checkmarx-ts/CxOverwatch

Support encrypted credentials

Closed this issue · 3 comments

Describe the problem

The configuration file currently requires credentials in plaintext.

Proposed solution

Use a crypto (consider Fed customers) to encrypt/decrypt sensitive credentials stored in the configuration file.

  • Checkmarx manager account
  • Database user account
  • SMTP account

Additional details

This is in reference to the following sections of the configuration file:
```json
"cx": {
  "host": "http://localhost",
  "username": "admin@cx",
  "password": "PLAIN_TEXT",
  "db": {
    "instance": "localhost\\SQLExpress",
    "username": "dbaccount",
    "password": "PLAIN_TEXT"
  }
},
```

and

```json
"smtp": [
  {
    "systemType": "smtp",
    "name": "Email",
    "host": "smtp.mailserver.com",
    "port": 587,
    "user": "someuser@mailserver.com",
    "password": "PLAIN_TEXT",
    "sender": "admin@mailserver.com",
    "recipients": "list@of.com, email@addresses.com",
    "subject": "Checkmarx Health Monitor Alert",
    "useSsl": true
  }
],
```

I've sketched out a way to do this in a field patch that leans on the Windows Data Protection API (DPAPI) as the trust root. This allows you to encrypt data like password strings in a way that is bound to the user account and machine you encrypted it on. So...

  1. Create a helper script that prompts for the plain-text password, encrypts it via the Windows Data Protection API, and returns the cipher text
  2. Store the cipher text in the password fields of the config file
  3. Patch the health check script to attempt to decrypt the password values via the Windows API; if successful, you were dealing with an encrypted value and you can now use the plain text in the script

For this to work the overwatch script must be run by the user who encrypts the password in step 1.
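The DPAPI approach sketched above, as an added PowerShell example; it is not CxOverwatch's own code or the field patch mentioned, it assumes the config is a JSON file with the `cx`, `cx.db` and `smtp` sections shown in the issue, and the function names are assumed:

```powershell
# Added example, not CxOverwatch code. Windows only: ConvertFrom-SecureString without
# -Key protects the value with DPAPI in CurrentUser scope, so it decrypts only for the
# same Windows account on the same machine (the user that runs the health check).

# Step 1: prompt for a password and return the DPAPI cipher text as a printable string.
function Protect-CxSecret {
    $secure = Read-Host -Prompt 'Password to protect' -AsSecureString
    return (ConvertFrom-SecureString -SecureString $secure)
}

# Step 3: try to decrypt; if DPAPI rejects the value, treat it as a legacy plain-text
# password so an unconverted config keeps working.
function Resolve-CxSecret {
    param([Parameter(Mandatory)][string]$Value)
    try {
        $secure = ConvertTo-SecureString -String $Value -ErrorAction Stop
    } catch {
        return $Value   # not cipher text for this user/machine
    }
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Step 2: rewrite every password field of the config file (cx, cx.db, each smtp entry)
# as DPAPI cipher text. Values that already decrypt are left alone, so re-runs are safe.
function Protect-CxConfig {
    param([Parameter(Mandatory)][string]$Path)
    $cfg = Get-Content -Raw -LiteralPath $Path | ConvertFrom-Json
    $holders = @($cfg.cx, $cfg.cx.db) + @($cfg.smtp)
    foreach ($obj in $holders) {
        if ($null -eq $obj -or [string]::IsNullOrEmpty($obj.password)) { continue }
        if ((Resolve-CxSecret -Value $obj.password) -ne $obj.password) { continue }
        $secure = ConvertTo-SecureString -String $obj.password -AsPlainText -Force
        $obj.password = ConvertFrom-SecureString -SecureString $secure
    }
    $cfg | ConvertTo-Json -Depth 10 | Set-Content -LiteralPath $Path
}

# In the health check, resolve secrets at load time instead of reading them raw:
# $cfg = Get-Content -Raw config.json | ConvertFrom-Json
# $cxPassword = Resolve-CxSecret -Value $cfg.cx.password
```

Run `Protect-CxConfig` once as the account that will execute the health check; cipher text written by any other account (or on another machine) will fail to decrypt and be passed through as if it were plain text.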

CxRP commented

Why not use Windows Credential Manager to save the passwords?
https://gallery.technet.microsoft.com/scriptcenter/Accessing-Windows-7210ae91

They need to be saved into the same user context as that you are running Checkmarx services under. You can use a Microsoft tool to achieve this (https://docs.microsoft.com/en-gb/sysinternals/downloads/psexec).

I use it in the CxReporting Collector (C#) and have the following targets:

  • com.checkmarx.arm
  • com.checkmarx.sast
  • com.checkmarx.odata
  • com.checkmarx.smtp

e.g. To save the passwords, do the following:

```
psexec -i -u "nt authority\network service" cmd.exe
```

For the CxSAST password within the terminal:

```
cmdkey /generic:"com.checkmarx.sast" /user:"{CxSAST username}" /pass:"{CxSAST password}"
```

For the CxSAST OData password within the terminal:

```
cmdkey /generic:"com.checkmarx.odata" /user:"{CxSAST username}" /pass:"{CxSAST password}"
```

For the SMTP password within the terminal:

```
cmdkey /generic:"com.checkmarx.smtp" /user:"{smtp username}" /pass:"{smtp password}"
```

You could always add the username as a separate lookup if needed, for even more security.

Closing the issue, since the support for Credential Manager has been added.