What Bigfix can offer in terms of certificate discovery?

dominikj 2020-06-16 07:53:15 UTC #1

What can Bigfix offer in terms of certificate discovery, inventory details etc.
We’re looking at how we can find certs out in the environment, what CA they were issued by and when they expire. Is there any module function that have this out of the box in BigFIx Platform or BigFix Inventory?

Any and all help is appreciated.

JonL 2020-06-16 19:14:40 UTC #2

@dominikj, that is a tricky question although one we have attempted at our organization. It is reasonably easy to discover what is in Windows machine cert store via certutil or powershell. Results from those outputs can be written to logs and parsed with an analysis.

Things get more difficult from there. A lot of it depends on how homogeneous your environment is. We have a bit of everything, so it is challenging. Discovering and reporting on Java trust and cert stores, whether on Windows or *nix is harder, but can be done if you know where they are located and what the passwords are for them. Java’s Keytool has syntax for that.

Sample line:
keytool.exe -list -v -keystore path\IdentityStore.jks -storepass yourpasswordhere > path\file.log

We have conventions for our Java paths, names, and passwords to make it easier to manage thousands of them. Those keytool logs can then also be consumed in an analysis to lift out the items of interest.

These steps work well in a very structured homogeneous environment.

Another approach, which we also use, is to interrogate common secure ports such as 443, 8443, etc by running a script with something like curl, wget, or powershell. This works ok for known and common ports. I’ve run into several odd secure ports in our own environment that don’t fit the mold. Ports like 17004. You’ll have to partner with apps teams to discover those.

jgstew 2020-06-16 19:38:19 UTC #3

You can sort of directly interrogate this information using relevance to inspect the registry for this info, but it is kind of painful. There is a new inspector that might help but I haven’t had a chance to try it: pem encoded certificate string of <string>: x509 certificate

This gives the raw blobs of what should be all certs:

values "Blob" of keys of keys "Certificates" of keys of keys "SOFTWARE\Microsoft\SystemCertificates" of (keys "HKEY_LOCAL_MACHINE" of it; keys of keys "HKEY_USERS" of it) of (x64 registries; x32 registries)

Examples:

JonL 2020-06-16 19:56:24 UTC #4

The best cert inventories I’ve seen are either with Strawgate or my colleague’s powershell based scripts.

Existing inspectors have limited utility. It would be great to see an enhanced cert inspector that could better pull out the many details of modern certs. It would be useful for both Windows and Java cert stores. It should be on the level of detail that certutil, powershell, and/or keytool offers.