Uptycs is a powerful platform that brings vulnerability scanning and alerting to the OSQuery world. The most powerful/flexible option Uptycs provides as a means of notifying external services of alerts is via HTTP(S) request. At the time of writing this, Uptycs only supports user-configured headers and HTTP basic authentication as means of authenticating / self-identifying to external services.
Rather than exposing components of the Mozilla Defense Platform (MozDef) directly to the Internet with an arguably insecure authentication scheme, this software serves as something of a "bastion application" (similar to a bastion host).
In the case of uploading alert data to MozDef, we can afford to have a relatively relaxed threat model. We can, for example, accept that an attacker may even be able to exploit UptoMozDef, as this would only grant them the ability to push alert data to MozDef.
In developing UptoMozDef, Mozilla has taken the stance that
The less HTTP Basic Auth in the world, the better.
To handle authentication with a sufficient degree of security, UptoMozDef will check for a shared secret in the headers of requests and whitelist against those IPs that are part of Uptycs' platform.
To run UptoMozDef, you will need NodeJS. The latest Long-Term Support (LTS) release is recommended. Once you have it installed, verify that you can run both
Once the above prerequisites are satisfied, you can run UptoMozDef like so:
npm install
SQS_QUEUE=queue_url UMD_SECRET=secret npm start
Note here that:
- UMD_SECRET is an environment variable that specifies the shared secret that UptoMozDef will look for to authenticate requests from the
- The SQS_QUEUE environment variable must specify the URL of an AWS SQS queue that UptoMozDef will be able to send messages to.
The UptoMozDef server will listen on port 8080 and accept POST requests to
Choosing a Secure Secret
The secret set via the UMD_SECRET environment variable is the key piece of information used to grant a client access to have data sent to MozDef. As this is the cornerstone of UptoMozDef's security model, it is advised that a strong and completely random secret be used.
You can use NodeJS to generate a secure secret like so:
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
Or, more simply, using openssl:
openssl rand -hex 32
Once you have deployed UptoMozDef to your preferred environment, you can configure Uptycs to send alerts to it by navigating to
Configuration -> Alert Rules -> [Select an alert] -> Add Notification
On this page, you will want to select "HTTP" from the dropdown menu for "Destination Types" under "Create a new one". Then configure the following:
- Name: UptoMozDef; or whatever you prefer
- URL: https://[public ip or domain]/uptycs
- Method: POST
- Key: Uptomozdef-Secret
- Value: [your shared secret]
Remember to click the "+" button to add the header to the configuration. Finally, finish creating the destination by clicking the "CREATE AND ADD HTTP" button.
Once this new destination is created, you will be able to select it under "Select an existing destination to add" next time you want to configure an alert rule.