Implements x509 extended schema #762
Conversation
|
Here's a gist that shows data formats I considered that helped frame this approach. |
|
Per elastic/kibana#60026, the SIEM currently uses the fields
|
|
💚 CLA has been signed |
dcode
force-pushed
the
dcode/x509
branch
2 times, most recently
from
948c2d2
to
e3e16d2
Compare
dcode
force-pushed
the
dcode/x509
branch
2 times, most recently
from
c873c92
to
774e793
Compare
|
This PR is gross, and I'm sorry. I accidentally rebased against a stale branch earlier today and found myself cast into the pit of merge conflict dispair. Should be all striaghtened out now |
| // Unique serial number issued by the certificate authority. For | ||
| // consistency, if this value is alphanumeric, it should be formatted | ||
| // without colons and uppercase characters. | ||
| SerialNumber string `ecs:"serial_number"` |
There was a problem hiding this comment.
Per https://tools.ietf.org/html/rfc5280#section-4.1.2.2 this should always be an integer. String is still appropriate since it may be up to 20 octets, but I think we should specify that we expect a base10 string representation.
|
Great stuff here, I'm working on support for this in Heartbeat in elastic/beats#17687 . The only field not here that we'd use would be a sha1/sha256 hash of the DER encoded cert. This would be great for aggregation. While I don't think we need to block this issue on that FYI. |
|
One other non-blocking change I'd recommend for a follow-up PR (which I'd be glad to contribute). We could add |
|
Good point, Andrew.
We had a federal customer who had a need for this kind of field recently.
On Thu, Apr 16, 2020 at 6:48 AM Andrew Cholakian ***@***.***> wrote:
One other non-blocking change I'd recommend for a follow-up PR (which I'd
be glad to contribute).
We could add chain_not_after, and chain_not_before which would contain
the computed not_after/not_before based on the earliest/latest dates in
the full chain, in case someone has a poorly setup CA issuing certs beyond
its own lifetime.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#762 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABYY5K5IOYNQ7XVL6E3RTCLRM3WCBANCNFSM4K3J2OXA>
.
--
*---*
*Andrew D. Pease*
Senior Manager, Consulting
m: 314.749.4249
andrew.pease@elastic.co
|
|
Having gone through the PR in detail, I think this is great where it is. I have some additive suggestions, but they don't need to be in this PR. I'm LGTM on merging this PR as-is, and following up with some additions. |
There was a problem hiding this comment.
LGTM after two minor rewordings, see comments below.
Please let me merge this, as we're still waiting for an official thumbs up from the SIEM UI point of view. I want to make sure this is reviewed from their POV so we don't have surprises there a second time.
@tsg you initially pinged me about the UI issues when tls got merged in ECS. Could you review this from the UI point of view, or point me to the person who will do the TLS view adjustments based on this new field set?
| group: 2 | ||
| short_description: These fields contain x509 certificate metadata. | ||
| description: > | ||
| This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, |
There was a problem hiding this comment.
| This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, | |
| These fields contain x509 certificate metadata. This information is likely logged with TLS sessions, |
The current first sentence reads like a PR body ("we're implementing this"). Let's just reuse the short definition as the first sentence instead. The short and description are never displayed in the same place, so it's fine to reuse it as is.
| type: keyword | ||
| normalize: | ||
| - array | ||
| description: List of state or province names (ST, S, or P) |
There was a problem hiding this comment.
Perhaps we should spell out more explicitly here that "any of the ST, S or P entries are to be added to this array.
