Serves a simple API endpoint for Uptycs to send alerts for further shipping to MozDef
UptoMozDef

Uptycs is a powerful platform that brings vulnerability scanning and alerting to the OSQuery world. The most flexible option Uptycs provides for notifying external services of alerts is an HTTP(S) request. At the time of writing, Uptycs only supports user-configured headers and HTTP basic authentication as means of authenticating / self-identifying to external services.

Rather than exposing components of the Mozilla Defense Platform (MozDef) directly to the Internet behind an arguably insecure authentication scheme, this software serves as something of a "bastion application" (similar to a bastion host).

Security

In the case of uploading alert data to MozDef, we can afford to have a relatively relaxed threat model. We can, for example, accept that an attacker may even be able to exploit UptoMozDef, as this would only grant them the ability to push alert data to MozDef.

In developing UptoMozDef, Mozilla has taken the stance that

The less HTTP Basic Auth in the world, the better.

To handle authentication with a sufficient degree of security, UptoMozDef checks for a shared secret in the headers of each request and restricts access to the IP addresses that belong to Uptycs' platform (an IP allowlist).

Running UptoMozDef

To run UptoMozDef, you will need NodeJS. The latest Long-Term Support (LTS) release is recommended. Once you have it installed, verify that you can run both node and npm.

Once the above prerequisites are satisfied, you can run UptoMozDef like so:

npm install
SQS_QUEUE=queue_url UMD_SECRET=secret npm start

Note here that UMD_SECRET is an environment variable that specifies the shared secret that UptoMozDef will look for to authenticate requests from the Uptycs platform.

The SQS_QUEUE environment variable must specify the URL of an AWS SQS queue that UptoMozDef will be able to send messages to.

The UptoMozDef server will listen on port 8080 and accept POST requests to /uptycs.

Choosing a Secure Secret

The secret set via the UMD_SECRET environment variable is the key piece of information used to decide whether a client may have data forwarded to MozDef. Since it is the cornerstone of UptoMozDef's security model, a strong and completely random secret should be used.

You can use NodeJS to generate a secure secret like so:

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Or, more simply, using openssl:

openssl rand -hex 32

Configuring Uptycs

Once you have deployed UptoMozDef to your preferred environment, you can configure Uptycs to send alerts to it by navigating to

Configuration -> Alert Rules -> [Select an alert] -> Add Notification

On this page, you will want to select "HTTP" from the dropdown menu for "Destination Types" under "Create a new one". Then configure the following:

  1. Name: UptoMozDef; or whatever you prefer
  2. URL: https://[public ip or domain]/uptycs
  3. Method: POST
  4. Headers
    1. Key: Uptomozdef-Secret
    2. Value: [your shared secret]

Remember to click the "+" button to add the header to the configuration. Finally, finish creating the destination by clicking the "CREATE AND ADD HTTP" button.

Once this new destination is created, you will be able to select it under "Select an existing destination to add" next time you want to configure an alert rule.
