Action Confirmations Proposal
Empire exposes some pretty powerful features, like allowing you to easily run and attach to a container inside your infrastructure. Obviously, this poses a potential security risk. While work is being done to add more granular access control, that still doesn't fully solve the problem of an employee's laptop getting stolen, or a user's API key being exposed.
To address this, we'd like to propose "Action Confirmations" (name suggestions?). When invoking a potentially sensitive command, Empire will be able to consult a third party to request confirmation that the action being performed should be allowed. If the action is malicious (e.g. it was issued with a leaked API token), then it can be denied.
To start, we plan to implement a Duo integration, using 2fa push notifications. When a sensitive action is performed, Empire would send the user a Duo push. Once the user confirms the action, Empire will continue.
In the future, this could be expanded to support other means of confirmation. For example, I could envision a slack integration that sends the user a DM for confirmation, or posts to a channel asking for multiple users to confirm the action.
Implementation wise, this will just be a simple interface that the `empire.Empire` struct will consult to authorize the action:
```go
// ActionConfirmer is an interface that can be implemented to confirm that an
// action is allowed.
type ActionConfirmer interface {
	// Confirm should notify the third party of the action being performed,
	// then block until the action has been confirmed.
	Confirm(ctx context.Context, user *empire.User, action string, resource string, params map[string]string) (bool, error)
}
```
This may dovetail into the policy documents being added in https://github.com/remind101/empire/pull/987 to configure what Empire actions should require confirmation.
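As an added illustration (not part of this proposal or of Empire's code), here is one way an `ActionConfirmer` could be implemented in Go with an injected push transport. The `User` type stands in for `empire.User`, and `StubSend` is a constructed transport so the block runs offline. The point to note is that it fails closed: a transport error or an expired context denies the action rather than letting it through.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// User stands in for empire.User (assumed; the real type is not available here).
type User struct{ Name string }

// ActionConfirmer mirrors the interface from the proposal.
type ActionConfirmer interface {
	Confirm(ctx context.Context, user *User, action string, resource string, params map[string]string) (bool, error)
}

// Decision is the answer a push backend delivers once the user responds.
type Decision struct {
	Approved bool
	Err      error
}

// PushConfirmer sends a prompt through an injected transport (a Duo push, a
// Slack DM, ...) and blocks until a decision arrives or ctx expires.
type PushConfirmer struct {
	// Send delivers the prompt and returns a channel yielding exactly one decision.
	Send func(user *User, prompt string) <-chan Decision
}

var ErrConfirmationTimeout = errors.New("action confirmation timed out")

func (p PushConfirmer) Confirm(ctx context.Context, user *User, action, resource string, params map[string]string) (bool, error) {
	prompt := fmt.Sprintf("%s wants to %s %s (%v)", user.Name, action, resource, params)
	select {
	case d := <-p.Send(user, prompt):
		if d.Err != nil {
			return false, d.Err // fail closed on transport errors
		}
		return d.Approved, nil
	case <-ctx.Done():
		return false, ErrConfirmationTimeout // fail closed when nobody answers in time
	}
}

// StubSend is a constructed transport that answers with `approved` after `delay`.
func StubSend(approved bool, delay time.Duration) func(*User, string) <-chan Decision {
	return func(_ *User, _ string) <-chan Decision {
		ch := make(chan Decision, 1)
		go func() { time.Sleep(delay); ch <- Decision{Approved: approved} }()
		return ch
	}
}
```

The caller (here, whatever wraps `empire.Empire`) is expected to pass a context with a deadline, so an unanswered push can never block the request forever or silently succeed.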