Skip to content

Commit

Permalink
Update tutorials (step-security#161)
Browse files Browse the repository at this point in the history
  • Loading branch information
@varunsh-coder
varunsh-coder authored Oct 8, 2023
1 parent e4e2fc2 commit 8a31825
Show file tree
Hide file tree
Showing 11 changed files with 48 additions and 27 deletions.
11 changes: 3 additions & 8 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,11 +81,6 @@ GitHub Actions Goat not only demonstrates vulnerabilities but also presents solu
| --- | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1. | Lack of Network Traffic Filtering can lead to Exfiltration of source code and CI/CD Credentials | [GitHub Actions Runtime Security - Filter Egress Network Traffic](docs/Solutions/RestrictOutboundTraffic.md) | ["Implement network segmentation and traffic filtering" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 2. | Lack of CI/CD Runtime Security can lead to Tampering of Source Code or Artifacts during Build | [GitHub Actions Runtime Security - Detect File Tampering](docs/Solutions/MonitorSourceCode.md) | ["Implement endpoint detection and response (EDR) tools" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 3. | Lack of Detailed Audit Logs for CI/CD Activities | [Trace deployments to CI/CD pipeline and commit](docs/Solutions/Provenance.md) | ["Keep audit logs" section in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 4. | Overprivileged GITHUB_TOKEN Permissions can lead to tampering of repository contents or container images | [Update workflows to use least privileged GITHUB_TOKEN permissions](docs/Solutions/FixGITHUB_TOKENPermissions.md) | ["Use credentials that are minimally scoped" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets) |
| 5. | Use of Long-Term CI/CD Credentials | 1. [Audit and rotate registered secrets](docs/Solutions/AuditGitHubActionsSecrets.md) <br/> 2. [Use OpenID Connect (OIDC) in GitHub Actions workflows](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-openid-connect-to-access-cloud-resources) | 1. ["Audit and rotate secrets" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets) <br/>2. ["Using OpenID Connect to access cloud resources" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-openid-connect-to-access-cloud-resources) <br/>3. ["Minimize the use of long-term credentials" in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 6. | Use of Untrusted 3rd Party GitHub Actions | 1. [Review GitHub Actions used across your Organization](docs/Solutions/ReviewGitHubActions.md) <br/> 2. [Pin actions to a full length commit SHA](docs/Solutions/PinGitHubActions.md) | 1. ["Using 3rd party Actions" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) <br/>2. ["Restrict untrusted libraries and tools" section in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 7. | Outdated GitHub Actions with Known Vulnerabilities | [Configure Dependabot to keep Actions up to date](docs/Solutions/Dependabot.md) | 1. ["Using Dependabot version updates to keep Actions up to date" from GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-dependabot-version-updates-to-keep-actions-up-to-date) <br/>2. ["Keep CI/CD tools up-to-date" in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 8. | Absence of Security Scanning within the CI/CD Pipeline | [Integrate security scanning as part of the CI/CD pipeline](docs/Solutions/IntegrateSecurity.md) | ["Integrate security scanning as part of the CI/CD pipeline" section of the CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 9. | Secrets Stored as Plaintext in Workflow Files | Scan for Secrets in Workflow Files | 1. ["Using Secrets" section in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets) <br/>2. ["Secure secrets" section in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 10. | Secrets Logged in the Build Logs | Scan for Secrets in Build Logs | 1. ["Using Secrets" section in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets) <br/>2. ["Secure secrets" section in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 3. | Lack of Detailed Audit Logs for CI/CD Activities | [Forensically Reconstruct An Incident Post-Compromise](docs/Solutions/ForensicAnalysis.md) | ["Keep audit logs" section in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 4. | Use of Long-Term CI/CD Credentials | [Audit and rotate registered secrets](docs/Solutions/AuditGitHubActionsSecrets.md) | 1. ["Audit and rotate secrets" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets) <br/>2. ["Using OpenID Connect to access cloud resources" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-openid-connect-to-access-cloud-resources) <br/>3. ["Minimize the use of long-term credentials" in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
| 5. | Use of Untrusted 3rd Party GitHub Actions | [Review GitHub Actions used across your Organization](docs/Solutions/ReviewGitHubActions.md) | 1. ["Using 3rd party Actions" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) <br/>2. ["Restrict untrusted libraries and tools" section in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF) |
8 changes: 6 additions & 2 deletions docs/Solutions/AuditGitHubActionsSecrets.md
View file
Original file line number Diff line number Diff line change
@@ -1,15 +1,19 @@
# Audit and Rotate GitHub Actions Secrets

> ["Minimize the use of long-term credentials" in CISA/NSA document](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF): For software-to-software authentication, avoid using software-based long-term credentials as much as possible.
[🔙 Go back to the list of tutorials](../../README.md#vulnerabilities-and-countermeasures)

## Tutorial

In this tutorial you will use the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to view the list of all your GitHub Actions Secret names and `Days Since Last Rotated`. This will help you understsand which secrets should be rotated.

