
Grant temporary access to web based Data Engineering tools to Bishop Fox
Closed, ResolvedPublic

Description

We have retained the services of Bishop Fox to carry out a number of pentesting and other application security testing activities.

Part of their remit includes assessing the following seven web-based tools that are managed by the Data-Engineering team:

In order to carry out their assessment, they will need to be provided with working login credentials for the applications (including our SSO environment).
They will not be granted production shell access, nor membership of any POSIX groups such as analytics-privatedata-users.
These access tokens must be time-limited to the period of engagement, which is currently: 12th of June 2023.

The resources required are:

  • A Wikimedia Developer Account for each individual in the third-party organisation who requires access.
  • Membership of the nda LDAP group for each of these accounts.
  • A discrete user account in Matomo for each individual who requires access.

Contacts within WMF

The individuals within WMF who are responsible for the hybrid application assessment are:

According to the WMF-Legal team, Bishop Fox has signed an NDA equivalent to L2.

Event Timeline

As the WMF-Legal project tag was added to this task, some general information to avoid wrong expectations:
Please note that public tasks in Wikimedia Phabricator are in general not a place to expect feedback from the Legal Team of the Wikimedia Foundation, due to the scope of the team and/or the nature of legal topics. See the project tag description.
Please see https://meta.wikimedia.org/wiki/Legal for when and how to contact the Legal Team. Thanks!

I have created a Wikitech account to be used for this purpose.
Change in approach, this shared account will no longer be used.

Wikitech username: Bishopfox
Shell username: bishopfox

WMF Legal reviewed the contract on file for Bishop Fox and their employees should be covered under their contract with the WMF, since they have already signed an NDA as a vendor.

Change 918519 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add an ldap_only user for bishopfox

https://gerrit.wikimedia.org/r/918519

Dzahn changed the task status from Open to In Progress.May 10 2023, 7:59 PM
Dzahn triaged this task as High priority.
Dzahn moved this task from Backlog to Manager Approval Pending on the LDAP-Access-Requests board.
Dzahn subscribed.

Not sure if a manager has to say approved on ticket for this or not. +1 to the patch but waiting for infra security to +1.

Change 918519 abandoned by Btullis:

[operations/puppet@production] Add an ldap_only user for bishopfox

Reason:

As per guidance I will let the third-party organisation create their own accounts for each individual who needs access.

https://gerrit.wikimedia.org/r/918519

I have discussed this with @jbond and @MoritzMuehlenhoff and I can appreciate now that it would be better to request that each analyst on the Bishop Fox team who requires access should create their own Wikitech account.
This would avoid the unnecessary sharing of credentials, which would go against our own security standards.

Therefore, I have requested by email that each analyst creates their own wikitech user and someone sends me the list of names.
The Bishopfox wikitech account I created yesterday will just be dormant, since we don't have any readily available process for deleting or renaming it.

I have now been provided with the following two Wikitech accounts for the two users:

  • Thomas Wilson: TwilsonBF
  • Ryan Basden: Bfrb

I'll add tracking references to these under the ldap_only section in data.yaml and then add them to the nda group in LDAP, once that is done.

Change 919822 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Add two ldap_only users from bishopfox

https://gerrit.wikimedia.org/r/919822

Change 919822 merged by Btullis:

[operations/puppet@production] Add two ldap_only users from bishopfox

https://gerrit.wikimedia.org/r/919822

I have now added uid=twilsonbf and uid=ryan-bf to the nda group in LDAP.

btullis@mwmaint1002:~$ ldapsearch -x member=uid=ryan-bf,ou=people,dc=wikimedia,dc=org dn
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: member=uid=ryan-bf,ou=people,dc=wikimedia,dc=org
# requesting: dn 
#

# nda, groups, wikimedia.org
dn: cn=nda,ou=groups,dc=wikimedia,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
btullis@mwmaint1002:~$ ldapsearch -x member=uid=twilsonbf,ou=people,dc=wikimedia,dc=org dn
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: member=uid=twilsonbf,ou=people,dc=wikimedia,dc=org
# requesting: dn 
#

# nda, groups, wikimedia.org
dn: cn=nda,ou=groups,dc=wikimedia,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Here is the list of things that the nda LDAP group provides (unless the list is outdated):

https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups#NDA_group

Thanks @Dzahn - That's a useful reference.
I've created two user accounts in Matomo for twilsonbf and ryan-bf and supplied the credentials to the users.

Now that each user has been supplied with the credentials, I will mark this ticket as done while awaiting user confirmation of access.
I've put a reference to the contract expiry date into data.yaml and I will make a note to double-check that the access has been revoked on/by the 12th of June.
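
An added audit check, not code from this task or from the puppet repository, in the spirit of the reminder above to confirm revocation by the expiry date: it parses the LDIF that ldapsearch prints (the constructed samples below are modelled on the queries shown earlier in this task) and reports any temporary account whose expiry date has passed but which still belongs to an LDAP group. The `expiry_date` and `expiry_contact` keys are assumed names for illustration, not necessarily the ones used in data.yaml.

```python
"""Check that time-limited LDAP accounts are no longer in any group after expiry.

Added example; not the task's or the puppet repo's own code. Assumes the
caller captures `ldapsearch -x "(member=uid=<uid>,ou=people,dc=wikimedia,dc=org)" dn`
output as text and feeds it in per uid.
"""
from __future__ import annotations

import re
from datetime import date

# Constructed sample: ldapsearch output while the user is still in cn=nda,
# modelled on the output shown in this task.
SAMPLE_LDIF_MEMBER = """\
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: member=uid=ryan-bf,ou=people,dc=wikimedia,dc=org
# requesting: dn

# nda, groups, wikimedia.org
dn: cn=nda,ou=groups,dc=wikimedia,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed sample: the same query after the user was removed from all groups.
SAMPLE_LDIF_NONE = """\
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: member=uid=ryan-bf,ou=people,dc=wikimedia,dc=org
# requesting: dn

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

# Hypothetical temporary accounts, loosely modelled on ldap_only entries in
# data.yaml; the key names are assumptions made for this example.
TEMP_ACCOUNTS = {
    "ryan-bf": {"expiry_date": date(2023, 6, 12), "expiry_contact": "btullis"},
    "twilsonbf": {"expiry_date": date(2023, 6, 12), "expiry_contact": "btullis"},
}


def entry_dns(ldif: str) -> list[str]:
    """Return the DN of every entry in an LDIF search result.

    Comment lines ('#') and the trailing 'search:'/'result:' lines are ignored.
    LDIF folds long values onto continuation lines that start with one space,
    so those are joined back first.
    """
    unfolded = re.sub(r"\n ", "", ldif)
    return [line[3:].strip() for line in unfolded.splitlines() if line.startswith("dn:")]


def group_cns(ldif: str) -> list[str]:
    """Return the cn of each group entry found in the LDIF (e.g. ['nda'])."""
    cns = []
    for dn in entry_dns(ldif):
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "cn":
            cns.append(value.strip())
    return cns


def overdue_memberships(accounts: dict, ldif_by_uid: dict, today: date) -> list[tuple[str, list[str]]]:
    """Return (uid, groups) for every account past its expiry date that is
    still a member of at least one group. Accounts expiring today are not
    yet overdue, matching a 'revoke on/by the expiry date' rule."""
    findings = []
    for uid, meta in accounts.items():
        if today <= meta["expiry_date"]:
            continue
        groups = group_cns(ldif_by_uid.get(uid, ""))
        if groups:
            findings.append((uid, groups))
    return findings


if __name__ == "__main__":
    captured = {"ryan-bf": SAMPLE_LDIF_MEMBER, "twilsonbf": SAMPLE_LDIF_NONE}
    for uid, groups in overdue_memberships(TEMP_ACCOUNTS, captured, date(2023, 6, 13)):
        contact = TEMP_ACCOUNTS[uid]["expiry_contact"]
        print(f"OVERDUE: {uid} still in {groups}; contact {contact}")
```

Running it against real output is a matter of replacing the constructed samples with the captured ldapsearch text per uid; an empty finding list is the expected state after the removal commit has been deployed.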

> Now that each user has been supplied with the credentials, I will mark this ticket as done while awaiting user confirmation of access.

I'm going to also mark this ticket as resolved to remove it from the SRE clinic dashboard. Please re-open and update if there are further actions, thanks.

Yep, that's great thanks @jbond. I've just had confirmation by email that both analysts now have the access that they require.

Change 929645 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Remove LDAP access for Bishop Fox contractors

https://gerrit.wikimedia.org/r/929645

Change 929645 merged by Muehlenhoff:

[operations/puppet@production] Remove LDAP access for Bishop Fox contractors

https://gerrit.wikimedia.org/r/929645

@BTullis do the permissions need to be removed before closing the task?

> @BTullis do the permissions need to be removed before closing the task?

Thanks for checking @odimitrijevic. Their access has already been revoked through this commit:
https://gerrit.wikimedia.org/r/c/operations/puppet/+/929645/

However, now you mention it there may be some accounts to remove in Matomo. I'll double check.

> The Bishopfox wikitech account I created yesterday will just be dormant, since we don't have any readily available process for deleting or renaming it.

If it hasn't already been actioned, that account should be blocked on wikitech wiki.

> @BTullis do the permissions need to be removed before closing the task?
>
> Thanks for checking @odimitrijevic. Their access has already been revoked through this commit:
> https://gerrit.wikimedia.org/r/c/operations/puppet/+/929645/
>
> However, now you mention it there may be some accounts to remove in Matomo. I'll double check.

Access to Matomo was granted via their cn=nda LDAP membership (since Matomo is integrated into the SSO provided by idp.wikimedia.org); their group memberships were removed when I offboarded them along with https://gerrit.wikimedia.org/r/c/operations/puppet/+/929645/

> @BTullis do the permissions need to be removed before closing the task?
>
> Thanks for checking @odimitrijevic. Their access has already been revoked through this commit:
> https://gerrit.wikimedia.org/r/c/operations/puppet/+/929645/
>
> However, now you mention it there may be some accounts to remove in Matomo. I'll double check.
>
> Access to Matomo was granted via their cn=nda LDAP membership (since Matomo is integrated into the SSO provided by idp.wikimedia.org); their group memberships were removed when I offboarded them along with https://gerrit.wikimedia.org/r/c/operations/puppet/+/929645/

Apologies, this was a clumsy explanation on my part. I didn't mean to infer that they still had access to Matomo. As @MoritzMuehlenhoff mentioned, their ability to access it was definitely revoked by the LDAP modification.
I was only talking about removing the MariaDB user records within Matomo, which would only be a matter of aesthetics to remove unnecessary accounts, not access control at this point.

I'll look into blocking the Wikitech account.

> The Bishopfox wikitech account I created yesterday will just be dormant, since we don't have any readily available process for deleting or renaming it.
>
> If it hasn't already been actioned, that account should be blocked on wikitech wiki.

I have now blocked the Bishopfox account on wikitech.

I've also removed the two user records that I created manually in Matomo and the two auto-provisioned user records that were created in Superset.