we are acting upon artifacts that are published by Elastic at each tier. So, for example, we should validate the package before making the package available in the UI in Kibana, or applying configuration to indices. We should also validate to the extent we can, that the payloads are from Elastic before executing them on the endpoint.

I was proposing that we sign the packages at publication time, such that Kibana can validate the signatures before interpreting the data. I would suggest signing each individual component, or instead a manifest of all components in a package, where the manifest contains sha256 hashes of each component.

Now how we extend that trust down to the agent is a good question. The executables themselves, both beats and the endpoint, should already be signed by Elastic for their specific platforms. (Is that necessarily true on linux?). We could, however, use a signed manifest included in the above mentioned package, to extend the check in lieu of being dependent on platform specific signing mechanisms.

The point I made above is that we could probably get away without this for 7.9 release because we already have the platform signing for windows and osx (but possibly not linux).
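The signed manifest of sha256 hashes proposed in the comment above, sketched as an added example that is not part of the thread and not Elastic's implementation. Ed25519, the JSON manifest layout, and the names `Manifest`, `SignManifest` and `VerifyPackage` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest maps component path -> hex sha256 (this layout is an assumption).
type Manifest struct{ Components map[string]string `json:"components"` }

// SignManifest is the publication-time step: hash every component, sign the manifest.
func SignManifest(priv ed25519.PrivateKey, files map[string][]byte) (raw, sig []byte) {
	m := Manifest{Components: map[string]string{}}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m.Components[name] = hex.EncodeToString(sum[:])
	}
	raw, _ = json.Marshal(m) // map keys are emitted sorted, so the bytes are stable
	return raw, ed25519.Sign(priv, raw)
}

// VerifyPackage checks the signature over the raw manifest bytes before parsing
// them, then checks every component against the hashes the manifest vouches for.
func VerifyPackage(pub ed25519.PublicKey, raw, sig []byte, files map[string][]byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil || len(files) != len(m.Components) {
		return fmt.Errorf("manifest unparsable or file set differs from manifest")
	}
	for name, want := range m.Components {
		sum := sha256.Sum256(files[name])
		if _, ok := files[name]; !ok || hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("component missing or modified: %s", name)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	files := map[string][]byte{"manifest.yml": []byte("name: demo\n")} // constructed sample
	raw, sig := SignManifest(priv, files)
	fmt.Println(VerifyPackage(pub, raw, sig, files))
}
```

The same check can run at each tier (before Kibana interprets the package, and before the agent executes a payload), provided the verifying side holds the publisher's public key out of band.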

@ruflin ruflin added the Ingest Management:beta1 Group issues for ingest management beta1 label Jun 22, 2020
@ph

ph commented Jun 29, 2020

I am going to move that to 7.10.

@jlind23
Contributor

jlind23 commented Sep 21, 2021

Closing it - Duplicate here: #168

@jlind23 jlind23 closed this as completed Sep 21, 2021