Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implements x509 extended schema #762

Merged
merged 4 commits into from
Apr 30, 2020
Merged

Implements x509 extended schema #762

merged 4 commits into from
Apr 30, 2020

Conversation

dcode
Copy link
Contributor

@dcode dcode commented Feb 25, 2020

This intends to implement the common core fields of x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, I propose that it should be nested under file and include the hash object set as well. I also think it's reasonable for systems like packetbeat to log entries under client and server for the TLS metadata.

Related: #64

@dcode
Copy link
Contributor Author

dcode commented Feb 25, 2020

Here's a gist that shows data formats I considered that helped frame this approach.

@dcode
Copy link
Contributor Author

dcode commented Mar 20, 2020

Per elastic/kibana#60026, the SIEM currently uses the fields tls.server_certificate.issuer.common_name and tls.server.alternative_names from packetbeat to populate the TLS tab. The proposed schema already offers x509.alternatives_names, but we should update the subject and issuer fields to be objects split out into:

  • distinguished_name
  • common_name
  • organizational_unit
  • organization
  • province
  • country

@cla-checker-service
Copy link

cla-checker-service bot commented Mar 25, 2020

💚 CLA has been signed

@dcode dcode requested review from webmat, peasead and dainperkins March 25, 2020 13:42
@dcode dcode force-pushed the dcode/x509 branch 2 times, most recently from 948c2d2 to e3e16d2 Compare March 25, 2020 13:46
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work, thanks @dcode!

Noticed a bunch of little things to adjust, plus a few questions (feel free to answer those before making adjustments)

schemas/x509.yml Outdated Show resolved Hide resolved
schemas/x509.yml Outdated Show resolved Hide resolved
schemas/x509.yml Show resolved Hide resolved
schemas/x509.yml Outdated Show resolved Hide resolved
schemas/x509.yml Show resolved Hide resolved
schemas/x509.yml Show resolved Hide resolved
schemas/x509.yml Outdated Show resolved Hide resolved
schemas/x509.yml Outdated Show resolved Hide resolved
schemas/x509.yml Outdated Show resolved Hide resolved
schemas/x509.yml Show resolved Hide resolved
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, it's looking good. Just leaving you a couple of comments.

schemas/x509.yml Outdated Show resolved Hide resolved
schemas/x509.yml Show resolved Hide resolved
@dcode dcode force-pushed the dcode/x509 branch 2 times, most recently from c873c92 to 774e793 Compare April 15, 2020 15:43
@dcode dcode closed this Apr 15, 2020
@dcode dcode reopened this Apr 15, 2020
@dcode
Copy link
Contributor Author

dcode commented Apr 15, 2020

This PR is gross, and I'm sorry. I accidentally rebased against a stale branch earlier today and found myself cast into the pit of merge conflict dispair. Should be all striaghtened out now

// Unique serial number issued by the certificate authority. For
// consistency, if this value is alphanumeric, it should be formatted
// without colons and uppercase characters.
SerialNumber string `ecs:"serial_number"`

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per https://tools.ietf.org/html/rfc5280#section-4.1.2.2 this should always be an integer. String is still appropriate since it may be up to 20 octets, but I think we should specify that we expect a base10 string representation.

@andrewvc
Copy link

andrewvc commented Apr 15, 2020

Great stuff here, I'm working on support for this in Heartbeat in elastic/beats#17687 .

The only field not here that we'd use would be a sha1/sha256 hash of the DER encoded cert. This would be great for aggregation. While tls.hash and similar exist, it'd be nice to know this is the hash of the DER binary, and not, say a PEM file etc, which file.hash might do.

I don't think we need to block this issue on that FYI.

@andrewvc
Copy link

One other non-blocking change I'd recommend for a follow-up PR (which I'd be glad to contribute).

We could add chain_not_after, and chain_not_before which would contain the computed not_after/not_before based on the earliest/latest dates in the full chain, in case someone has a poorly setup CA issuing certs beyond its own lifetime.

@peasead
Copy link
Contributor

peasead commented Apr 16, 2020 via email

@andrewvc
Copy link

Having gone through the PR in detail, I think this is great where it is. I have some additive suggestions, but they don't need to be in this PR. I'm LGTM on merging this PR as-is, and following up with some additions.

Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after two minor rewordings, see comments below.

Please let me merge this, as we're still waiting for an official thumbs up from the SIEM UI point of view. I want to make sure this is reviewed from their POV so we don't have surprises there a second time.

