Skip to content

mitigations.md

Latest commit

 

History

History
167 lines (124 loc) · 11.4 KB

mitigations.md

File metadata and controls

167 lines (124 loc) · 11.4 KB

Mitigation Strategies Analysis for apache/mesos

Mitigation Strategy: Enforce Strong Authentication (Mesos-Specific)

  • Mitigation Strategy: Implement Kerberos Authentication within Mesos

  • Description:

    1. Configure Mesos Master: On the Mesos master, set the following flags:
      • --authenticate_agents=true
      • --authenticate_frameworks=true
      • --authenticate_http_readwrite=true
      • --kerberos_principal=<master_principal> (e.g., mesos/master.example.com@EXAMPLE.COM)
      • --kerberos_keytab=<path_to_master_keytab>
    2. Configure Mesos Agents: On each Mesos agent, set the following flags:
      • --authenticatee=kerberos
      • --kerberos_principal=<agent_principal> (e.g., mesos/agent1.example.com@EXAMPLE.COM)
      • --kerberos_keytab=<path_to_agent_keytab>
    3. Configure Frameworks: Frameworks must be modified to use the Mesos Kerberos authentication mechanism. This requires code changes within each framework to utilize the Mesos API and provide Kerberos credentials.
    4. Obtain Kerberos Tickets: Ensure users and frameworks obtain valid Kerberos tickets before interacting with Mesos.

  • Threats Mitigated:

    • Unauthorized Access (Critical): Prevents unauthorized users/frameworks from interacting with the Mesos cluster.
    • Man-in-the-Middle Attacks (High): Kerberos (with mutual authentication) helps prevent impersonation.
    • Replay Attacks (Medium): Limited ticket lifetimes reduce the replay attack window.

  • Impact:

    • Unauthorized Access: Risk significantly reduced (near elimination with proper implementation).
    • Man-in-the-Middle Attacks: Risk significantly reduced.
    • Replay Attacks: Risk reduced.

  • Currently Implemented: Partially. Kerberos is configured on the Mesos master and agents (src/master/master.cpp, src/slave/slave.cpp).

  • Missing Implementation: Frameworks are not updated to use Kerberos. This is a critical gap. Requires code changes in all frameworks (e.g., frameworks/spark/spark_executor.cpp, frameworks/marathon/marathon.scala). User documentation needs updating.

Mitigation Strategy: Fine-Grained Authorization (ACLs)

  • Mitigation Strategy: Implement and Regularly Audit Mesos ACLs

  • Description:

    1. Create ACL JSON File: Create a JSON file (e.g., acls.json) defining access control rules. Each rule specifies:
      • principals: Principals (users, frameworks, roles) the rule applies to. Use "type": "ANY", "type": "SOME", or "type": "NONE".
      • permissions: Permissions allowed or denied. Use "type": "ANY", "type": "SOME", or "type": "NONE".
      • objects: Objects the rule applies to (tasks, frameworks, endpoints). Use the same "type" options.
    2. Configure Mesos Master: On the Mesos master, set the --acls flag: --acls=file:///path/to/acls.json.
    3. Define ACLs for Key Actions: Define ACLs for at least:
      • register_frameworks
      • run_tasks
      • shutdown_frameworks
      • get_endpoints
      • teardown
    4. Principle of Least Privilege: Grant only the minimum necessary permissions.
    5. Regular Audits: Review and update ACLs regularly (e.g., every 3 months).

  • Threats Mitigated:

    • Unauthorized Actions (Critical): Prevents unauthorized actions within the cluster.
    • Privilege Escalation (High): Limits the ability to gain higher privileges.
    • Information Disclosure (Medium): Restricts access to sensitive endpoints.

  • Impact:

    • Unauthorized Actions: Risk significantly reduced (depends on ACL granularity).
    • Privilege Escalation: Risk significantly reduced.
    • Information Disclosure: Risk reduced.

  • Currently Implemented: Basic ACLs exist in config/acls.json, but they are incomplete and don't follow least privilege.

  • Missing Implementation: acls.json needs a complete overhaul to be granular and cover all actions/endpoints. Regular audits are not performed. Integration with role management is needed.

Mitigation Strategy: TLS Encryption for Mesos Communication

  • Mitigation Strategy: Enable TLS for All Mesos Communication Channels using Mesos flags.

  • Description:

    1. Generate Certificates: Have TLS certificates and keys for the master and each agent.
    2. Configure Mesos Master: On the Mesos master, set:
      • --ssl_key_file=<path_to_master_key>
      • --ssl_cert_file=<path_to_master_cert>
    3. Configure Mesos Agents: On each agent, set:
      • --ssl_key_file=<path_to_agent_key>
      • --ssl_cert_file=<path_to_agent_cert>
    4. Configure Frameworks: Frameworks must be modified to use TLS via the Mesos API, providing certificate/key information. This is a code change within each framework.
    5. Verify Certificates: Ensure all components are configured to verify certificates.

  • Threats Mitigated:

    • Eavesdropping (High): Prevents interception of data between Mesos components.
    • Man-in-the-Middle Attacks (High): Prevents impersonation and data injection.
    • Data Tampering (High): Ensures data integrity.

