Security Best Practices
Here you find a list of all security best practices that should be considered when running logprep in a production environment.
To compare your production environment against these best practices we provide a
Best Practice Check List
for your use.
Security Best Practice - HttpGetter
If recourses are loaded via HttpGetters it is recommended to
use a credential file to securely manage authentication
use preferably the
MTLSCredentials
orOAuth2PasswordFlowCredentials
(with client-auth)use always HTTPS connections as HTTPS is not enforced by logprep
consider that the HttpGetter does not support pagination. If the resource is provided by an endpoint with pagination it could lead to a loss of data.
Reference to original description
Security Best Practice - Configuration - Combining multiple configuration files
Consider when using multiple configuration files logprep will reject all configuration files if one can not be retrieved or is not valid. If using multiple files ensure that all can be loaded safely and that all endpoints (if using http resources) are accessible.
Reference to original description
Security Best Practice - Configuration Environment Variables
As it is possible to replace all configuration options with environment variables it is
recommended to use these especially for sensitive information like usernames, password, secrets
or hash salts.
Examples where this could be useful would be the key
for the hmac calculation (see
input > preprocessing) or the user
/secret
for the elastic-/opensearch
connectors.
Reference to original description
Security Best Practice - Configuration Refresh Interval
The refresh interval for the configuration shouldn't be set too high in production
environments.
It is suggested to not set a value higher than 300
(5 min).
That way configuration updates are propagated fairly quickly instead of once a day.
It should also be noted that a new configuration file will be read as long as it is a valid config. There is no further check to ensure credibility.
In case a new configuration could not be retrieved successfully and the
config_refresh_interval
is already reduced automatically to 5 seconds it should be
noted that this could lead to a blocking behavior or an significant reduction in performance
as logprep is often retrying to reload the configuration.
Because of that ensure that the configuration endpoint is always available.
Reference to original description
Security Best Practice - Logprep Log-Level
The loglevel of logprep should be set to "INFO"
in production environments, as the
"DEBUG"
level could expose sensitive events into the log.
Reference to original description
Security Best Practice - Metrics Configuration
Additionaly to the below it is recommended to configure ssl on the metrics server endpoint
metrics:
enabled: true
port: 9000
uvicorn_config:
access_log: true
server_header: false
date_header: false
workers: 1
Reference to original description
Security Best Practice - Input Connectors
It is advised to only use the ConfluentKafkaInput
, HttpConnector
or
FileInput
as input connectors in production environments.
The connectors DummyInput
, JsonInput
and JsonlInput
are mainly designed
for debugging purposes.
Furthermore, it is suggested to enable the HMAC
preprocessor to ensure no tempering of
processed events.
hmac:
target: <RAW_MSG>
key: <SECRET>
output_field: HMAC
Reference to original description
Security Best Practice - Http Input Connector - Authentication
- When using basic auth with the http input connector the following points should be taken into account:
basic auth must only be used with strong passwords
basic auth must only be used with TLS encryption
avoid to reveal your plaintext secrets in public repositories
Reference to original description
Security Best Practice - Uvicorn Webserver Configuration
Additionaly to the below it is recommended to configure ssl on the metrics server endpoint
uvicorn_config:
access_log: true
server_header: false
date_header: false
workers: 2
Reference to original description
Security Best Practice - Input Connector - HttpConnector
It is suggested to enable the collection of meta data (collect_meta: True
) to
ensure transparency of the incoming events.
Reference to original description
Security Best Practice - Output Connectors
Similar to the input connectors there is a list of available output connectors of which some
are only meant for debugging, namely: ConsoleOutput
and JsonlOutput
.
It is advised to not use these in production environments.
When configuring multiple outputs it is also recommend to only use one default output and to define other outputs only for storing custom extra data. Otherwise it cannot be guaranteed that all events are safely stored.
Reference to original description
Security Best Practice - Output Connectors - ElasticsearchOutput
It is suggested to enable a secure message transfer by setting user
,
secret
and a valid ca_cert
.
Reference to original description
Security Best Practice - Output Connectors - OpensearchOutput
It is suggested to enable a secure message transfer by setting user
,
secret
and a valid ca_cert
.
Reference to original description
Security Best Practice - Output Connectors - S3Output
It is suggested to activate SSL for a secure connection. In order to do that set
use_ssl
and the corresponding ca_cert
.
Reference to original description
Security Best Practice - Processor - Amides Model
Ensure that you only use models from trusted sources, as it can be used to inject python code into the runtime.
Reference to original description
Security Best Practice - Processor - GenericAdder
When using a sql database to enrich events, ensure that it is a database which is protected with a user credentials.
Reference to original description
Security Best Practice - Processor - Pseudonymizer
The pseudonymizer works with two public keys for different roles. It is suggested to ensure that two different keys are being used such that the separation of the roles can be maintained.
Reference to original description
Security Best Practice - Processor - Requester
As the requester can execute arbitrary http requests it is advised to execute requests only
against known and trusted endpoints and that the communication is protected with a valid
SSL-Certificate. Do so by setting a certificate path with the option cert
.
To ensure that the communication is trusted it is also recommended to set either an
Authorization
-Header or a corresponding authentication with a username and password, via
auth
.