Beats: [Elastic Agent] Sign elastic-agent.exe

Created on 17 Aug 2020 · 10Comments · Source: elastic/beats

The elastic-agent.exe is not code signed. Signed executables ensure the identity and integrity of software, allowing it to be trusted by User Access Control (UAC).

Ingest Management v7.11.0

Source

russcam

❤1

All 10 comments

Pinging @elastic/ingest-management (Team:Ingest Management)

elasticmachine on 17 Aug 2020

@russcam We are planning to add MSI installer for the elastic-agent, I believe only MSI artifacts of Filebeat / Metricbeat are signed.

@Conky5 am I correct?

ph on 17 Aug 2020

We are planning to add MSI installer for the elastic-agent

Great to hear! The MSI would be able to take care of configuring the Windows service, so there would be no need for the PowerShell scripts. It would still be good practice to code sign both the MSI and the elastic-agent.exe executable installed with it.

I believe only MSI artifacts of Filebeat / Metricbeat are signed.

These MSIs are signed with a SHA1 signing certificate

russcam on 18 Aug 2020

👍1

I am going to close this, because we will handle it at the MSI level and leave our the powershell scripts.

ph on 18 Aug 2020

I would like to consider having this reopened. While signing MSIs is very important and covers some use cases, failing to sign the already-installed executables causes issues for many other use cases.

One example where this is currently a problem is for application whitelisting. Many compliance frameworks requireme organizations to control which software is allowed to run. This is often accomplished through the publisher's certificate to whitelist signed software. Failing to properly sign executables (not just the installers) means that this approach fails to whitelist Elastic products. Instead, the application whitelisting software has to be provided a file hash, and this file hash has to be regenerated every single time the binary is updated. This becomes prohibitive. Other approaches, such as whitelisting by filepath, are not as secure.

Given that Elastic is a security-focused company, I don't see how failing to sign installed binaries makes business sense. Unsigned software should be avoided for security reasons and causes headaches for compliance.

michaelmagyar on 31 Aug 2020

👍1

@michaelmagyar Good poing on everything you said. We want to have them signed, it was track in another issue. I will keep this public issue open to track the effort

ph on 31 Aug 2020

👍1

@michalpristas Does the elastic-agent.exec binaries are signed?

ph on 14 Oct 2020

removed mention of powershell scripts and only keep the elastic-agent.exec.

ph on 29 Oct 2020

Given that Elastic is a security-focused company, I don't see how failing to sign installed binaries makes business sense. Unsigned software should be avoided for security reasons and causes headaches for compliance.

Except for endpoint-security.exe and elastic-endpoint.exe, none of the official beats, nor elastic-agent.exe is signed.. Please sign at least:

auditbeat.exe
filebeat.exe
metricbeat.exe
packetbeat.exe
winlogbeat.exe
elastic-agent.exe

Thanks

willemdh on 2 Jan 2021

@willemdh they will be signed in the next release.

ph on 4 Jan 2021

❤1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Improvements To Beats/Logstash "ACK" Protocol Including Covering Load Balancing and Log Messaging

MorrieAtElastic · 3Comments

Journalbeat sends duplicate log entries on restart

kemra102 · 3Comments

[Filebeat] Kubernetes metadata fields not expanded in rollover_alias and policy_name

TomaszKlosinski · 3Comments

Reduce memory usage of elasticsearch/index metricset

ycombinator · 3Comments

[Winlogbeat] [Sysmon] dns.resolved_ip - not an IP string literal