Release/v10.8.4 (#1266)

* Update agent-manager to use http.Server with TLS 1.3 configuration

* Update the Bitdefender plugin to enforce the minimum required TLS version 1.3

* update nginx tls config to v1.3

* update changelog

* trigger action

* Allow agent dependencies download using powershell with tls v1.3

* allow only secure ciphersuites in tls 1.2 for agent dependencies

* remove auth in dependencies endpoint

* remove authentication when downloading dependencies from agent

---------

Co-authored-by: Yadian Llada Lopez <[email protected]>
Co-authored-by: Yorjander Hernandez Vergara <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -1,3 +1,3 @@
-# UTMStack 10.8.3 Release Notes
+# UTMStack 10.8.4 Release Notes
 
-- Fixed a potential delay in log input in O365, AWS, and Sophos Central integrations.
+- Enhanced security and compliance by upgrading several internal components—most notably the update server—to exclusively support TLS 1.3.

agent-manager/auth/dependencies_interceptor.go

@@ -1,11 +1,11 @@
 package updates
 
 import (
+	"crypto/tls"
 	"net/http"
 
 	"github.com/gin-contrib/gzip"
 	"github.com/gin-gonic/gin"
-	"github.com/utmstack/UTMStack/agent-manager/auth"
 	"github.com/utmstack/UTMStack/agent-manager/util"
 )
 
@@ -27,14 +27,38 @@ func ServeDependencies() {
 
 	r.NoRoute(notFound)
 
-	group := r.Group("/private", auth.HTTPAuthInterceptor())
+	group := r.Group("/private")
 	group.StaticFS("/dependencies", http.Dir("/dependencies"))
 
+	cert, err := tls.LoadX509KeyPair("/cert/utm.crt", "/cert/utm.key")
+	if err != nil {
+		util.Logger.ErrorF("failed to load certificates: %v", err)
+	}
+
+	tlsConfig := &tls.Config{
+		MinVersion:   tls.VersionTLS12,
+		Certificates: []tls.Certificate{cert},
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		},
+
+		PreferServerCipherSuites: true,
+	}
+
+	server := &http.Server{
+		Addr:      ":8080",
+		Handler:   r,
+		TLSConfig: tlsConfig,
+	}
+
 	util.Logger.Info("Starting HTTP server on port 8080")
-	if err := r.RunTLS(":8080", "/cert/utm.crt", "/cert/utm.key"); err != nil {
+	err = server.ListenAndServeTLS("", "")
+	if err != nil {
 		util.Logger.ErrorF("error starting HTTP server: %v", err)
-		return
 	}
+
 }
 
 func notFound(c *gin.Context) {

agent-manager/updates/updates.go

@@ -51,14 +51,8 @@ func CleanOldServices(cnf *config.Config) {
 
 	if oldVersion {
 		utils.Logger.Info("old version of agent found, downloading new version")
-		headers := map[string]string{
-			"key":  cnf.AgentKey,
-			"id":   fmt.Sprintf("%v", cnf.AgentID),
-			"type": "agent",
-		}
-
 		if runtime.GOOS != "darwin" {
-			if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, cnf.Server, config.DependenciesPort, fmt.Sprintf(config.UpdaterSelf, "")), headers, fmt.Sprintf(config.UpdaterSelf, "_new"), utils.GetMyPath(), cnf.SkipCertValidation); err != nil {
+			if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, cnf.Server, config.DependenciesPort, fmt.Sprintf(config.UpdaterSelf, "")), map[string]string{}, fmt.Sprintf(config.UpdaterSelf, "_new"), utils.GetMyPath(), cnf.SkipCertValidation); err != nil {
 				utils.Logger.LogF(100, "error downloading updater: %v", err)
 				return
 			}

agent/serv/clean-old.go

@@ -12,15 +12,13 @@ import (
 )
 
 func DownloadFirstDependencies(address string, authKey string, insecure bool) error {
-	headers := map[string]string{"connection-key": authKey}
-
-	if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, address, config.DependenciesPort, "version.json"), headers, "version.json", utils.GetMyPath(), insecure); err != nil {
+	if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, address, config.DependenciesPort, "version.json"), map[string]string{}, "version.json", utils.GetMyPath(), insecure); err != nil {
 		return fmt.Errorf("error downloading version.json : %v", err)
 	}
 
 	dependFiles := config.DependFiles
 	for _, file := range dependFiles {
-		if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, address, config.DependenciesPort, file), headers, file, utils.GetMyPath(), insecure); err != nil {
+		if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, address, config.DependenciesPort, file), map[string]string{}, file, utils.GetMyPath(), insecure); err != nil {
 			return fmt.Errorf("error downloading file %s: %v", file, err)
 		}
 	}

agent/updates/dependencies.go

@@ -29,13 +29,7 @@ func UpdateDependencies(cnf *config.Config) {
 	for {
 		time.Sleep(checkEvery)
 
