Security
The following security considerations have been taken into account during the development of this software.
Diagram
Summary
| Name | Value |
|---|---|
| Total Threats | 20 |
| Total Mitigated | 18 |
| Not Migitated | 2 |
List of threats
| # | Status | Title | Type | Process/Data Flow/Store | Description | Mitigations |
|---|---|---|---|---|---|---|
| 1 | Mitigated* | Unauthorized API access | Information disclosure, tampering with data, elevation of privilige | HAProxy Ingress | Unauthorized access could allow someone to brute force the basic auth credentials giving them access to the API | The reverse proxy only proxies requests from inside the onpremise network, access from outside requires a wireguard VPN connection. This effectively requires an attacker to gain physical access to the network in order to access the service. |
| 2 | Mitigated | Leaked Bitwarden Credentials | Information Disclosure | WindAutomat LXC | Leaked credentials would allow an attacker to retrieve secrets such as ssh private keys, api tokens, database password etc. | Encryption at rest of the bitwarden access token results in the decrypted secret only being stored in memory, preventing leaked credentials if an attacker gains access to the filesystem. |
| 3 | Mitigated | Leaked secrets, private keys, passwords | Information Disclosure, tampering with data, elevation of privilege | Bitwarden Secret Manager | Leaked secrets would allow an attacker to access servers, databases, apis, services. | All secrets are stored encrypted using the Bitwarden Secret Manager. Decrypted secrets are only available in memory with the exception of ssh private keys. |
| 4 | Mitigated | Leaked ssh keys | Information Disclosure, tampering with data, elevation of privilege | WindAutomat Server | Leaked ssh keys would allow an attacker to access servers and retrieve or tamper with data. | Private Keys are only stored in ephemeral storage. In addition, they are actively removed when no longer needed. On top of this, each machine is accessed using a separate private key. In case of a leaked key only one machine is compromised. |
| 5 | Mitigated | Unauthorized shell access | Information Disclosure, tampering with data, elevation of privilege | Target machines | SSH password authentication could be brute forced by an attacker | SSH password authentication is disabled on the target machines. |
| 6 | Mitigated | Unauthorized sudo access on target machines | Information Disclosure, tampering with data, elevation of privilege | Target machines | Passwordless sudo access could allow an attacker to execute arbitrary commands as root after gaining access | Passwordless sudo has only been enabled for the commands required to perform updates, limiting the extent of tampering as much as possible. |
| 7 | Mitigated | SQL Injection | Tampering with data, Information disclosure | PostgreSQL Database | Unsafe queries could be made by malicious actors when user input is not processed properly | Only supply user input to the database using parameterized queries. This is enforced by the postgres.js package used in the backend. |
| 8 | Mitigated | Unauthorized database migrations | Tampering with data | WindAutomat CLI | Unprotected access to database migrations could allow an attacker to change the database schema resulting in an incompatible database schema or data loss | Database migrations can only be applied by someone with console access and the encryption secret. |
| 9 | Mitigated | MITM API | Tampering with data, Information disclosure | JSON-RPC API | Insecure HTTP requests would allow for (Hu)Man in the Middle attacks | Upgrade HTTP requests to HTTPS and only proxy traffic on port 443 HTTPS. |
| 10 | Mitigated* | XSS | Tampering with data, Information disclosure | Web Client | Executing user supplied data could lead to malicious javascript execution | The Content Security Policy header is set to a restrictive value only allowing same origin for images and scripts and disallowing frames. The frontend is currently only used for unlocking the encrypted bitwarden token. This data is not executed. Once the frontend becomes more comprehensive, sanitization of user input is required. |
| 11 | Mitigated | Privilege escalation container escape | Tampering with Data, Information Disclosure, Elevation of privilege | WindAutomat LXC | Not limiting a container's capabilities could allow malicious actors to escape the container when remote shell execution is possible | The WindAutomat application is deployed in an unprivliged LXC with processes running as non root user to reduce the attack surface. |
| 12 | Mitigated | Privilige escalation Backend Requests | Elevation of privilege | HAProxy Ingress | Unauthorized access to the backend | The reverse proxy rejects all requests without correct Basic Auth credentials. Firewall rules prevent any access to the windautomat port that do no originate from the reverse proxy. |
| 13 | Mitigated | Data leak CORS Misconfiguration | Tampering with data, Information disclosure | Backend | CORS misconfiguration could allow unauthorized data access via malicious third party sites. | CORS Headers are set to only allow requests from our web client. |
| 14 | Mitigated | Leaked GitHub credentials | Tampering with data, Elevation of privilege | GitHub | Leaked credentials could allow an attacker to compromise the repository containing source code and deployment configuration | Two factor authentication using hardware keys mitigates against leaking credentials. Additionally, all commits require signing using private keys |
| 15 | Mitigated* | Vulnerable Dependencies | Tampering with data, Information disclosure | NPM Repo: Download Dependencies | Packages could contain vulnerabilities, allowing a wide range of attacks depending on the vulnerability in the package. | Usage of common, well maintained, lightweight libraries to reduce attack surface. Additionally, the number of dependencies is kept to a minimum. |
| 16 | Mitigated | Supply chain deployed binary | Tampering with data, information disclosure | GitHub Releases | A malicious actor could upload an untrusted binary which could then be deployed to the WindAutomat LXC | Releases can only be published by authorized people with access to the github releases. Additionally, the deployment action is always manually triggered by someone with repo access. |
| 17 | Mitigated | Privilege escalation / data leak grafana | Information Disclosure, Elevation of privilege | Grafana | Unauthorized access to the prometheus instance or grafana dashboards could disclose data attackers can leverage in an attack | Prometheus initiates the data scrape process, requiring tampering with dhcp or dns servers to supply malicious data, reading data and dashboards is only possible with password access to the grafana cloud instance |
| 18 | Mitigated | Logging/Monitoring failures | Denial of Service | Backend | Unexpected spikes in errors or request rates and response times can be indicators for an attack | Monitor the backend according to SRE by googles four golden signals: Latency, Traffic, Errors, Saturation. The metrics are visualised using a Grafana Dashboard. Alerting thresholds have been defined and are ready to be connected to alerting infrastructure. |
| 19 | Open | DOS: | Denial of Service | Backend | A malicious actor or a malfunctioning system could overwhelm the service with a extraordinarily high amount of traffic | Very limited protection due to budget restraints. Rate limiting at the haproxy ingress protects from unsophisticated DoS attacks. |
| 20 | Somewhat mitigated | human layer | Spoofing, Tampering, Repudiation, Information disclosure, Elevation of privilege | GitHub | Contributors could be compromised by phishing or social engineering attacks | All people with access to the project are experienced software engineers and/or IT administrators. Hardware keys are used for TFA to mitigate phishing attacks. |