Rudder

No relay¶

When there are no relay servers we can:

• Remove trustkey from copy_from bodies in initial and generated policies
• Empty trustkeysfrom on non policy server nodes
• => These ensure bootstrap policies are the only place we allow nodes to establish trust with their server. Once bootstrapped (and if not reset) the node will only trust its server.

• Replace IP-based remote-run acl by an admit_key with policy server's key hash. This limits remote-run from unauthorized sources, which is important is it can pass conditions that can modify the agent's behaviour.
• Document how to secure provisioning by removing trustkeysfrom in bootstrap policies in https://docs.rudder.io/reference/6.1/administration/security.html#_provisioning_an_agent_with_pre_established_trust

The key point is that root server do not download policies from a server but executes them locally, and only accepts remote-run from local addresses. This makes it immune to the described attack which only affect nodes and relays.

With this:

• We have TOFU back by default
• We allow secured bootstrapping

With relays¶

We need all from previous section, but it's trickier as we need the relay to allow connections from managed nodes and to download policies from a remote server

Idea¶

Add an admit_key for policy update (could be global to the agent for all connections with a copyfrom_restrict_keys => { ... } in body agent control, cannot be admit_keys as we can't provide a meaningful default value). This makes the security model really simple, but is some work, and may not be upstreamed.

This bug has been fixed in Rudder 5.0.20, 6.0.10, 6.1.6, 6.2.0~beta1 which were released by the end of October 2020.

• 5.0.20 changelog
• 6.0.10
• 6.1.6
• 6.2.0~beta1
• Upgrade manual