elastic/fleet-server

Password Protected Fleet Keystore for Sensitive Credentials

Lokey92 opened this issue · 0 comments

Lokey92 commented

Describe the enhancement:
A more secure way to store sensitive credentials for enrollment purposes that can be utilized in an Ansible playbook (capable of automation).

Describe a specific use case for the enhancement or feature:
There's a common gotcha point when it comes to hardening in regards to exposed sensitive credentials. It's a potential blocking point if it can’t pass the security checks. While we are a ways out towards deploying with Fleet in production

The current process of Fleet enrollment with tls/ssl enabled involves a command that's like this:

elastic-agent enroll --force \
--url=https://fleethost.example.com:8220/ \
--fleet-server-es=https://eshost.example.com:9200/ \
--fleet-server-service-token=AAEAAWVsYXN0a2VAWERva2VuLTE2OTY4NzA3MDI4Njk6MGR0UXg2bXlROGlpQjNCOGR2ZHNjUQ \
--fleet-server-policy=fleet-server-policy \
--certificate-authorities=/etc/elastic-agent/example-cert-chain.pem \
--fleet-server-es-ca=/etc/elastic-agent/example-es-cert.crt \
--fleet-server-cert=/etc/elastic-agent/example-host-cert.crt \
--fleet-server-cert-key=/etc/elastic-agent/example-host-private-key.pem \
--fleet-server-cert-key-passphrase=/etc/elastic-agent/keypass \
--tag=fleet-host

The main point of concern is the passphrase is stored in a plaintext file.

--fleet-server-cert-key=/etc/elastic-agent/example-host-private-key.pem \
--fleet-server-cert-key-passphrase=/etc/elastic-agent/keypass

We are following the documented steps to secure it as a file within /etc/elastic-agent/ but would like to see the possibility of storing sensitive credentials similar to the elasticsearch keystore.

What is the definition of done?
The method of storing a private key password meets the criteria of OS & application hardening per STIGs

https://www.stigviewer.com/stig/general_purpose_operating_system_security_requirements_guide/2023-05-17/finding/V-203630
https://www.stigviewer.com/stig/general_purpose_operating_system_security_requirements_guide/2023-05-17/finding/V-203629
https://www.stigviewer.com/stig/application_security_requirements_guide/2011-12-28/finding/V-26924
https://www.stigviewer.com/stig/application_security_requirements_guide/2011-12-28/finding/V-26923
https://www.stigviewer.com/stig/application_security_and_development/2017-01-09/finding/V-70157