Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Libbeat] Security - fetch IMDSv2 token for add_cloud_metadata suppor… #28285

Merged
merged 6 commits into from
Oct 13, 2021
Merged

[Libbeat] Security - fetch IMDSv2 token for add_cloud_metadata suppor… #28285

merged 6 commits into from
Oct 13, 2021

Conversation

aspacca
Copy link

@aspacca aspacca commented Oct 6, 2021

…t on aws

Enanchment

What does this PR do?

Fetches IMDSv2 token in add_cloud_metadata processor for AWS and send it with the proper header to the identity url request

Why is it important?

It adds support for IMDSv2 on AWS enforcing security standard

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
    - [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

Run any beat built from this adding add_cloud_metadata processor an an EC2 instance with only IMDSv2 enabled and ensure that metadata request doesn't fail with a 401

Related issues

Closes #22101

Use cases

Screenshots

Logs

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 6, 2021
@mergify
Copy link
Contributor

mergify bot commented Oct 6, 2021

This pull request does not have a backport label. Could you fix it @aspacca? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

@mergify mergify bot added the backport-skip Skip notification from the automated backport with mergify label Oct 6, 2021
@aspacca aspacca added Team:Integrations Label for the Integrations team and removed backport-skip Skip notification from the automated backport with mergify labels Oct 6, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations (Team:Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 6, 2021
@aspacca aspacca requested a review from kaiyan-sheng October 6, 2021 14:26
@mergify
Copy link
Contributor

mergify bot commented Oct 6, 2021

This pull request does not have a backport label. Could you fix it @aspacca? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

@mergify mergify bot added the backport-skip Skip notification from the automated backport with mergify label Oct 6, 2021
@aspacca aspacca added backport-v7.16.0 Automated backport with mergify and removed backport-skip Skip notification from the automated backport with mergify labels Oct 6, 2021
@elasticmachine
Copy link
Collaborator

elasticmachine commented Oct 6, 2021

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2021-10-13T08:35:50.189+0000

  • Duration: 149 min 56 sec

  • Commit: fc33e85

Test stats 🧪

Test Results
Failed 0
Passed 53757
Skipped 5346
Total 59103

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

@mergify
Copy link
Contributor

mergify bot commented Oct 11, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b Libbeat-Security-Enable-IMDSv2-support upstream/Libbeat-Security-Enable-IMDSv2-support
git merge upstream/master
git push upstream Libbeat-Security-Enable-IMDSv2-support

Copy link
Contributor

@kaiyan-sheng kaiyan-sheng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good to me, just several small comments.

const ec2InstanceIMDSv2TokenValueHeader = "X-aws-ec2-metadata-token"
const ec2InstanceIMDSv2TokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
const ec2InstanceIMDSv2TokenTTLValue = "21600"
const ec2InstanceIMDSv2TokenURI = "/latest/api/token"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const ec2InstanceIMDSv2TokenURI = "/latest/api/token"
const (
ec2InstanceIdentityURI = "/2014-02-25/dynamic/instance-identity/document"
ec2InstanceIMDSv2TokenURI = "/latest/api/token"
ec2InstanceIMDSv2TokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
ec2InstanceIMDSv2TokenTTLValue = "21600"
ec2InstanceIMDSv2TokenURI = "/latest/api/token"
)

"net/http"

"github.com/elastic/beats/v7/libbeat/logp"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove the empty space


tlsConfig, err := tlscommon.LoadTLSConfig(config.TLS)
if err != nil {
logger.Warnf("error while getting IMDSv2 token: %s. No token in the metadata request will be used.", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.Warnf("error while getting IMDSv2 token: %s. No token in the metadata request will be used.", err)
logger.Warnf("error when load TLS config for getting IMDSv2 token: %s. No token in the metadata request will be used.", err)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the warning log messages are the same in the function. What do you think about adding more detail in the warning messages?

@aspacca aspacca merged commit 86decbd into elastic:master Oct 13, 2021
mergify bot pushed a commit that referenced this pull request Oct 13, 2021
#28285)

* [Libbeat] Security - fetch IMDSv2 token for add_cloud_metadata support on aws

(cherry picked from commit 86decbd)
aspacca pushed a commit that referenced this pull request Oct 14, 2021
…d_cloud_metadata suppor… (#28400)

* [Libbeat] Security - fetch IMDSv2 token for add_cloud_metadata support on aws

(cherry picked from commit 86decbd)
Icedroid pushed a commit to Icedroid/beats that referenced this pull request Nov 1, 2021
elastic#28285)

* [Libbeat] Security - fetch IMDSv2 token for add_cloud_metadata support on aws
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-v7.16.0 Automated backport with mergify Team:Integrations Label for the Integrations team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Security] Enable IMDSv2 support in Filebeat, Auditbeat and others
3 participants