I am wondering if `ssl_certificate_authorities` supports what I am looking for. Short overview: in Logstash (beats) inputs, you can enable normal TLS encryption to prevent wiretapping and to ensure that the (beats) client only sends logs to the authentic Logstash server. The other way around is also supported with client certificates. Here the Logstash server checks that only allowed clients can log. Now let's consider that we have hosts which are potentially compromised (in a DMZ, for example). Such a host with client certificates is allowed to log. In fact, a compromised host could log anything it wants, also in the name of other hosts. This leads to the situation that you have no idea which event/document in Elasticsearch you can trust and which not, when starting from the assumption that one or more hosts which are allowed to log are compromised. This is not ideal, to say the least. My thought was that client certificates should be exactly there to prevent this.
The question is, how can I ensure that the `host` field of an event/document which is logged is authentic and cannot be spoofed?
My idea is that the Logstash input plugin needs to provide what other TLS server implementations know as `$ssl_client_s_dn` (ref: Nginx http ssl module). This way, it could be checked in a Logstash filter whether the event `host` field matches the host for which the client certificate is issued.
(Another idea is to provide the source IP address of the log client as a metadata field in Logstash and then use this, but this would require trusting the network, which is a bad idea.)
PS: I already researched similar questions here on discuss.elastic.co and elsewhere without having my issue addressed. The only explicit reference to something like `$ssl_client_s_dn` is in https://github.com/logstash-plugins/logstash-input-beats/issues/265: "One way, to authenticate Beats using certificates from such CAs would be to, firstly, verify that the Beat host name matches the one written on the certificate (if it doesn't already accomplish it as of today – I don't know as it isn't written in the guide that such a check exists)".
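The check the post asks for, written as an added example in the shape of a Logstash `ruby` filter script (this is not code from the original post or from the logstash-input-beats project). It assumes the input exposes the client certificate's subject DN in a metadata field, here the hypothetical `[@metadata][tls_peer][subject]`, and that Beats populates `[host][name]`; the CN of the subject is compared with the host name and mismatching events are tagged rather than dropped, so they remain visible for investigation.

```ruby
# Extract the CN from an RFC 4514-style subject DN such as
# "CN=web01.example.com,OU=DMZ,O=Example". Commas escaped with a
# backslash inside attribute values are preserved. Returns nil if no CN.
def cn_from_dn(dn)
  return nil if dn.nil? || dn.empty?
  # Split on commas that are not preceded by a backslash.
  dn.split(/(?<!\\),/).each do |rdn|
    key, value = rdn.strip.split("=", 2)
    next unless key && value
    return value.gsub(/\\(.)/, '\1') if key.strip.casecmp?("CN")
  end
  nil
end

# True when the event's host name is vouched for by the presented client
# certificate. Host names compare case-insensitively; a trailing dot is
# ignored. A missing certificate or missing host never matches.
def host_matches_cert?(host_name, subject_dn)
  cn = cn_from_dn(subject_dn)
  return false if cn.nil? || host_name.nil?
  normalize = ->(h) { h.to_s.strip.downcase.chomp(".") }
  normalize.call(cn) == normalize.call(host_name)
end

# Logstash ruby-filter entry point (used via `ruby { path => "..." }`).
# Tags events whose host field does not match the client certificate.
def filter(event)
  subject = event.get("[@metadata][tls_peer][subject]") # assumed field name
  unless host_matches_cert?(event.get("[host][name]"), subject)
    event.tag("host_spoof_suspected")
  end
  [event]
end
```

Tagged events can then be routed or alerted on downstream; note that this only proves the sender holds the certificate, so per-host certificates (not a shared one) are required for the comparison to mean anything.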