-		headers := map[string]string{
-			"key":  cnf.AgentKey,
-			"id":   fmt.Sprintf("%v", cnf.AgentID),
-			"type": "agent",
-		}
-
-		if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, cnf.Server, config.DependenciesPort, "version.json"), headers, "version_new.json", utils.GetMyPath(), cnf.SkipCertValidation); err != nil {
+		if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, cnf.Server, config.DependenciesPort, "version.json"), map[string]string{}, "version_new.json", utils.GetMyPath(), cnf.SkipCertValidation); err != nil {
 			utils.Logger.ErrorF("error downloading version.json: %v", err)
 			continue
 		}
@@ -48,7 +42,7 @@ func UpdateDependencies(cnf *config.Config) {
 
 		if newVersion.Version != currentVersion.Version {
 			utils.Logger.Info("New version of agent found: %s", newVersion.Version)
-			if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, cnf.Server, config.DependenciesPort, fmt.Sprintf(config.ServiceFile, "")), headers, fmt.Sprintf(config.ServiceFile, "_new"), utils.GetMyPath(), cnf.SkipCertValidation); err != nil {
+			if err := utils.DownloadFile(fmt.Sprintf(config.DependUrl, cnf.Server, config.DependenciesPort, fmt.Sprintf(config.ServiceFile, "")), map[string]string{}, fmt.Sprintf(config.ServiceFile, "_new"), utils.GetMyPath(), cnf.SkipCertValidation); err != nil {
 				utils.Logger.ErrorF("error downloading agent: %v", err)
 				continue
 			}

agent/updates/update.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"net/http"
 	"path/filepath"
@@ -80,12 +81,17 @@ func ServerUp(cnf *types.ConfigurationSection, certsPath string) {
 		_, _ = w.Write([]byte("Server is up and running"))
 	}).Methods("GET")
 
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS13,
+	}
+
 	server := &http.Server{
 		Addr:           ":" + constants.GetConnectorPort(),
 		Handler:        r,
 		ReadTimeout:    10 * time.Second,
 		WriteTimeout:   10 * time.Second,
 		MaxHeaderBytes: 1 << 20,
+		TLSConfig:      tlsConfig,
 	}
 
 	go func() {

bitdefender/server/server.go

@@ -5,9 +5,10 @@ export const PLATFORM = [
         name: 'WINDOWS',
         install: `New-Item -ItemType Directory -Force -Path "C:\\Program Files\\UTMStack\\UTMStack Collectors\\AS400"; ` +
                   `cd "C:\\Program Files\\UTMStack\\UTMStack Collectors\\AS400"; ` +
-                  `Invoke-WebRequest -Uri "https://V_IP:9001/private/dependencies/collector/windows-as400-collector.zip" ` +
-                  `-OutFile ".\\windows-as400-collector.zip"; Expand-Archive -Path ".\\windows-as400-collector.zip" ` +
-                  `-DestinationPath "."; Remove-Item ".\\windows-as400-collector.zip"; Start-Process ".\\utmstack_collectors_installer.exe" ` +
+                  `& curl.exe -k -o ".\\windows-as400-collector.zip" ` +
+                  `"https://V_IP:9001/private/dependencies/collector/windows-as400-collector.zip"; ` +
+                  `Expand-Archive -Path ".\\windows-as400-collector.zip" -DestinationPath "."; ` +  
+                  `Remove-Item ".\\windows-as400-collector.zip"; Start-Process ".\\utmstack_collectors_installer.exe" ` +
                   `-ArgumentList 'install', 'as400', 'V_IP', '<secret>V_TOKEN</secret>' -NoNewWindow -Wait`,
 