  • Impact:

    • Eavesdropping: Risk eliminated (with proper TLS and strong ciphers).
    • Man-in-the-Middle Attacks: Risk significantly reduced (depends on verification).
    • Data Tampering: Risk significantly reduced.

  • Currently Implemented: TLS is enabled for master-agent communication (src/master/master.cpp, src/slave/slave.cpp).

  • Missing Implementation: Frameworks are not configured to use TLS. This is a critical gap, requiring code changes in all frameworks. Strict certificate verification is not enforced. A robust certificate management process is needed.

Mitigation Strategy: Use the Mesos Containerizer and Configure Resource Isolation (Mesos-Specific)

  • Mitigation Strategy: Utilize Mesos Containerizer and Configure Resource Isolation using Mesos flags and task definitions.

  • Description:

    1. Enable Mesos Containerizer: On each Mesos agent, set --containerizers=mesos.
    2. Enable Isolators: On each Mesos agent, enable isolators: --isolation=filesystem/linux,cpu/cfs,mem/cgroups (adjust as needed).
    3. Configure Resource Limits: In the TaskInfo message (within framework code), specify resource limits (CPU, memory, disk) for each container.
    4. Limit Capabilities: In the ContainerInfo message (within framework code), restrict capabilities using the capabilities field. Drop unnecessary capabilities.
    5. Non-Root User: In the TaskInfo (within framework code), specify a non-root user using the user field.

  • Threats Mitigated:

    • Container Escape (High): Isolation (cgroups, namespaces, capabilities) makes escape harder.
    • Resource Exhaustion (Medium): Resource limits prevent denial-of-service.
    • Privilege Escalation (High): Limited capabilities and non-root user reduce escalation potential.

  • Impact:

    • Container Escape: Risk significantly reduced.
    • Resource Exhaustion: Risk significantly reduced.
    • Privilege Escalation: Risk significantly reduced.

  • Currently Implemented: Mesos Containerizer and basic isolators are enabled (src/slave/slave.cpp).

  • Missing Implementation: Resource limits are not consistently enforced in all task definitions (framework code). Capability restrictions are not implemented (framework code). Running containers as non-root is not consistently enforced (framework code). This requires changes to all frameworks.

Mitigation Strategy: Restrict Access to HTTP Endpoints (Mesos-Specific)

  • Mitigation Strategy: Use Mesos ACLs to control access to HTTP endpoints.

  • Description:

    1. Identify Sensitive Endpoints: Determine which Mesos HTTP endpoints expose sensitive information or allow control over the cluster.
    2. Modify ACLs: Within the acls.json file (configured via the --acls flag on the master), add rules to the get_endpoints permission.
      • Specify the principals who should be allowed to access specific endpoints.
      • Use "type": "SOME" and list specific principals, or "type": "NONE" to deny access to everyone.
      • Specify the objects to be the specific endpoint paths (e.g., /metrics/snapshot, /state, /master/state-summary).
    3. Authentication for Endpoints: Use the --authenticate_http_readonly and --authenticate_http_readwrite flags on the Mesos master to require authentication for accessing HTTP endpoints.

  • Threats Mitigated:

    • Information Disclosure (Medium/High): Prevents unauthorized access to sensitive cluster information.
    • Unauthorized Actions (High): Prevents unauthorized control of the cluster via HTTP endpoints.

  • Impact:

    • Information Disclosure: Risk significantly reduced, depending on the completeness of the ACLs.
    • Unauthorized Actions: Risk significantly reduced.

  • Currently Implemented: Basic get_endpoints ACLs might exist, but are likely insufficient. Authentication flags may be set.

  • Missing Implementation: Comprehensive ACLs specifically targeting sensitive endpoints are needed. Regular review and updates of these ACLs are crucial. Needs to be combined with strong authentication.

Mitigation Strategy: Secrets Management (Using Mesos Secrets - if available)

  • Mitigation Strategy: Utilize Mesos's built-in secrets support (if available in the Mesos version).

  • Description:

    1. Enable Secrets: If using a Mesos version that supports secrets, ensure the feature is enabled on the Mesos master. This may involve setting specific flags.
    2. Define Secrets: Define secrets on the Mesos master. The exact mechanism depends on the Mesos version and configuration.
    3. Reference Secrets in Task Definitions: Within the framework code, when constructing the TaskInfo message, reference the defined secrets. This allows the secrets to be securely passed to the container.
    4. Avoid Environment Variables Directly: Do not pass secrets directly through environment variables if using Mesos secrets.

  • Threats Mitigated:

    • Secret Exposure (High): Reduces the risk of secrets being exposed in logs, configuration files, or through environment variables.
    • Credential Theft (High): Makes it harder for attackers to steal secrets.

  • Impact:

    • Secret Exposure: Risk significantly reduced.
    • Credential Theft: Risk significantly reduced.

  • Currently Implemented: Unknown. Depends on the specific Mesos version being used.

  • Missing Implementation: If Mesos secrets are supported, frameworks need to be updated to use them. If not supported, alternative secret management solutions (external to Mesos) must be used, and frameworks must integrate with those.