FireEye Role Based Access Control (RBAC)

Regarding Active Directory integration with FireEye back in FEOS versions 7.0.x (webmps), 6.3.2 (emailmps) and 6.4.1 (CMS), we only had the ability to map a single Active Directory group to a single FireEye “role”. And most enterprises would probably have mapped that single group to the Admin role. Well…..

Fast >> Forward >> to FEOS 7.1 “Shasta” where FireEye has merged the various code revisions for web/email/CMS into one single version, and we are finally provided with the tools under the hood to map multiple Active Directory groups to their respective roles (Admin, Monitor, Analyst, Audit, etc…). Huzzah, and thank you to FireEye for finally providing this, FINALLY. Moving on…

So from previous integrations, we were using the below FireEye/AD configs:

FEOS 7.0.x LDAP / AAA Config
FireEye-WebMPS-1(config) # ldap base-dn DC=ACME,DC=com
FireEye-WebMPS-1(config) # ldap bind-dn "CN=FireEye-Auth-User,OU=Service Acct,OU=Admin Service,DC=ACME,DC=com"
FireEye-WebMPS-1(config) # ldap bind-password ***************
FireEye-WebMPS-1(config) # ldap group-attribute member
FireEye-WebMPS-1(config) # ldap group-dn "CN=FireEye-Admin-Group,OU=Global,OU=Domains,DC=ACME,DC=com"
FireEye-WebMPS-1(config) # ldap host ACME.com
FireEye-WebMPS-1(config) # ldap login-attribute sAMAccountName
FireEye-WebMPS-1(config) # ldap port 389
FireEye-WebMPS-1(config) # ldap referrals
FireEye-WebMPS-1(config) # ldap scope subtree
FireEye-WebMPS-1(config) # aaa authentication login default local ldap
FireEye-WebMPS-1(config) # aaa authorization map default-user admin
FireEye-WebMPS-1(config) # wr mem
Saving configuration file ... Done!

In FEOS 7.0.x, without RBAC (Role Based Access Control), the FireEye devices relied on the LDAP group-dn setting to restrict access to members of that one group. In FEOS 7.1 “Shasta”, AAA authorization rules are the preferred method for mapping AD groups to roles, with the AAA service using the LDAP service to do the look-ups. At this point I am assuming that you have created all the necessary AD/LDAP groups that you plan to use on your FireEye – here is a snippet from the FireEye Operator's Guide for 7.1:

Admin
 The system administrator is a "super user" who has all capabilities except those that allow access to the FireEye Web services API. 
 The primary function of this role is to configure the system. 
 NOTE: You must be logged in with the admin role to view and access the FireEye appliance settings. 

Monitor
 The system monitor has read-only access to some things the admin role can change or configure.

Operator
 The system operator has a subset of the capabilities associated with the admin role. Its primary function is configuring and monitoring the system.

Analyst
 The system analyst focuses on the detection of malware and taking appropriate action, including setting up alerts and reports.

Auditor
 The system auditor reviews audit logs and performs forensic analysis to trace how events occurred.

Let's start configuring our AAA settings, shall we? We will start by building the mapping rules for AAA in the FireEye. One thing to note here is that the rules are evaluated from the lowest number to the highest number, so you will want the rules providing less access at the top (least access to most access is: Audit –> Analyst –> Operator –> Monitor –> Admin).

aaa authorization rules rule set 1 match-ldap-group "CN=FireEye-Audit,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user audit
aaa authorization rules rule set 2 match-ldap-group "CN=FireEye-Analyst,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user analyst
aaa authorization rules rule set 3 match-ldap-group "CN=FireEye-Operator,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user operator
aaa authorization rules rule set 4 match-ldap-group "CN=FireEye-Monitor,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user monitor
aaa authorization rules rule set 5 match-ldap-group "CN=FireEye-Admin,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user admin

FireEye-WebMPS-1 (config) # sh aaa authorization rules
------------------------------------------------
#         AAA Authorization Rules : Enabled
------------------------------------------------
# Rule          Statements
------------------------------------------------

# 1
      Match LDAP Group               : CN=GG-FireEye-Audit,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : audit

# 2
      Match LDAP Group               : CN=GG-FireEye-Analyst,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : analyst

# 3
      Match LDAP Group               : CN=GG-FireEye-Operator,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : operator

# 4
      Match LDAP Group               : CN=GG-FireEye-Monitor,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : monitor

# 5
      Match LDAP Group               : CN=GG-FireEye-Admin,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : admin

# 6
      Match Auth Methods           : remote
       -->Action Map Local User    : deny-access

FireEye-WebMPS-1 (config) #

UPDATE:
FireEye does not have a ‘deny all’ authentication policy, so you must explicitly put the deny in!!!
Rule #6 above is required to ensure that you are denying access to anyone that is NOT in the specified groups!!!
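To make the two points above concrete (rule order, and the need for an explicit deny), here is an added example that is not FireEye's code or part of the original post. It parses a constructed copy of the `sh aaa authorization rules` output shown above, evaluates sample users against the rules, and audits the rule set for the missing catch-all. Two things in it are my assumptions rather than anything the post states: that the lowest-numbered matching rule wins, and that a user no rule matches falls back to the role from `aaa authorization map default-user` (which was `admin` in the 7.0.x config above).

```python
"""Parse, simulate and audit FireEye-style `sh aaa authorization rules` output.

Added example, not FireEye's code.  Assumptions not taken from the post:
the lowest-numbered matching rule wins, and a user no rule matches falls
back to the `aaa authorization map default-user` role.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the post's show output: five group
# rules plus the catch-all deny rule #6 (group names as in the post).
SHOW_AAA_RULES = """\
 #         AAA Authorization Rules : Enabled
 # Rule          Statements
# 1
      Match LDAP Group               : CN=GG-FireEye-Audit,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : audit
# 2
      Match LDAP Group               : CN=GG-FireEye-Analyst,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : analyst
# 3
      Match LDAP Group               : CN=GG-FireEye-Operator,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : operator
# 4
      Match LDAP Group               : CN=GG-FireEye-Monitor,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : monitor
# 5
      Match LDAP Group               : CN=GG-FireEye-Admin,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : admin
# 6
      Match Auth Methods           : remote
       -->Action Map Local User    : deny-access
"""

RULE_RE = re.compile(r"^\s*#\s*(\d+)\s*$")          # "# 3" starts a rule
MATCH_RE = re.compile(r"^\s*Match (LDAP Group|Auth Methods)\s*:\s*(.+?)\s*$")
ACTION_RE = re.compile(r"^\s*-->Action Map Local User\s*:\s*(\S+)")

# Least-to-most privilege order exactly as the post gives it.
PRIVILEGE_ORDER = ["audit", "analyst", "operator", "monitor", "admin"]

@dataclass
class Rule:
    number: int
    ldap_group: Optional[str] = None   # DN the user must be a member of
    auth_method: Optional[str] = None  # e.g. "remote"
    map_to: Optional[str] = None       # local role, or "deny-access"

def parse_rules(text: str) -> list:
    """Turn the show output into Rule objects sorted by rule number."""
    rules, current = [], None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            current = Rule(int(m.group(1)))
            rules.append(current)
        elif current is None:
            continue  # banner lines before the first rule
        elif m := MATCH_RE.match(line):
            if m.group(1) == "LDAP Group":
                current.ldap_group = m.group(2)
            else:
                current.auth_method = m.group(2)
        elif m := ACTION_RE.match(line):
            current.map_to = m.group(1)
    return sorted(rules, key=lambda r: r.number)

def authorize(rules, groups, auth_method="remote", default_user=None):
    """Role a user holding these group DNs is mapped to.

    Assumption: the first rule whose conditions all hold wins; with no
    match the default-user role applies (None means no mapping at all).
    """
    for rule in rules:
        if rule.ldap_group is not None and rule.ldap_group not in groups:
            continue
        if rule.auth_method is not None and rule.auth_method != auth_method:
            continue
        return rule.map_to
    return default_user

def audit(rules) -> list:
    """Flag the two misconfigurations the post warns about."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or last.ldap_group is not None or last.map_to != "deny-access":
        findings.append("no catch-all deny-access rule as the last rule")
    roles = [r.map_to for r in rules if r.map_to in PRIVILEGE_ORDER]
    if roles != sorted(roles, key=PRIVILEGE_ORDER.index):
        findings.append("group rules are not ordered least-to-most privilege")
    return findings

if __name__ == "__main__":
    rules = parse_rules(SHOW_AAA_RULES)
    stranger = set()  # authenticated AD user who is in none of the FireEye groups
    print("with rule 6   :", authorize(rules, stranger, default_user="admin"))
    print("without rule 6:", authorize(rules[:5], stranger, default_user="admin"))
    print("audit findings:", audit(rules[:5]))
```

Run it against a pasted copy of your own show output to check that the last rule is the deny and that the group rules climb from least to most privilege; the `stranger` case is the one the UPDATE is about, since without rule 6 that user lands on whatever `default-user` says.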

Now you will need to enable each local user that the rules map to (admin, monitor, operator, analyst and audit) and assign it a password (please use secure passwords guys…). Once you have the AAA mappings and the local role users are enabled with secure passwords, the last thing you need to do is to remove the FireEye LDAP configuration line for the group-dn, so that the LDAP service is no longer the service controlling the mapping.

Here is what things look like before the group-dn is removed:

FireEye-WebMPS-1> ena
FireEye-WebMPS-1 # sh ldap
User base DN      : DC=ACME,DC=com
User search scope : subtree
Login attribute   : sAMAccountName
Bind DN           : CN=FireEye-Auth-User,OU=Service account,DC=ACME,DC=com
Bind password     : ********
Group base DN     : CN=FireEye-Admin-Group,OU=Global,DC=ACME,DC=com
Group attribute   : member
LDAP version      : 3
Referrals         : yes
Server port       : 389
Search Timeout    : 5
Bind Timeout      : 5
SSL mode          : none
Server SSL port   : 636 (not active)
SSL cert verify   : yes
SSL ca-list       : default-ca-list

LDAP servers:
   1: ACME.com
FireEye-WebMPS-1 #

Here is what things look like after the group-dn is removed:

FireEye-WebMPS-1> ena
FireEye-WebMPS-1 # sh ldap
User base DN      : DC=ACME,DC=com
User search scope : subtree
Login attribute   : sAMAccountName
Bind DN           : CN=FireEye-Auth-User,OU=Service account,DC=ACME,DC=com
Bind password     : ********
Group base DN     :
Group attribute   : member
LDAP version      : 3
Referrals         : yes
Server port       : 389
Search Timeout    : 5
Bind Timeout      : 5
SSL mode          : none
Server SSL port   : 636 (not active)
SSL cert verify   : yes
SSL ca-list       : default-ca-list

LDAP servers:
   1: ACME.com
FireEye-WebMPS-1 #

DONE – WOOHOO!
If you followed this guide you should now have FireEye RBAC functioning, with the users from each AD group mapped to their respective FireEye role and given that role's specified access level.

If you had issues, please drop me a line and I will see what I can do to help.

Thanks for stopping by!