Current description is perfect for a short description. Then the new description could read like.
| description: List of state or province names (ST, S, or P) | |
| short: List of state or province names (ST, S, or P) | |
| description: List of state or province names. | |
| All `ST`, `S` or `P` attributes should be added to the `x509.subject.state_or_province` array. |
Work in support of elastic/uptime#161 This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS. Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on. This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well. ```json { "tls": { "certificate_not_valid_after": "2020-07-16T03:15:39Z", "certificate_not_valid_before": "2019-08-16T01:40:25Z", "server": { "hash": { "sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1", "sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d" }, "x509": { "issuer": { "common_name": "GlobalSign CloudSSL CA - SHA256 - G3", "distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE" }, "not_after": "2020-07-16T03:15:39Z", "not_before": "2019-08-16T01:40:25Z", "public_key_algorithm": "RSA", "public_key_size": 2048, "serial_number": "26610543540289562361990401194", "signature_algorithm": "SHA256-RSA", "subject": { "common_name": "r2.shared.global.fastly.net", "distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US" } } } } } ``` ## How to test this PR locally Run against TLS/Non-TLS endpoints
Work in support of elastic/uptime#161 This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS. Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on. This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well. ```json { "tls": { "certificate_not_valid_after": "2020-07-16T03:15:39Z", "certificate_not_valid_before": "2019-08-16T01:40:25Z", "server": { "hash": { "sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1", "sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d" }, "x509": { "issuer": { "common_name": "GlobalSign CloudSSL CA - SHA256 - G3", "distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE" }, "not_after": "2020-07-16T03:15:39Z", "not_before": "2019-08-16T01:40:25Z", "public_key_algorithm": "RSA", "public_key_size": 2048, "serial_number": "26610543540289562361990401194", "signature_algorithm": "SHA256-RSA", "subject": { "common_name": "r2.shared.global.fastly.net", "distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US" } } } } } ``` ## How to test this PR locally Run against TLS/Non-TLS endpoints (cherry picked from commit eb2dc26)
#18029) * [Heartbeat] Add Additional ECS tls.* fields (#17687) Work in support of elastic/uptime#161 This patch adds additional ECS [TLS](https://www.elastic.co/guide/en/ecs/current/ecs-tls.html) and [x509](elastic/ecs#762) fields. Note that we are blocked on the x509 fields which are not yet merged into ECS. Sample output of the `tls.*` fields with this patch is below. Note the somewhat strange nesting of data in `issuer` and `subject`. This is per the ECS spec, but a bit awkward. We may want to break this data out into the more specific ECS `x509` type in the future. For UI work we are likely fine to parse this on the client and display the CN section in most cases. I did break out the CN into its own field in `x509.subject/issuer.common_name`. However, if we do want to aggregate on issuer in the future it's good to have the full distinguished name to do that on. This PR also refactors some `libbeat` code around parsing TLS versions and adds test coverage there as well. ```json { "tls": { "certificate_not_valid_after": "2020-07-16T03:15:39Z", "certificate_not_valid_before": "2019-08-16T01:40:25Z", "server": { "hash": { "sha1": "b7b4b89ef0d0caf39d223736f0fdbb03c7b426f1", "sha256": "12b00d04db0db8caa302bfde043e88f95baceb91e86ac143e93830b4bbec726d" }, "x509": { "issuer": { "common_name": "GlobalSign CloudSSL CA - SHA256 - G3", "distinguished_name": "CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE" }, "not_after": "2020-07-16T03:15:39Z", "not_before": "2019-08-16T01:40:25Z", "public_key_algorithm": "RSA", "public_key_size": 2048, "serial_number": "26610543540289562361990401194", "signature_algorithm": "SHA256-RSA", "subject": { "common_name": "r2.shared.global.fastly.net", "distinguished_name": "CN=r2.shared.global.fastly.net,O=Fastly\\, Inc.,L=San Francisco,ST=California,C=US" } } } } } ``` Run against TLS/Non-TLS endpoints (cherry picked from commit eb2dc26) * Use non-wildcard field for text * Remove wildcard type
This intends to implement the common core fields of x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, I propose that it should be nested under
fileand include thehashobject set as well. I also think it's reasonable for systems like packetbeat to log entries underclientandserverfor the TLS metadata.Related: #64