       uninstall: `cd "C:\\Program Files\\UTMStack\\UTMStack Collectors\\AS400"; ` +
@@ -29,11 +30,11 @@ export const PLATFORM = [
         name: 'LINUX UBUNTU',
         install: `sudo bash -c "apt update -y && apt install wget unzip -y && mkdir -p ` +
                   `/opt/utmstack-linux-collectors/as400 && cd /opt/utmstack-linux-collectors/as400 && ` +
-                  `wget --no-check-certificate --header='connection-key: V_TOKEN' ` +
+                  `wget --no-check-certificate ` +
                   `https://V_IP:9001/private/dependencies/collector/linux-as400-collector.zip ` +
                   `&& unzip linux-as400-collector.zip && rm linux-as400-collector.zip && chmod -R 777 ` +
                   `utmstack_collectors_installer && ./utmstack_collectors_installer install as400 ` +
-                  `V_IP V_TOKEN"`,
+                  `V_IP <secret>V_TOKEN<secret>"`,
 
 
       uninstall: `sudo bash -c " cd /opt/utmstack-linux-collectors/as400 && ./utmstack_collectors_installer ` +

frontend/src/app/app-module/guides/guide-as400/constants.ts

@@ -37,7 +37,7 @@ export class GuideLinuxAgentComponent implements OnInit {
     const ip = window.location.host.includes(':') ? window.location.host.split(':')[0] : window.location.host;
 
     return `sudo bash -c "apt update -y && apt install wget -y && mkdir -p /opt/utmstack-linux-agent && \
-    wget --no-check-certificate --header='connection-key: <secret>${this.token}</secret>' -P /opt/utmstack-linux-agent \
+    wget --no-check-certificate -P /opt/utmstack-linux-agent \
     https://${ip}:9001/private/dependencies/agent/${installerName} && \
     chmod -R 777 /opt/utmstack-linux-agent/${installerName} && \
     /opt/utmstack-linux-agent/${installerName} install ${ip} <secret>${this.token}</secret> yes"`;
@@ -47,7 +47,7 @@ export class GuideLinuxAgentComponent implements OnInit {
     const ip = window.location.host.includes(':') ? window.location.host.split(':')[0] : window.location.host;
 
     return `sudo bash -c "yum install wget -y && mkdir -p /opt/utmstack-linux-agent && \
-    wget --no-check-certificate --header='connection-key: <secret>${this.token}</secret>' -P /opt/utmstack-linux-agent \
+    wget --no-check-certificate -P /opt/utmstack-linux-agent \
     https://${ip}:9001/private/dependencies/agent/${installerName} && \
     chmod -R 777 /opt/utmstack-linux-agent/${installerName} && \
     /opt/utmstack-linux-agent/${installerName} install ${ip} <secret>${this.token}</secret> yes"`;
@@ -57,7 +57,7 @@ export class GuideLinuxAgentComponent implements OnInit {
     const ip = window.location.host.includes(':') ? window.location.host.split(':')[0] : window.location.host;
 
     return `sudo bash -c "dnf install wget -y && mkdir -p /opt/utmstack-linux-agent && \
-    wget --no-check-certificate --header='connection-key: <secret>${this.token}</secret>' -P /opt/utmstack-linux-agent \
+    wget --no-check-certificate -P /opt/utmstack-linux-agent \
     https://${ip}:9001/private/dependencies/agent/${installerName} && \
     chmod -R 777 /opt/utmstack-linux-agent/${installerName} && \
     /opt/utmstack-linux-agent/${installerName} install ${ip} <secret>${this.token}</secret> yes"`;

frontend/src/app/app-module/guides/guide-linux-agent/guide-linux-agent.component.ts

@@ -56,8 +56,7 @@ export class GuideWinlogbeatComponent implements OnInit {
     const ip = window.location.host.includes(':') ? window.location.host.split(':')[0] : window.location.host;
 
     return `New-Item -ItemType Directory -Force -Path "C:\\Program Files\\UTMStack\\UTMStack Agent"; ` +
-      `& curl.exe -k -H "connection-key: <secret>${this.token}</secret>" ` +
-      `-o "C:\\Program Files\\UTMStack\\UTMStack Agent\\${arch}" ` +
+      `& curl.exe -k -o "C:\\Program Files\\UTMStack\\UTMStack Agent\\${arch}" ` +
       `"https://${ip}:9001/private/dependencies/agent/${arch}"; ` +
       `Start-Process "C:\\Program Files\\UTMStack\\UTMStack Agent\\${arch}" ` +
       `-ArgumentList 'install', '${ip}', '<secret>${this.token}</secret>', 'yes' -NoNewWindow -Wait`;