
f5-security-hub-extension's Introduction

F5 Security Hub Extension

Introduction

The F5 Security Hub Extension is a BIG-IP iControl LX Extension for posting ASM log events to AWS Security Hub. AWS Security Hub provides a database and dashboard for managing security event notifications across an AWS Cloud deployment.

This extension is community supported.

Requirements

BIG-IP VE 14.0 or later running on EC2

BIG-IP 13.1 will work, but the logging profile must be created manually in TMSH; see the issue below on logging profile creation failure.

Docs

For installation and usage instructions, see the ./docs folder

Building

This package works with icrdk, which can be found here: https://github.com/f5devcentral/f5-icontrollx-dev-kit

From the root directory, running icrdk build will place a built RPM inside the ./build directory.

The package can be deployed like any other iControl LX extension, or, after configuring a local devconfig.json, it can be deployed with icrdk deploy.

f5-security-hub-extension's People

Contributors

zinkem5

Watchers

James Cloos, Jason Rahm, Alex Applebaum, Hitesh Patel, Jon Calalang

f5-security-hub-extension's Issues

Fail to build the package using icrdk

I followed the instructions to use icrdk build from the root directory, which produces an RPM file with a size of 16k, which is far from the released version.
And importing the 16k package will not make any change on BIG-IP.
Are there any extra steps that need to be performed? Or is there an alternative way to build the package?

refreshtoken interval

ISSUE TYPE
  • Bug Report
VERSION
f5-securityhub-0.9.3-1.noarch.rpm
BIGIP VERSION
# tmsh show sys ver

Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.0.3
  Build       0.0.6
  Edition     Point Release 3
  Date        Mon Mar 25 17:15:27 PDT 2019

SUMMARY

Some of my logs fail to be sent to Security Hub. Checking the restnoded logs, I see that the token is expired.

Ideally, refreshtoken interval needs to be shorter than the expiry time. What is the expected token validity duration? Logs are below.

EXPECTED RESULTS

no error when sending logs to security hub

ACTUAL RESULTS

Error "The security token included in the request is expired" when trying to send logs to Security hub. Looks like startTokenRefresh is set to 8 hours.

cat /var/log/restnoded/restnoded.log | grep -i token

Sun, 26 May 2019 23:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Sun, 26 May 2019 23:32:41 GMT - fine: Security Token Fetched
Sun, 26 May 2019 23:51:28 GMT - fine: [SecurityHub] Renewing AWS Token
Sun, 26 May 2019 23:51:28 GMT - fine: Security Token Fetched
Mon, 27 May 2019 05:50:26 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:50:49 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:51:39 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:52:49 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 07:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 07:32:41 GMT - fine: Security Token Fetched
Mon, 27 May 2019 15:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 15:32:41 GMT - fine: Security Token Fetched
Mon, 27 May 2019 23:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 23:32:41 GMT - fine: Security Token Fetched

aws iam get-role --role-name BIGIPSecurityHubRole

{
    "Role": {
        "Description": "Allows EC2 instances to call AWS services on your behalf.", 
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        }, 
        "MaxSessionDuration": 3600, 
        "RoleId": "AAA", 
        "CreateDate": "2019-04-22T04:26:24Z", 
        "RoleName": "BIGIPSecurityHubRole", 
        "Path": "/", 
        "Arn": "arn:aws:iam::##:role/BIGIPSecurityHubRole"
    }
}

The session duration is set to the default 1 hr. However, when I grab the creds, the expiration is about 6 hrs after LastUpdated... not sure why, but an 8 hr interval for refreshtoken will likely result in some expired token errors. Some options are to extend the session duration to 12 hrs or to make the refreshtoken interval shorter.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/BIGIPSecurityHubRole

{
  "Code" : "Success",
  "LastUpdated" : "2019-05-28T02:12:02Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AAA",
  "SecretAccessKey" : "XXX",
  "Token" : "XXX",
  "Expiration" : "2019-05-28T08:33:22Z"
}
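The log excerpt above shows the gap the reporter describes: the token fetched at 23:51:28 starts failing at 05:50:26, roughly six hours later, while the fixed 8-hour timer does not fire until 07:32:41. The role's MaxSessionDuration governs sts:AssumeRole sessions, not the credentials IMDS vends for an instance profile, so the only reliable signal for when to refresh is the Expiration field in the IMDS document itself. The following is an added example (not the extension's own code) that parses the IMDS credential document quoted above, measures the issued lifetime, shows why a fixed 8-hour interval outlives it, and schedules the next refresh from Expiration with a safety margin. The five-minute margin, the function names and the injected scheduler are assumptions for illustration; the sample document is constructed from the one in the issue.

```javascript
// Added example (not the extension's own code): refresh AWS credentials based on the
// Expiration the instance metadata service (IMDS) returns, not on a fixed timer.
// The sample document is constructed from the one quoted in the issue.
const SAMPLE_IMDS_DOCUMENT = JSON.stringify({
  Code: "Success",
  LastUpdated: "2019-05-28T02:12:02Z",
  Type: "AWS-HMAC",
  AccessKeyId: "AAA",
  SecretAccessKey: "XXX",
  Token: "XXX",
  Expiration: "2019-05-28T08:33:22Z",
});

const HOUR_MS = 60 * 60 * 1000;
const FIXED_REFRESH_INTERVAL_MS = 8 * HOUR_MS; // the interval the issue reports
const REFRESH_MARGIN_MS = 5 * 60 * 1000;       // assumed margin: refresh this long before expiry

// Parse an IMDS credential document and validate the fields the refresh logic depends on.
function parseImdsCredentials(body) {
  const doc = JSON.parse(body);
  if (doc.Code !== "Success") {
    throw new Error(`IMDS returned Code=${doc.Code}`);
  }
  const expiration = Date.parse(doc.Expiration);
  const lastUpdated = Date.parse(doc.LastUpdated);
  if (Number.isNaN(expiration) || Number.isNaN(lastUpdated)) {
    throw new Error("IMDS document has an unparseable timestamp");
  }
  return {
    accessKeyId: doc.AccessKeyId,
    secretAccessKey: doc.SecretAccessKey,
    sessionToken: doc.Token,
    lastUpdated,
    expiration,
  };
}

// Lifetime of the credentials as issued, in milliseconds (LastUpdated to Expiration).
function credentialLifetimeMs(creds) {
  return creds.expiration - creds.lastUpdated;
}

// True when a fixed-interval timer started at the last fetch would fire only after
// the credentials have already expired, i.e. every request in between is rejected.
function fixedIntervalOutlivesToken(creds, intervalMs) {
  return creds.lastUpdated + intervalMs > creds.expiration;
}

// Milliseconds to wait before the next refresh: marginMs before Expiration,
// clamped to zero when we are already inside the margin (refresh immediately).
function msUntilRefresh(creds, nowMs, marginMs = REFRESH_MARGIN_MS) {
  return Math.max(0, creds.expiration - marginMs - nowMs);
}

// True when a request signed with these credentials would be rejected as expired.
function isExpired(creds, nowMs) {
  return nowMs >= creds.expiration;
}

// One turn of a refresh loop. fetchFn returns the raw IMDS body, nowFn the current
// time, schedule is a setTimeout-compatible function (injected so the loop can be
// driven without real timers), and onCreds receives the parsed credentials.
// Returns the delay chosen for the next refresh.
function startRefreshLoop(fetchFn, nowFn, schedule, onCreds) {
  const creds = parseImdsCredentials(fetchFn());
  onCreds(creds);
  const delay = msUntilRefresh(creds, nowFn());
  schedule(() => startRefreshLoop(fetchFn, nowFn, schedule, onCreds), delay);
  return delay;
}
```

For the quoted document the lifetime comes out at 6 h 21 m 20 s, so the 8-hour timer fires about 1 h 40 m after expiry; computing the delay from Expiration instead removes the dependency on whatever lifetime the instance profile happens to issue.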

Failed to create logging profile

ISSUE TYPE
  • Bug Report
VERSION
f5-securityhub-0.9.3-1.noarch.rpm
BIGIP VERSION
# tmsh show sys ver

Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.0.2
  Build       0.0.6
  Edition     Point Release 2
  Date        Tue Jan 16 08:46:28 PST 2018

SUMMARY

It seems the tmsh command being issued does not have the right syntax, so the logging profile does not get created automatically.

There is no "logger-type" property AFAICT.
Checked the schema:
(tmos)# help security log profile

STEPS TO REPRODUCE
  1. Download latest release 0.9.3, import into BIG-IP in iApps > Package Management LX
  2. monitor /var/log/restnoded/restnoded.log
EXPECTED RESULTS

logging profile automatically created

ACTUAL RESULTS

from /var/log/restnoded/restnoded.log

Sat, 25 May 2019 13:53:16 GMT - config: [RestWorker] /shared/securityhub has started. Name:SecurityHubWorker
Sat, 25 May 2019 13:53:16 GMT - fine: {"code":500,"message":"Invalid chunk size: '{'  ByteBuffer contents: 'HTTP/1.1 200 OK\r\nDate: Sat May 25 22:53:16 2019\r\nCache-Control: no-cache\r\nServer: f5.rest.RestServer\r\nConnection: keep-alive\r\nContent-Type: application/json\r\nAllow: \r\nX-F5-Config-Api-Status: 1907\r\nContent-Length: 1079\r\n\r\n{\"kind\":\"tm:util:bash:runstate\",\"command\":\"run\",\"utilCmdArgs\":\"-c \\\"tmsh create security log profile securityhub-logger application add { securityhub-logger-app { logger-type remote remote-storage remote format { field-delimiter , fields { attack_type blocking_exception_reason captcha_result client_type date_time dest_ip dest_port device_id geo_location http_class_name ip_address_intelligence ip_client ip_with_route_domain is_truncated login_result management_ip_address method mobile_application_name mobile_application_version policy_apply_date policy_name protocol query_string request request_status response response_code route_domain session_id severity sig_ids sig_names sig_set_names src_port staged_sig_ids staged_sig_names staged_sig_set_names sub_violations support_id unit_hostname uri username violation_details violation_rating violations virus_name websocket_direction websocket_message_type x_forwarded_for_header_value  } } servers add { 127.0.0.1:8514 } format { field-format none } } }\\\"\",\"commandResult\":\"Syntax Error: \\\"logger-type\\\" unknown property\\n\"}'","referer":"/127.0.0.1:33100","restOperationId":1501805,"kind":":resterrorresponse"}
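Both issues on this page surface in /var/log/restnoded/restnoded.log, and both are easy to miss because restnoded logs them at level "fine". The tmsh failure is doubly buried: the RestWorker error is a JSON object whose message field carries a raw HTTP response, and the body of that response is another JSON object whose commandResult holds the actual tmsh syntax error. The following is an added example (not the extension's own code) that parses restnoded lines, flags expired-token posts together with the time elapsed since the last successful token fetch, and digs the tmsh command and its result out of the nested error. The log lines are constructed from the excerpts quoted in the two issues; the RestWorker error is shortened but keeps the same nesting, and the function names are assumptions for illustration.

```javascript
// Added example (not the extension's own code): triage restnoded.log for the two
// failures reported in the issues. Sample lines are constructed from the quoted
// excerpts; the RestWorker error keeps its JSON-in-HTTP-in-JSON shape but is shortened.
const SAMPLE_LOG = [
  "Sat, 25 May 2019 13:53:16 GMT - config: [RestWorker] /shared/securityhub has started. Name:SecurityHubWorker",
  "Sat, 25 May 2019 13:53:16 GMT - fine: " + JSON.stringify({
    code: 500,
    message: "Invalid chunk size: '{'  ByteBuffer contents: 'HTTP/1.1 200 OK\r\n" +
      "Server: f5.rest.RestServer\r\nContent-Type: application/json\r\n\r\n" +
      JSON.stringify({
        kind: "tm:util:bash:runstate",
        command: "run",
        utilCmdArgs: "-c \"tmsh create security log profile securityhub-logger application add { securityhub-logger-app { logger-type remote } }\"",
        commandResult: "Syntax Error: \"logger-type\" unknown property\n",
      }) + "'",
    kind: ":resterrorresponse",
  }),
  "Sun, 26 May 2019 23:51:28 GMT - fine: [SecurityHub] Renewing AWS Token",
  "Sun, 26 May 2019 23:51:28 GMT - fine: Security Token Fetched",
  "Mon, 27 May 2019 05:50:26 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired",
  "Mon, 27 May 2019 07:32:41 GMT - fine: [SecurityHub] Renewing AWS Token",
  "Mon, 27 May 2019 07:32:41 GMT - fine: Security Token Fetched",
];

// restnoded line layout: "<RFC 1123 timestamp> - <level>: <message>"
const LINE_RE = /^(\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} GMT) - (\w+): (.*)$/;
const EXPIRED_TOKEN_TEXT = "The security token included in the request is expired";

// Split one line into timestamp (ms since epoch), level and message; null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), level: m[2], msg: m[3] };
}

// If msg is a REST error whose message wraps a raw HTTP response, return the tmsh
// command and commandResult from the JSON body of that response, else null.
function extractTmshResult(msg) {
  let err;
  try { err = JSON.parse(msg); } catch (e) { return null; }
  if (!err || typeof err.message !== "string") return null;
  const sep = err.message.indexOf("\r\n\r\n");   // end of the embedded HTTP headers
  if (sep < 0) return null;
  let body = err.message.slice(sep + 4);
  if (body.endsWith("'")) body = body.slice(0, -1); // closing quote of "ByteBuffer contents: '...'"
  let inner;
  try { inner = JSON.parse(body); } catch (e) { return null; }
  if (inner.kind !== "tm:util:bash:runstate") return null;
  const result = typeof inner.commandResult === "string" ? inner.commandResult : "";
  return {
    command: inner.utilCmdArgs,
    result: result.trim(),
    syntaxError: /^Syntax Error/.test(result),
  };
}

// Walk the log in file order and report the two failure modes.
function triage(lines) {
  const findings = [];
  let lastFetch = null;
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (ev.msg === "Security Token Fetched") {
      lastFetch = ev.ts;
      continue;
    }
    if (ev.msg.includes(EXPIRED_TOKEN_TEXT)) {
      findings.push({
        kind: "expired-token",
        ts: ev.ts,
        msSinceLastFetch: lastFetch === null ? null : ev.ts - lastFetch,
      });
      continue;
    }
    const tmsh = extractTmshResult(ev.msg);
    if (tmsh && tmsh.syntaxError) {
      findings.push({ kind: "tmsh-syntax-error", ts: ev.ts, command: tmsh.command, result: tmsh.result });
    }
  }
  return findings;
}
```

Run over the constructed sample, triage reports the tmsh syntax error with its command text, and an expired-token post 5 h 58 m 58 s after the last successful fetch, which is the figure to compare against the credential lifetime when deciding how short the refresh interval has to be.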
