-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implements x509 extended schema #762
Conversation
Here's a gist that shows data formats I considered that helped frame this approach. |
Per elastic/kibana#60026, the SIEM currently uses the fields
|
💚 CLA has been signed |
948c2d2
to
e3e16d2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good work, thanks @dcode!
Noticed a bunch of little things to adjust, plus a few questions (feel free to answer those before making adjustments)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, it's looking good. Just leaving you a couple of comments.
c873c92
to
774e793
Compare
This PR is gross, and I'm sorry. I accidentally rebased against a stale branch earlier today and found myself cast into the pit of merge conflict dispair. Should be all striaghtened out now |
// Unique serial number issued by the certificate authority. For | ||
// consistency, if this value is alphanumeric, it should be formatted | ||
// without colons and uppercase characters. | ||
SerialNumber string `ecs:"serial_number"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per https://tools.ietf.org/html/rfc5280#section-4.1.2.2 this should always be an integer. String is still appropriate since it may be up to 20 octets, but I think we should specify that we expect a base10 string representation.
Great stuff here, I'm working on support for this in Heartbeat in elastic/beats#17687 . The only field not here that we'd use would be a sha1/sha256 hash of the DER encoded cert. This would be great for aggregation. While I don't think we need to block this issue on that FYI. |
One other non-blocking change I'd recommend for a follow-up PR (which I'd be glad to contribute). We could add |
Good point, Andrew.
We had a federal customer who had a need for this kind of field recently.
On Thu, Apr 16, 2020 at 6:48 AM Andrew Cholakian ***@***.***> wrote:
One other non-blocking change I'd recommend for a follow-up PR (which I'd
be glad to contribute).
We could add chain_not_after, and chain_not_before which would contain
the computed not_after/not_before based on the earliest/latest dates in
the full chain, in case someone has a poorly setup CA issuing certs beyond
its own lifetime.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#762 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABYY5K5IOYNQ7XVL6E3RTCLRM3WCBANCNFSM4K3J2OXA>
.
--
*---*
*Andrew D. Pease*
Senior Manager, Consulting
m: 314.749.4249
[email protected]
|
Having gone through the PR in detail, I think this is great where it is. I have some additive suggestions, but they don't need to be in this PR. I'm LGTM on merging this PR as-is, and following up with some additions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM after two minor rewordings, see comments below.
Please let me merge this, as we're still waiting for an official thumbs up from the SIEM UI point of view. I want to make sure this is reviewed from their POV so we don't have surprises there a second time.
@tsg you initially pinged me about the UI issues when tls
got merged in ECS. Could you review this from the UI point of view, or point me to the person who will do the TLS view adjustments based on this new field set?
group: 2 | ||
short_description: These fields contain x509 certificate metadata. | ||
description: > | ||
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, | |
These fields contain x509 certificate metadata. This information is likely logged with TLS sessions, |
The current first sentence reads like a PR body ("we're implementing this"). Let's just reuse the short
definition as the first sentence instead. The short
and description
are never displayed in the same place, so it's fine to reuse it as is.
type: keyword | ||
normalize: | ||
- array | ||
description: List of state or province names (ST, S, or P) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps we should spell out more explicitly here that "any of the ST
, S
or P
entries are to be added to this array.
Current description is perfect for a short
description. Then the new description
could read like.
description: List of state or province names (ST, S, or P) | |
short: List of state or province names (ST, S, or P) | |
description: List of state or province names. | |
All `ST`, `S` or `P` attributes should be added to the `x509.subject.state_or_province` array. |
Work in support of elastic/uptime#161 This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS. Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on. This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well. ```json { "tls": { "certificate_not_valid_after": "2020-07-16T03:15:39Z", "certificate_not_valid_before": "2019-08-16T01:40:25Z", "server": { "hash": { "sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1", "sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d" }, "x509": { "issuer": { "common_name": "GlobalSign CloudSSL CA - SHA256 - G3", "distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE" }, "not_after": "2020-07-16T03:15:39Z", "not_before": "2019-08-16T01:40:25Z", "public_key_algorithm": "RSA", "public_key_size": 2048, "serial_number": "26610543540289562361990401194", "signature_algorithm": "SHA256-RSA", "subject": { "common_name": "r2.shared.global.fastly.net", "distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US" } } } } } ``` ## How to test this PR locally Run against TLS/Non-TLS endpoints
Work in support of elastic/uptime#161 This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS. Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on. This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well. ```json { "tls": { "certificate_not_valid_after": "2020-07-16T03:15:39Z", "certificate_not_valid_before": "2019-08-16T01:40:25Z", "server": { "hash": { "sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1", "sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d" }, "x509": { "issuer": { "common_name": "GlobalSign CloudSSL CA - SHA256 - G3", "distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE" }, "not_after": "2020-07-16T03:15:39Z", "not_before": "2019-08-16T01:40:25Z", "public_key_algorithm": "RSA", "public_key_size": 2048, "serial_number": "26610543540289562361990401194", "signature_algorithm": "SHA256-RSA", "subject": { "common_name": "r2.shared.global.fastly.net", "distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US" } } } } } ``` ## How to test this PR locally Run against TLS/Non-TLS endpoints (cherry picked from commit eb2dc26)
#18029) * [Heartbeat] Add Additional ECS tls.* fields (#17687) Work in support of elastic/uptime#161 This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS. Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on. This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well. ```json { "tls": { "certificate_not_valid_after": "2020-07-16T03:15:39Z", "certificate_not_valid_before": "2019-08-16T01:40:25Z", "server": { "hash": { "sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1", "sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d" }, "x509": { "issuer": { "common_name": "GlobalSign CloudSSL CA - SHA256 - G3", "distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE" }, "not_after": "2020-07-16T03:15:39Z", "not_before": "2019-08-16T01:40:25Z", "public_key_algorithm": "RSA", "public_key_size": 2048, "serial_number": "26610543540289562361990401194", "signature_algorithm": "SHA256-RSA", "subject": { "common_name": "r2.shared.global.fastly.net", "distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US" } } } } } ``` Run against TLS/Non-TLS endpoints (cherry picked from commit eb2dc26) * Use non-wildcard field for text * Remove wildcard type
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 this should be good for the SIEM app. issuer.common_name
and subject.common_name
are the ones that we were missing.
This intends to implement the common core fields of x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, I propose that it should be nested under
file
and include thehash
object set as well. I also think it's reasonable for systems like packetbeat to log entries underclient
andserver
for the TLS metadata.Related: #64