Is there a way to pass credentials in an obfuscated way during process-creation? #754

Open
K0nne opened this issue Sep 17, 2024 · 3 comments

K0nne commented Sep 17, 2024

Hello,

it came to our attention that some monitoring passwords are logged in plaintext into the eventlog:

image

Is there a way to pass the credentials in an obfuscated way during process-creation to mitigate this problem?

@LordHepipud LordHepipud added the Security A security flaw within the Icinga PowerShell Framework label Sep 26, 2024
@LordHepipud LordHepipud self-assigned this Sep 26, 2024
@LordHepipud LordHepipud added this to the v1.13.0-Beta3 milestone Sep 26, 2024

K0nne commented Sep 30, 2024

The original eventlog location is unknown so far, but we found another location:

image

@afeefghannam89
Member

rf/NC/830241

@LordHepipud
Collaborator

I did some research on this topic and it is not that easy to resolve this issue. One way would be to disable the logging to the PowerShell Eventlog, which catches all calls done.
However, for security monitoring, this log should remain to ensure that SIEM tools can fetch those logs and analyze the content to ensure no harmful code is executed.

For the Icinga for Windows log there is currently a test scenario developed to ensure that SecureString arguments are never dumped as objects into the EventLog. This will ship with v1.13.0.

To resolve this issue, my suggestion is to use the Icinga Agent with the "ifw-api" Feature.

By doing so, the Icinga Agent will execute all calls directly toward the Icinga for Windows API, not creating a new PowerShell process. Therefore, the call is not logged inside the EventLog but still executed with the provided arguments.
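
To find which logged command lines carry a literal credential, as described in this thread, the following added example (not part of the thread or of Icinga for Windows) scans command-line text for secret-bearing parameters and emits a redacted copy. The parameter-name list, the `Invoke-ExampleCheck` command and the sample lines are constructed assumptions.

```powershell
function Find-PlaintextSecretArgument {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$CommandLine,

        # Parameter names treated as secret-bearing (assumption; extend for your plugins).
        [string[]]$ParameterName = @('Password', 'Passwd', 'Pwd', 'Secret', 'Token', 'ApiKey')
    )
    begin {
        $names = ($ParameterName | ForEach-Object { [regex]::Escape($_) }) -join '|'
        # Matches: -Name value | -Name:value | -Name 'quoted value' | -Name "quoted value"
        $pattern = [regex]::new(
            "(?i)(?<name>-(?:$names))(?<sep>[\s:=]+)(?<value>'[^']*'|`"[^`"]*`"|[^\s;|)]+)")
    }
    process {
        $hits = foreach ($m in $pattern.Matches($CommandLine)) {
            # A variable or sub-expression is a reference, not a literal secret in the log.
            if ($m.Groups['value'].Value -notmatch '^[\$\(]') {
                $m.Groups['name'].Value
            }
        }
        if ($hits) {
            [pscustomobject]@{
                Parameters = @($hits)
                # Safe to forward or attach to a ticket: values are replaced, not copied.
                Redacted   = $pattern.Replace($CommandLine, '${name}${sep}<redacted>')
            }
        }
    }
}

# Constructed sample command lines, as they might appear in a process-creation
# or PowerShell log record. None of these are real plugin calls or credentials.
$samples = @(
    "powershell.exe -NoProfile -Command Invoke-ExampleCheck -Username 'monitor' -Password 'Example-Only-123'",
    'powershell.exe -NoProfile -Command Invoke-ExampleCheck -Username monitor -Password $SecureCredential',
    'powershell.exe -NoProfile -Command Invoke-ExampleCheck -Warning 80 -Critical 90'
)

# Only the first sample is reported: it is the only one with a literal value.
$samples | Find-PlaintextSecretArgument | Format-List
```

For real data, pipe the message text of exported event records into the function; which log holds those records depends on the host's audit and PowerShell logging policy.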