1. Add a GitHub Actions secret to your repository. Under your repository name, click Settings. In the "Security" section of the sidebar, select Secrets and variables, then click Actions. Click the Secrets tab. Click New repository secret and add a secret. You can add any name and value.
1. Add a GitHub Actions secret to your repository. Under your repository name, click Settings. In the `Security` section of the sidebar, select ` Secrets and variables``, then click `Actions`` . Click the `Secrets `` tab. Click `New repository secret`` and add a secret. You can add any name and value.

2. Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) on your repository. You will get an email with a link to your dashboard.

3. Then go to the `Actions Secrets` tab in the dashboard. Here you will be able to view the secret name along with `Days Since Last Rotated`. Since this is a new secret, that value will be 0. You can try on your own repository where you had created secrets on an earlier date.

<img src="../../images/ActionsSecrets.png" alt="Link to security insights" width="800">
<img src="../../images/ActionsSecrets2.png" alt="Link to security insights" width="800">

> The App only needs `actions: read` and `secrets metadata: read` permissions on your repositories. `secrets metadata: read` permission only gives access to the list of GitHub Actions secret names (and not to the actual secret).
23 changes: 23 additions & 0 deletions docs/Solutions/ForensicAnalysis.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Forensically Reconstruct An Incident Post-Compromise

> **["Keep audit logs" section in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF)**: An audit log should provide clear information on who committed, reviewed, and deployed what, when, and where. If all previous measures fail, an audit log will at least help **forensically reconstruct an incident post-compromise**, so it can be quickly addressed
[🔙 Go back to the list of tutorials](../../README.md#vulnerabilities-and-countermeasures)

## Tutorial

In this tutorial, you will simulate an attack scenario, in which an attacker runs a workflow to exfiltrate CI/CD Secrets and then deletes the workflow run to remove evidence of the run.

This can happen if a developer's credentials or a Personal Access Token (PAT) has been compromised, and then used to exfiltrate CI/CD Secrets.

You will then locate the record for the worflow run in the StepSecurity dashboard and use it for forensic analysis.

1. Go to the `Actions` tab and run the `Hosted: Network Monitoring with Harden-Runner` workflow. This is similar to an attacker with `write` access to the repository creating and running a workflow.

2. Now do to the workflow run, click on the `...` next to it, and click on `Delete workflow run`. Now there is no evidence that this workflow ran.

3. Now, to conduct forensic analysis, go to the `StepSecurity Dashboard` and click on the `Runtime Security` tab.

4. You should see a record for the workflow run and can click on it to view the outbound calls made during the run, and what process made the call.

5. This is important forensic information that can help confirm the incident, and identify the step and the process that exfiltrated secrets. It can also be used to understand who ran the workflow to identify whose credentials have been compromised.
4 changes: 4 additions & 0 deletions docs/Solutions/MonitorSourceCode.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@

> For examples of real-world incidents in which files have been tampered during the build and release process in CI/CD pipelines, refer to [Tampering of source code or artifacts during build](../Vulnerabilities/TamperingDuringBuild.md)
> **["Implement endpoint detection and response (EDR) tools" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF)**: EDR tools provide a high degree of visibility into the security status of endpoints and can help effectively protect against MCAs.
[🔙 Go back to the list of tutorials](../../README.md#vulnerabilities-and-countermeasures)

## Tutorials

1. [Detect File Tampering (GitHub-Hosted Runner)](#detect-file-tampering-github-hosted-runner)
Expand Down
15 changes: 0 additions & 15 deletions docs/Solutions/Provenance.md
View file

This file was deleted.

4 changes: 4 additions & 0 deletions docs/Solutions/RestrictOutboundTraffic.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@

> For examples of real-world incidents in which credentials have been exfiltrated from CI/CD pipelines, refer to [Exfiltration of secrets from the CI/ CD pipeline](../Vulnerabilities/ExfiltratingCICDSecrets.md)
> **["Implement network segmentation and traffic filtering" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF)**: Implement and ensure robust network segmentation between networks and functions to reduce the spread of malware and limit access from other parts of the network that do not need access.
[🔙 Go back to the list of tutorials](../../README.md#vulnerabilities-and-countermeasures)

## Tutorials

1. [Filter Network Traffic (GitHub-hosted Runner)](#filter-network-traffic-github-hosted-runner)
Expand Down
Loading

0 comments on commit 8a31825

Please sign in to comment.