ISSUE TYPE
VERSION
f5-securityhub-0.9.3-1.noarch.rpm
BIGIP VERSION
# tmsh show sys ver
Sys::Version
Main Package
Product BIG-IP
Version 14.1.0.3
Build 0.0.6
Edition Point Release 3
Date Mon Mar 25 17:15:27 PDT 2019
SUMMARY
Some of my logs fail to be sent to Security Hub. Checking the restnoded logs, I see that the token is expired.
Ideally, the refreshtoken interval needs to be shorter than the expiry time. What is the expected token validity duration? Logs are below.
EXPECTED RESULTS
No error when sending logs to Security Hub.
ACTUAL RESULTS
Error "The security token included in the request is expired" when trying to send logs to Security Hub. Looks like startTokenRefresh is set to 8 hours.
cat /var/log/restnoded/restnoded.log | grep -i token
Sun, 26 May 2019 23:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Sun, 26 May 2019 23:32:41 GMT - fine: Security Token Fetched
Sun, 26 May 2019 23:51:28 GMT - fine: [SecurityHub] Renewing AWS Token
Sun, 26 May 2019 23:51:28 GMT - fine: Security Token Fetched
Mon, 27 May 2019 05:50:26 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:50:49 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:51:39 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 05:52:49 GMT - fine: [SecurityHub] AFF Post: message=The security token included in the request is expired
Mon, 27 May 2019 07:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 07:32:41 GMT - fine: Security Token Fetched
Mon, 27 May 2019 15:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 15:32:41 GMT - fine: Security Token Fetched
Mon, 27 May 2019 23:32:41 GMT - fine: [SecurityHub] Renewing AWS Token
Mon, 27 May 2019 23:32:41 GMT - fine: Security Token Fetched
aws iam get-role --role-name BIGIPSecurityHubRole
{
    "Role": {
        "Description": "Allows EC2 instances to call AWS services on your behalf.",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "MaxSessionDuration": 3600,
        "RoleId": "AAA",
        "CreateDate": "2019-04-22T04:26:24Z",
        "RoleName": "BIGIPSecurityHubRole",
        "Path": "/",
        "Arn": "arn:aws:iam::##:role/BIGIPSecurityHubRole"
    }
}
The session duration is set to the default 1 hr. However, when I grab the creds, expiration is about 6 hrs after lastupdated... not sure why, but an 8 hr interval for refreshtoken will likely result in some expired token errors. Some options are to extend the session duration to 12 hrs or try making the refreshtoken interval shorter.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/BIGIPSecurityHubRole
{
  "Code" : "Success",
  "LastUpdated" : "2019-05-28T02:12:02Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AAA",
  "SecretAccessKey" : "XXX",
  "Token" : "XXX",
  "Expiration" : "2019-05-28T08:33:22Z"
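
An added example, not part of the original report and not the f5-securityhub code: one way to schedule the credential refresh from the `Expiration` field of the metadata response rather than from a fixed 8-hour timer. The function names, the 15-minute margin, the 1-minute retry floor and the `fetchCreds`/`onCreds` callbacks are assumptions; the sample timestamps are the ones shown above, treating `LastUpdated` as the fetch time.

```javascript
// Added example: derive the refresh delay from the Expiration field
// of the instance metadata response instead of a fixed timer.
const FIXED_INTERVAL_MS = 8 * 60 * 60 * 1000; // 8 h interval from the report
const SAFETY_MARGIN_MS = 15 * 60 * 1000;      // assumed: refresh 15 min early
const MIN_DELAY_MS = 60 * 1000;               // assumed floor between attempts

// Timestamps as shown in the report; key material is a placeholder.
const sampleCreds = {
  Code: 'Success',
  LastUpdated: '2019-05-28T02:12:02Z',
  AccessKeyId: 'AAA',
  SecretAccessKey: 'XXX',
  Token: 'XXX',
  Expiration: '2019-05-28T08:33:22Z'
};

// Milliseconds to wait before the next refresh.
function nextRefreshDelayMs(creds, nowMs, marginMs = SAFETY_MARGIN_MS) {
  const expiresAt = Date.parse(creds.Expiration);
  if (creds.Code !== 'Success' || Number.isNaN(expiresAt)) {
    return MIN_DELAY_MS; // unusable response: retry soon
  }
  return Math.max(expiresAt - marginMs - nowMs, MIN_DELAY_MS);
}

// Time a fixed-interval timer would keep presenting an expired token.
function expiredWindowMs(creds, fetchedAtMs, intervalMs = FIXED_INTERVAL_MS) {
  return Math.max(fetchedAtMs + intervalMs - Date.parse(creds.Expiration), 0);
}

// Hypothetical wiring: fetchCreds() resolves to the parsed metadata
// response, onCreds(creds) hands fresh credentials to the sender.
function scheduleRefresh(fetchCreds, onCreds, setTimer = setTimeout) {
  const tick = async () => {
    let delay = MIN_DELAY_MS;
    try {
      const creds = await fetchCreds();
      if (creds.Code === 'Success') onCreds(creds);
      delay = nextRefreshDelayMs(creds, Date.now());
    } catch (err) {
      // fetch failed: keep the current credentials and retry after the floor
    }
    return setTimer(tick, delay);
  };
  return tick();
}
```

With the timestamps above, the expiry-based delay is 21,980 s (about 6 h 6 min), while a fixed 8-hour timer would leave an expired token in use for 5,920 s (about 1 h 39 min).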