From c3aa90fe2789ad8eedeeb7fa58088c6919a468f3 Mon Sep 17 00:00:00 2001 From: Kent 'picat' Gruber Date: Thu, 5 Nov 2020 16:41:15 -0500 Subject: [PATCH] Fix sublist format for client agent threats --- .../docs/security/security-models/core.mdx | 47 +++++++++++++------ 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/website/pages/docs/security/security-models/core.mdx b/website/pages/docs/security/security-models/core.mdx index 1c9e6251f..d09c983dd 100644 --- a/website/pages/docs/security/security-models/core.mdx +++ b/website/pages/docs/security/security-models/core.mdx @@ -27,8 +27,8 @@ environment, but the general mechanisms for a secure Consul deployment revolve a [authentication methods](/docs/security/acl/auth-methods) can be used to enable trusted external parties to authorize ACL token creation. -- **Namespaces (Enterprise Only)** - Read and write operations can be scoped to a logical name to restrict access to - Consul components within a multi-tenant environment. +- **Namespaces (Enterprise Only)** - Read and write operations can be scoped to a logical namespace to restrict access + to Consul components within a multi-tenant environment. - **Sentinel Policies (Enterprise Only)** - Sentinel policies enable policy-as-code for granular control over the built-in key-value store. @@ -177,9 +177,9 @@ environment and adapt these configurations accordingly. - [`encrypt_verify_outgoing`](/docs/agent/options#encrypt_verify_outgoing) - By default this is true to enforce encryption on *outgoing* gossip communications. -- **Namespaces (Enterprise Only)** - Read and write operations should be scoped to logical names to restrict access to - Consul components within a multi-tenant environment. Furthermore, this feature can be used to enable a self-service - approach to Consul ACL administration for teams within a scoped namespace. +- **Namespaces (Enterprise Only)** - Read and write operations should be scoped to logical namespaces to restrict access + to Consul components within a multi-tenant environment. Furthermore, this feature can be used to enable a self-service + approach to Consul ACL administration for teams within a scoped namespace. - **Sentinel Policies (Enterprise Only)** - Sentinel policies allow for granular control over the builtin key-value store. @@ -330,17 +330,36 @@ The following are not part of the threat model for server agents: Connect TLS certificates should be considered compromised; they are never persisted by server agents but do exist in-memory during at least the duration of a Sign request. - The following are not part of the threat model for client agents: +The following are not part of the threat model for client agents: - Access (read or write) to the Consul data directory - Consul clients will use the data directory to cache local state. This includes local services, associated ACL tokens, Connect TLS certificates, and more. Read or write access to this directory will allow an attacker to access this data. This data is typically a smaller subset of the full data of the cluster. +- **Access (read or write) to the Consul data directory** - Consul clients will use the data directory to cache local + state. This includes local services, associated ACL tokens, Connect TLS certificates, and more. Read or write access + to this directory will allow an attacker to access this data. This data is typically a smaller subset of the full data + of the cluster. - Access (read or write) to the Consul configuration directory - Consul client configuration files contain the address and port information of services, default ACL tokens for the agent, and more. Access to Consul configuration could enable an attacker to change the port of a service to a malicious port, register new services, and more. Further, some service definitions have ACL tokens attached that could be used cluster-wide to impersonate that service. An attacker cannot change cluster-wide configurations such as disabling the ACL system. - - Memory access to a running Consul client agent - The blast radius of this is much smaller than a server agent but the confidentiality of a subset of data can still be compromised. Particularly, any data requested against the agent's API including services, KV, and Connect information may be compromised. If a particular set of data on the server was never requested by the agent, it never enters the agent's memory since replication only exists between servers. An attacker could also potentially extract ACL tokens used for service registration on this agent, since the tokens must be stored in-memory alongside the registered service. - - Network access to a local Connect proxy or service - Communications between a service and a Connect-aware proxy are generally unencrypted and must happen over a trusted network. This is typically a loopback device. This requires that other processes on the same machine are trusted, or more complex isolation mechanisms are used such as network namespaces. This also requires that external processes cannot communicate to the Connect service or proxy (except on the inbound port). Therefore, non-native Connect applications should only bind to non-public addresses. - - Improperly Implemented Connect proxy or service - A Connect proxy or natively integrated service must correctly serve a valid leaf certificate, verify the inbound TLS client certificate, and call the Consul agent-local authorized endpoint. If any of this isn't performed correctly, the proxy or service may allow unauthenticated or unauthorized connections. +- **Access (read or write) to the Consul configuration directory** - Consul client configuration files contain the + address and port information of services, default ACL tokens for the agent, and more. Access to Consul configuration + could enable an attacker to change the port of a service to a malicious port, register new services, and more. + Further, some service definitions have ACL tokens attached that could be used cluster-wide to impersonate that + service. An attacker cannot change cluster-wide configurations such as disabling the ACL system. + +- **Memory access to a running Consul client agent** - The blast radius of this is much smaller than a server agent but + the confidentiality of a subset of data can still be compromised. Particularly, any data requested against the agent's + API including services, KV, and Connect information may be compromised. If a particular set of data on the server was + never requested by the agent, it never enters the agent's memory since replication only exists between servers. An + attacker could also potentially extract ACL tokens used for service registration on this agent, since the tokens must + be stored in-memory alongside the registered service. + +- **Network access to a local Connect proxy or service** - Communications between a service and a Connect-aware proxy + are generally unencrypted and must happen over a trusted network. This is typically a loopback device. This requires + that other processes on the same machine are trusted, or more complex isolation mechanisms are used such as network + namespaces. This also requires that external processes cannot communicate to the Connect service or proxy (except on + the inbound port). Therefore, non-native Connect applications should only bind to non-public addresses. + +- **Improperly Implemented Connect proxy or service** - A Connect proxy or natively integrated service must correctly + serve a valid leaf certificate, verify the inbound TLS client certificate, and call the Consul agent-local authorized + endpoint. If any of this isn't performed correctly, the proxy or service may allow unauthenticated or unauthorized + connections. #### Internal Threats