Skip to content

Latest commit

 

History

History
132 lines (95 loc) · 8.04 KB

mitigations.md

File metadata and controls

132 lines (95 loc) · 8.04 KB

Mitigation Strategies Analysis for apache/skywalking

Mitigation Strategy: Authentication and Authorization (OAP Server & UI)

Description: 1. Choose Authentication Method: Select a supported authentication method within SkyWalking (gRPC with TLS, HTTP Basic Auth, or a custom provider). 2. Configure in application.yml (OAP): Modify the application.yml file of the OAP server to enable and configure the chosen authentication provider. This includes setting up user stores, credentials, and any necessary certificates. 3. Configure UI Authentication: Configure the SkyWalking UI to use the same authentication mechanism as the OAP server, ensuring consistency. 4. Define Roles (RBAC): Within SkyWalking's configuration (likely application.yml or a related file), define roles with specific permissions (read-only, write access to certain data, etc.). 5. Assign Users to Roles: Map users or groups (defined within the chosen authentication provider) to the defined roles. 6. Enforce Authentication: Ensure that all relevant endpoints (gRPC and HTTP) on the OAP server and UI require authentication. Disable any anonymous access options unless absolutely necessary and strictly controlled.

  • Threats Mitigated:

    • Unauthorized Access to OAP Server: (Severity: Critical)
    • Unauthorized Access to UI: (Severity: High)
    • Data Exfiltration (Indirectly): (Severity: High)
    • Malicious Data Injection (Indirectly): (Severity: High)

  • Impact:

    • Unauthorized Access: Risk significantly reduced.
    • Data Exfiltration: Risk reduced.
    • Malicious Data Injection: Risk reduced.

  • Currently Implemented:

    • OAP Server: SkyWalking provides the mechanisms (gRPC with TLS, HTTP Basic Auth). Configuration is in application.yml.
    • UI: Similar support exists in the UI configuration.

  • Missing Implementation:

    • OAP Server & UI: The default configurations often lack strong authentication. Active configuration and enforcement are crucial. RBAC is often underutilized.

Mitigation Strategy: Agent Authentication

Description: 1. Enable Agent Authentication (OAP): In the OAP server's application.yml file, configure the settings to require authentication from agents. This usually involves enabling a token-based authentication mechanism. 2. Configure Agent Tokens: Generate unique tokens for each agent (or group of agents). 3. Configure Agents: Configure each SkyWalking agent (in its respective configuration file) to provide the assigned token when connecting to the OAP server.

  • Threats Mitigated:

    • Malicious Data Injection (Rogue Agent): (Severity: High)

  • Impact:

    • Malicious Data Injection: Risk significantly reduced.

  • Currently Implemented:

    • OAP Server & Agents: SkyWalking supports agent authentication using tokens. Configuration is in application.yml (OAP) and the agent's configuration file.

  • Missing Implementation:

    • OAP Server & Agents: Token-based authentication is often not enabled or enforced.

Mitigation Strategy: Encryption in Transit (TLS - Configuration within SkyWalking)

Description: 1. Obtain Certificates: Obtain TLS certificates (though this is technically external, the use of them is within SkyWalking). 2. Configure TLS (OAP): In the OAP server's application.yml, configure the settings to enable HTTPS (TLS) for both gRPC and HTTP communication. This involves specifying the paths to the certificate and key files. 3. Configure Agents: Configure the SkyWalking agents to connect to the OAP server using HTTPS (the secure URL). 4. Configure UI: Configure the SkyWalking UI to use HTTPS. 5. Enforce HTTPS: Disable any HTTP (non-TLS) listeners on the OAP server and UI. 6. Cipher Suites (OAP): Within the application.yml (or a related configuration file), specify a list of allowed, strong TLS cipher suites.

  • Threats Mitigated:

    • Data Exfiltration (Eavesdropping): (Severity: High)
    • Man-in-the-Middle Attacks: (Severity: High)

  • Impact:

    • Data Exfiltration: Risk significantly reduced.
    • Man-in-the-Middle Attacks: Risk significantly reduced.

  • Currently Implemented:

    • OAP Server & Agents: SkyWalking supports TLS configuration for agent-OAP communication and OAP server API access. Configuration is in application.yml.
    • UI: Supports HTTPS.

  • Missing Implementation:

    • OAP Server & Agents: TLS is often not enforced, or weak cipher suites are allowed.

Mitigation Strategy: Rate Limiting (OAP Server - SkyWalking Configuration)

Description: 1. Configure Rate Limits (OAP): In the OAP server's application.yml file, configure the rate limiting settings. SkyWalking provides options to limit the number of requests per unit of time from agents or IP addresses. Adjust these settings based on expected load and server capacity.

  • Threats Mitigated:

    • Denial of Service (DoS): (Severity: Medium)

  • Impact:

    • DoS: Risk reduced.

  • Currently Implemented:

    • OAP Server: SkyWalking provides some built-in rate limiting capabilities, configurable in application.yml.

  • Missing Implementation:

    • OAP Server: The default rate limits may be too permissive and require tuning.

Mitigation Strategy: Input Validation (Awareness and Custom Extensions)

Description: * Custom Extensions: If you develop custom gRPC services, receivers, or other extensions that interact with the OAP server, you must implement rigorous input validation within your custom code. SkyWalking's core code likely has some validation, but extensions are your responsibility. * UI Customization: If customizing the UI, ensure any custom components properly sanitize user inputs.

  • Threats Mitigated:

    • Malicious Data Injection (Custom Extensions): (Severity: High)
    • Cross-Site Scripting (XSS) (UI Customization): (Severity: High)

  • Impact:

    • Malicious Data Injection: Risk reduced (for custom extensions).
    • XSS: Risk reduced (for UI customizations).

  • Currently Implemented:

    • OAP Server (Core): SkyWalking likely has some internal input validation.
    • UI (Core): The core UI should have output encoding and likely a CSP.

  • Missing Implementation:

    • OAP Server (Custom Extensions): This is a critical area for custom extensions. Developers must implement thorough input validation.
    • UI (Customization): If the UI is customized, developers must ensure proper input sanitization.

Mitigation Strategy: Audit Logging (Configuration within SkyWalking)

Description: 1. Enable Audit Logging (OAP): Within the OAP Server's configuration (application.yml or related files), enable detailed audit logging. Configure the logging level and destination. 2. UI Logging: Configure logging within the UI to capture access and actions.

  • Threats Mitigated:

    • All Threats (Indirectly): (Severity: Varies) - Improves detection and response.

  • Impact:

    • All Threats: Improves detection and response capabilities.

  • Currently Implemented:

    • OAP Server: SkyWalking provides logging capabilities.
    • UI: Logging capabilities exist.

  • Missing Implementation:

    • Comprehensive Logging: Often, logging is not enabled at a sufficient level of detail within the SkyWalking configuration.