What is Changing?
In the week of March 12th, 2019, Sumo Logic released a change to the behavior of the Script Sources and Script Actions features of our Installed Collector. This change addresses a security concern regarding the Collector’s default “opt-out” model for executing Script Sources and Script Actions.
By default, the current Sumo Logic Installed Collector executes Script Sources and Script Actions automatically, upon installation. This behavior will change for all Installed Collectors released after March 12th, 2019. Going forward, the Installed Collector will not execute scripts unless the "opt-in" flag is set in either the Collector’s user.properties configuration file or as a parameter in the command line installer. This effectively adds one additional configuration step the user must take before the Installed Collector executes Script Sources or Actions.
With Collector releases after March 12th, 2019, the following new installation and configuration parameters will be introduced.
Command Line:
Parameter | Description | Default Value |
-VenableScriptSource=[true/false] | If your organization's internal policies restrict the use of scripts, you can disable the running of script-based Sources. When this parameter is passed, Script Source will not execute on this Collector. | False |
-VenableActionSource=[true/false] | If your organization's internal policies restrict the use of script actions, you can disable the creation of script-based Action Sources. When this parameter is passed, Action Source will not execute on this Collector. | False |
user.properties
Note: for Collectors that have already been installed and registered, a restart of the Collector will be required to apply the configuration change.
Parameter | Description | Default Value |
enableActionSource=[true/false] | If your organization's internal policies restrict the use of script actions, you can disable the creation of script-based action sources. When this parameter is passed, action sources will not execute on this collector. | False |
enableScriptSource=[true/false] | If your organization's internal policies restrict the use of scripts, you can disable the running of script-based sources. When this parameter is passed, script source will not execute on this collector. | False |
Who does this affect?
The switch to the opt-in behavior will not change the behavior of currently deployed Installed Collectors. However, on March 12th, 2019, users who automate the deployment of new Installed Collectors will need to update their automation scripts to set the new opt-in flag in the user.properties file, or command line parameter, if they are also deploying Script Sources or Script Actions.
For Collectors released prior to March 12th, 2019, you may currently use the following existing parameters to disable the running of script sources or script actions within your Collector by setting the value to True.
Command Line:
Parameter | Description | Default Value |
-VdisableScriptSource=[true/false] | If your organization's internal policies restrict the use of scripts, you can disable the running of script-based Sources. When this parameter is passed, Script Source will not execute on this Collector. | False |
-VdisableActionSource=[true/false] | If your organization's internal policies restrict the use of script actions, you can disable the creation of script-based Action Sources. When this parameter is passed, Action Source will not execute on this Collector. | False |
user.properties
Note: for Collectors that have already been installed and registered, a restart of the Collector will be required to apply the configuration change.
Parameter | Description | Default Value |
disableActionSource=[true/false] | If your organization's internal policies restrict the use of script actions, you can disable the creation of script-based action sources. When this parameter is passed, action sources will not execute on this collector. | False |
disableScriptSource=[true/false] | If your organization's internal policies restrict the use of scripts, you can disable the running of script-based sources. When this parameter is passed, script source will not execute on this collector. | False |
What Security Vulnerabilities are being addressed?
Script Sources allow users to write scripts that Installed Collectors execute in order to collect data from custom sources other than log files. Similarly, Script Actions enable users to pass the results of a saved search to an Installed Collector, where it is temporarily saved to the filesystem.
Users may write these scripts from the Sumo Logic UI where they will be sent to the Collector and executed on the machine on which the collector is running. While only authenticated users with the Manage Collectors role can write and deploy these scripts, these same Sumo users may also be running the Installed Collector as a highly privileged local user such as root. Scripts passed to the Installed Collector would then execute as the user the collector is running as.
Users may already disable the automatic execution of Script Sources and Script Actions by setting the disableScriptSource or disableScriptAction properties, or with the VdisableScriptSource or VdisableScriptAction parameters in the command line installer. However, this is an opt-out model. Collectors released after March 12th, 2019 will instead follow an opt-in model for executing scripts.
Users of the Installed Collector may opt in to script execution by setting the enableScriptSource or enableActionSource properties to true in the user.properties file, collector.properties file, or with the VenableScriptSource and VenableActionSource parameters in the command line installer.
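The change of default described above, as an added example (not Sumo Logic's code): a small Python check that reads a Collector's user.properties content and reports whether Script Sources and Script Actions would run under the opt-out and the opt-in model. It assumes flag values are read as Java-style booleans and that each model consults only its own flag; the sample content is constructed.

```python
# Added example: audit a Collector's user.properties for script-execution flags.
# Assumption: values are read like Java booleans (only "true", any case, counts).
FEATURES = ("ScriptSource", "ActionSource")

# Constructed sample content, not taken from a real deployment.
SAMPLE = """\
# collector identity
name = web-01
enableScriptSource=true
disableActionSource: TRUE
"""


def parse_properties(text):
    """Parse the plain key/value subset of Java .properties syntax."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        cut = min(cuts) if cuts else len(line)   # first separator wins
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def is_true(props, key):
    return props.get(key, "").lower() == "true"


def scripts_allowed(props, opt_in):
    """Map each feature to whether the Collector would execute it.

    opt_in=True:  Collector released after March 12th, 2019; runs scripts
                  only when enable<Feature>=true.
    opt_in=False: earlier Collector; runs scripts unless disable<Feature>=true.
    """
    if opt_in:
        return {f: is_true(props, "enable" + f) for f in FEATURES}
    return {f: not is_true(props, "disable" + f) for f in FEATURES}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("no flags set", "")):
        props = parse_properties(text)
        print(label, "opt-out:", scripts_allowed(props, opt_in=False))
        print(label, "opt-in: ", scripts_allowed(props, opt_in=True))
```

A file with none of the four flags set is the case that differs between the two models: the earlier Collector runs both script types, the newer one runs neither.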