@tsg you initially pinged me about the UI issues when tls got merged in ECS. Could you review this from the UI point of view, or point me to the person who will do the TLS view adjustments based on this new field set?

group: 2
short_description: These fields contain x509 certificate metadata.
description: >
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions,
These fields contain x509 certificate metadata. This information is likely logged with TLS sessions,

The current first sentence reads like a PR body ("we're implementing this"). Let's just reuse the short definition as the first sentence instead. The short and description are never displayed in the same place, so it's fine to reuse it as is.

type: keyword
normalize:
- array
description: List of state or province names (ST, S, or P)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should spell out more explicitly here that "any of the ST, S or P entries are to be added to this array.

Current description is perfect for a short description. Then the new description could read like.

Suggested change
description: List of state or province names (ST, S, or P)
short: List of state or province names (ST, S, or P)
description: List of state or province names.
All `ST`, `S` or `P` attributes should be added to the `x509.subject.state_or_province` array.

schemas/x509.yml Show resolved Hide resolved
@webmat webmat requested a review from tsg April 21, 2020 14:50
@webmat webmat mentioned this pull request Apr 23, 2020
andrewvc added a commit to elastic/beats that referenced this pull request Apr 27, 2020
Work in support of elastic/uptime#161

This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS.

Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on.

This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well.

```json
{
	"tls": {
		"certificate_not_valid_after": "2020-07-16T03:15:39Z",
		"certificate_not_valid_before": "2019-08-16T01:40:25Z",
		"server": {
			"hash": {
				"sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1",
				"sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d"
			},
			"x509": {
				"issuer": {
					"common_name": "GlobalSign CloudSSL CA - SHA256 - G3",
					"distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE"
				},
				"not_after": "2020-07-16T03:15:39Z",
				"not_before": "2019-08-16T01:40:25Z",
				"public_key_algorithm": "RSA",
				"public_key_size": 2048,
				"serial_number": "26610543540289562361990401194",
				"signature_algorithm": "SHA256-RSA",
				"subject": {
					"common_name": "r2.shared.global.fastly.net",
					"distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US"
				}
			}
		}
	}
}
```

## How to test this PR locally

Run against TLS/Non-TLS endpoints
andrewvc added a commit to andrewvc/beats that referenced this pull request Apr 27, 2020
Work in support of elastic/uptime#161

This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS.

Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on.

This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well.

```json
{
	"tls": {
		"certificate_not_valid_after": "2020-07-16T03:15:39Z",
		"certificate_not_valid_before": "2019-08-16T01:40:25Z",
		"server": {
			"hash": {
				"sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1",
				"sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d"
			},
			"x509": {
				"issuer": {
					"common_name": "GlobalSign CloudSSL CA - SHA256 - G3",
					"distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE"
				},
				"not_after": "2020-07-16T03:15:39Z",
				"not_before": "2019-08-16T01:40:25Z",
				"public_key_algorithm": "RSA",
				"public_key_size": 2048,
				"serial_number": "26610543540289562361990401194",
				"signature_algorithm": "SHA256-RSA",
				"subject": {
					"common_name": "r2.shared.global.fastly.net",
					"distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US"
				}
			}
		}
	}
}
```

## How to test this PR locally

Run against TLS/Non-TLS endpoints

(cherry picked from commit eb2dc26)
andrewvc added a commit to elastic/beats that referenced this pull request Apr 29, 2020
#18029)

* [Heartbeat] Add Additional ECS tls.* fields (#17687)

Work in support of elastic/uptime#161

This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS.

Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on.

This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well.

```json
{
	"tls": {
		"certificate_not_valid_after": "2020-07-16T03:15:39Z",
		"certificate_not_valid_before": "2019-08-16T01:40:25Z",
		"server": {
			"hash": {
				"sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1",
				"sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d"
			},
			"x509": {
				"issuer": {
					"common_name": "GlobalSign CloudSSL CA - SHA256 - G3",
					"distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE"
				},
				"not_after": "2020-07-16T03:15:39Z",
				"not_before": "2019-08-16T01:40:25Z",
				"public_key_algorithm": "RSA",
				"public_key_size": 2048,
				"serial_number": "26610543540289562361990401194",
				"signature_algorithm": "SHA256-RSA",
				"subject": {
					"common_name": "r2.shared.global.fastly.net",
					"distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US"
				}
			}
		}
	}
}
```


Run against TLS/Non-TLS endpoints

(cherry picked from commit eb2dc26)

* Use non-wildcard field for text

* Remove wildcard type
Copy link
Contributor

@tsg tsg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 this should be good for the SIEM app. issuer.common_name and subject.common_name are the ones that we were missing.

@webmat webmat merged commit 8183908 into elastic:master Apr 30, 2020
@dcode dcode deleted the dcode/x509 branch April 30, 2020 18:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants