Secure redis communications with TLS

Logan L · Logan L · commit d1b43d6a6965 · 2020-11-03T18:46:15.000-07:00
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,3 @@
-[submodule "shell-lib"]
-	path = shell-lib
+[submodule "scripts/shell-lib"]
+	path = scripts/shell-lib
 	url = git@github.com:activecm/shell-lib.git
diff --git a/agent/install-sysmon-beats.ps1 b/agent/install-sysmon-beats.ps1
@@ -154,6 +154,9 @@ winlogbeat.event_logs:
 output.redis:
   hosts:
     - ${RedisHost}:${RedisPort}
+  ssl:
+    enabled: true
+    verification_mode: none
   key: "net-data:sysmon"
   password: `"`${REDIS_PASSWORD}`"
 "@ > winlogbeat.yml
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,6 +10,7 @@ services:
       #net.ipv4.tcp_max_syn_backlog: 512 works on ubuntu 18, but not 16
     ports:
       - "${ESPY_REDIS_PORT:-6379}:6379"
+    entrypoint: ""
     command: ["redis-server", "/etc/espy/redis.conf"]
 
   espy:
@@ -25,4 +26,5 @@ services:
 #    image: redis:6.0
 #    volumes:
 #      - ${ESPY_CONFIG_DIR:-/etc/espy}:/etc/espy
+#    entrypoint: ""
 #    command: ["redis-cli", "-h", "redis-server"]
diff --git a/espy.sh b/espy.sh
@@ -12,8 +12,8 @@ if [ ! -w "/var/run/docker.sock" -o ! -r ".env" ]; then
 fi
 
 # Check for pre-requisites
-shell-lib/docker/check_docker.sh || echo "You do not have a supported version of Docker installed."
-shell-lib/docker/check_docker-compose.sh || echo "You do not have a supported version of Docker-Compose installed."
+scripts/shell-lib/docker/check_docker.sh || echo "You do not have a supported version of Docker installed."
+scripts/shell-lib/docker/check_docker-compose.sh || echo "You do not have a supported version of Docker-Compose installed."
 
 # TMPDIR is erased even if -E is passed to sudo. https://serverfault.com/questions/478741/sudo-does-not-preserve-tmpdir
 # Need to explicitly pass tmpdir in if it exists.
diff --git a/espy/config/running.go b/espy/config/running.go
@@ -6,6 +6,7 @@ import (
 	"github.com/blang/semver"
 	log "github.com/sirupsen/logrus"
 	"io/ioutil"
+	"os"
 )
 
 type (
@@ -53,7 +54,9 @@ func parseStaticTLSConfig(staticTLS *TLSStaticCfg) *tls.Config {
 	if !staticTLS.VerifyCertificate {
 		tlsConf.InsecureSkipVerify = true
 	}
-	if len(staticTLS.CAFile) > 0 {
+
+	finfo, err := os.Stat(staticTLS.CAFile)
+	if err != nil && !finfo.IsDir() {
 		pem, err := ioutil.ReadFile(staticTLS.CAFile)
 		if err != nil {
 			log.WithField("file", staticTLS.CAFile).WithError(err).Error("Could not read CA file")
diff --git a/espy/etc/espy.docker.yaml b/espy/etc/espy.docker.yaml
@@ -12,7 +12,7 @@ Redis:
   Password: "NET_RECEIVER_SECRET_PLACEHOLDER"
   # TLS should be enabled if Redis is running on a separate machine
   TLS:
-    Enabled: false
+    Enable: true
     # If set, Espy will check the Redis certificate's hostname and signatures
     VerifyCertificate: false
     #If set, Espy will use the provided CA file instead of the system's CA's
@@ -30,7 +30,7 @@ Elasticsearch:
   Password: ""
   # TLS should be enabled if Redis is running on a separate machine
   TLS:
-    Enabled: false
+    Enable: false
     # If set, Espy will check the ES certificate's hostname and signatures
     VerifyCertificate: false
     #If set, Espy will use the provided CA file instead of the system's CA's
diff --git a/installer/stage/Espy/docker-compose.yml b/installer/stage/Espy/docker-compose.yml
diff --git a/installer/stage/Espy/espy.sh b/installer/stage/Espy/espy.sh
diff --git a/installer/stage/Espy/etc/espy.docker.yaml b/installer/stage/Espy/etc/espy.docker.yaml
diff --git a/installer/stage/Espy/etc/redis.conf b/installer/stage/Espy/etc/redis.conf
diff --git a/installer/stage/Espy/shell-lib b/installer/stage/Espy/shell-lib
diff --git a/redis/redis.conf b/redis/redis.conf
@@ -47,19 +47,17 @@ timeout 0
 # Redis default starting with Redis 3.2.1.
 tcp-keepalive 300
 
-# TODO: Create certificates and enable TLS
 ################################# TLS/SSL #####################################
-port 6379
-# port 0
-# tls-port 6379
-# tls-cert-file redis.crt
-# tls-key-file redis.key
-# tls-auth-clients no
-# tls-protocols "TLSv1.2 TLSv1.3"
+# port 6379
+port 0
+tls-port 6379
+tls-cert-file /etc/espy/certificates/redis.crt
+tls-key-file /etc/espy/certificates/redis.key
+tls-protocols "TLSv1.2 TLSv1.3"
 
-# TODO: Disable replication and clustering
-# tls-replication yes
-# tls-cluster yes
+tls-auth-clients no
+tls-replication no
+tls-cluster no
 
 ################################# GENERAL #####################################
 daemonize no
diff --git a/scripts/generate_tls_certs.sh b/scripts/generate_tls_certs.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+# This script will generate an x509 rsa certificate and key if
+# the files do not exist already.
+
+# Change dir to script dir
+pushd "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" > /dev/null
+
+# Load the function library
+. ./shell-lib/acmlib.sh
+normalize_environment
+
+ESPY_CONFIG_DIR="${ESPY_CONFIG_DIR:-/etc/espy}"
+CERTIFICATE_DIR="$ESPY_CONFIG_DIR/certificates"
+
+SUDO=
+if ! can_write_or_create "$ESPY_CONFIG_DIR"; then
+	SUDO="sudo"
+fi
+
+PUBLIC_CRT="$CERTIFICATE_DIR/redis.crt"
+PRIVATE_KEY="$CERTIFICATE_DIR/redis.key"
+
+# Initializes the global certs if they don't exist
+main() {
+	# This check is unnecessary with mkdir -p but avoids an unconditional
+	# sudo that would force a password prompt every time
+	if [ ! -d "$CERTIFICATE_DIR" ]; then
+		echo "Certificate directory not found. Creating: $CERTIFICATE_DIR"
+		$SUDO mkdir -p "$CERTIFICATE_DIR"
+	fi
+
+	if [ ! -f "$PUBLIC_CRT" ] || [ ! -f "$PRIVATE_KEY" ]; then
+		# If one or the other is found but not both remove them and start over
+		if [ -f "$PUBLIC_CRT" ]; then $SUDO rm -f "$PUBLIC_CRT"; fi
+		if [ -f "$PRIVATE_KEY" ]; then $SUDO rm -f "$PRIVATE_KEY"; fi
+
+		echo "No certificates found. Generating..."
+		$SUDO openssl req -x509 -newkey rsa:4096 \
+		-keyout "$PRIVATE_KEY" -out "$PUBLIC_CRT" \
+		-days 1825 -nodes > /dev/null 2>&1 << HERE
+US
+Some-State
+
+Active Countermeasures
+Espy
+localhost
+
+HERE
+    else
+        echo "Existing certificates found. Exiting..."
+	fi
+
+    $SUDO chown -R root:docker "$CERTIFICATE_DIR"
+    $SUDO chmod 640 "$CERTIFICATE_DIR/*"
+}
+
+# Ensure the certificates exist
+main
+
+# Change back to original directory
+popd > /dev/null
diff --git a/scripts/installer/.gitignore b/scripts/installer/.gitignore
diff --git a/scripts/installer/generate_installer.sh b/scripts/installer/generate_installer.sh
@@ -15,7 +15,7 @@ HEREDOC
 
 # Store the absolute path of the script's dir and switch to the top dir
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-pushd "$SCRIPT_DIR/../" > /dev/null
+pushd "$SCRIPT_DIR/../../" > /dev/null
 
 __help() {
   cat <<HEREDOC
@@ -64,12 +64,12 @@ ESPY_ARCHIVE=Espy
 STAGE_DIR="$SCRIPT_DIR/stage/$ESPY_ARCHIVE"
 
 # Make sure we can use docker-compose
-shell-lib/docker/check_docker.sh || {
+./scripts/shell-lib/docker/check_docker.sh || {
 	echo -e "\e[93mWARNING\e[0m: The generator did not detect a supported version of Docker."
 	echo "         A supported version of Docker can be installed by running"
 	echo "         the install_docker.sh script in the scripts directory."
 }
-shell-lib/docker/check_docker-compose.sh || {
+./scripts/shell-lib/docker/check_docker-compose.sh || {
 	echo -e "\e[93mWARNING\e[0m: The generator did not detect a supported version of Docker-Compose."
 	echo "         A supported version of Docker-Compose can be installed by running"
 	echo "         the install_docker.sh script in the scripts directory."
diff --git a/scripts/installer/stage/Espy/.gitignore b/scripts/installer/stage/Espy/.gitignore
diff --git a/scripts/installer/stage/Espy/docker-compose.yml b/scripts/installer/stage/Espy/docker-compose.yml
@@ -0,0 +1 @@
+../../../../docker-compose.yml
diff --git a/scripts/installer/stage/Espy/espy.sh b/scripts/installer/stage/Espy/espy.sh
@@ -0,0 +1 @@
+../../../../espy.sh
diff --git a/scripts/installer/stage/Espy/etc/espy.docker.yaml b/scripts/installer/stage/Espy/etc/espy.docker.yaml
@@ -0,0 +1 @@
+../../../../../espy/etc/espy.docker.yaml
diff --git a/scripts/installer/stage/Espy/etc/redis.conf b/scripts/installer/stage/Espy/etc/redis.conf
@@ -0,0 +1 @@
+../../../../../redis/redis.conf
diff --git a/scripts/installer/stage/Espy/install_espy.sh b/scripts/installer/stage/Espy/install_espy.sh
@@ -31,7 +31,7 @@ trap '__err ${BASH_SOURCE##*/} $LINENO' ERR
 trap '__int' INT
 
 # Load the function library
-. ./shell-lib/acmlib.sh
+. ./scripts/shell-lib/acmlib.sh
 normalize_environment
 
 ESPY_CONFIG_DIR="${ESPY_CONFIG_DIR:-/etc/espy}"
@@ -45,7 +45,7 @@ test_system () {
 
 install_docker () {
     status "Installing Docker"
-    $SUDO shell-lib/docker/install_docker.sh
+    $SUDO ./scripts/shell-lib/docker/install_docker.sh
     echo2 ''
     if $SUDO docker ps &>/dev/null ; then
 		echo2 'Docker appears to be working, continuing.'
@@ -62,6 +62,8 @@ install_configuration () {
     ensure_env_file_exists
 
     ensure_config_files_exist
+
+    scripts/generate_tls_certs.sh
 }
 
 ensure_env_file_exists () {
diff --git a/scripts/installer/stage/Espy/scripts/generate_tls_certs.sh b/scripts/installer/stage/Espy/scripts/generate_tls_certs.sh
@@ -0,0 +1 @@
+../../../../generate_tls_certs.sh
diff --git a/scripts/installer/stage/Espy/scripts/shell-lib b/scripts/installer/stage/Espy/scripts/shell-lib
@@ -0,0 +1 @@
+../../../../shell-lib/
diff --git a/scripts/shell-lib b/scripts/shell-lib
@@ -0,0 +1 @@
+Subproject commit c6c8e6c0ed3396c866026e8dfb73ed9d9ed33fd9
diff --git a/shell-lib b/shell-lib
