curiousecurity


FireEye Role Based Access Control (RBAC)

April 16, 2014 by ryanhorst 7 Comments

Regarding role based access control and Active Directory integration with FireEye back in FEOS versions 7.0.x (webmps), 6.3.2 (emailmps) and 6.4.1 (CMS), we only had the ability to map a single Active Directory group to a single FireEye “role”. And most enterprises would probably have mapped that single group to the Admin role. Well…..

Fast >> Forward >> to FEOS 7.1 “Shasta” where FireEye has merged the various code revisions for web/email/CMS into one single version, and we are finally provided with the tools under the hood to map multiple Active Directory groups to their respective roles (Admin, Monitor, Analyst, Audit, etc…). Huzzah, and thank you to FireEye for finally providing this, FINALLY. Moving on…

So from previous integrations, we were using the below FireEye/AD configs:

FEOS 7.0.x LDAP / AAA Config
 FireEye-WebMPS-1(config) # ldap base-dn DC=ACME,DC=com
 FireEye-WebMPS-1(config) # ldap bind-dn "CN=FireEye-Auth-User,OU=Service Acct,OU=Admin Service,DC=ACME,DC=com"
 FireEye-WebMPS-1(config) # ldap bind-password ***************
 FireEye-WebMPS-1(config) # ldap group-attribute member
 FireEye-WebMPS-1(config) # ldap group-dn "CN=FireEye-Admin-Group,OU=Global,OU=Domains,DC=ACME,DC=com"
 FireEye-WebMPS-1(config) # ldap host ACME.com
 FireEye-WebMPS-1(config) # ldap login-attribute sAMAccountName
 FireEye-WebMPS-1(config) # ldap port 389
 FireEye-WebMPS-1(config) # ldap referrals
 FireEye-WebMPS-1(config) # ldap scope subtree
 FireEye-WebMPS-1(config) # aaa authentication login default local ldap
 FireEye-WebMPS-1(config) # aaa authorization map default-user admin
 FireEye-WebMPS-1(config) # wr mem
 Saving configuration file ... Done!

In FEOS 7.0.x, without RBAC (Role Based Access Control), the FireEye devices relied on the LDAP configs we set to force the group required for access. In FEOS 7.1 “Shasta”, using AAA rules is the preferred method for mapping AD groups to roles, with the AAA service using the LDAP service to do the look-ups. At this point I am assuming that you have created all the necessary AD/LDAP groups that you plan to use on your FireEye – here is a snippet from the FireEye Operator's Guide for 7.1:

Admin
 The system administrator is a "super user" who has all capabilities except those that allow access to the FireEye Web services API. 
 The primary function of this role is to configure the system. 
 NOTE: You must be logged in with the admin role to view and access the FireEye appliance settings. 

Monitor
 The system monitor has read-only access to some things the admin role can change or configure.

Operator
 The system operator has a subset of the capabilities associated with the admin role. Its primary function is configuring and monitoring the system.

Analyst
 The system analyst focuses on the detection of malware and taking appropriate action, including setting up alerts and reports.

Auditor
 The system auditor reviews audit logs and performs forensic analysis to trace how events occurred.

Let's start configuring our AAA settings, shall we? We will start by building the AAA mapping rules on the FireEye. One thing to note here is that the rules are read from the lowest number to the highest, so you will want the rules granting the least access at the top (least access to most access is: Audit –> Analyst –> Operator –> Monitor –> Admin).

aaa authorization rules rule set 1 match-ldap-group "CN=FireEye-Audit,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user audit
aaa authorization rules rule set 2 match-ldap-group "CN=FireEye-Analyst,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user analyst
aaa authorization rules rule set 3 match-ldap-group "CN=FireEye-Operator,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user operator
aaa authorization rules rule set 4 match-ldap-group "CN=FireEye-Monitor,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user monitor
aaa authorization rules rule set 5 match-ldap-group "CN=FireEye-Admin,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user admin

FireEye-WebMPS-1 (config) # sh aaa authorization rules 
 ------------------------------------------------ 
 #         AAA Authorization Rules : Enabled 
 ------------------------------------------------ 
 # Rule          Statements      
 ------------------------------------------------ 

# 1
      Match LDAP Group               : CN=GG-FireEye-Audit,OU=Global,OU=Domains,DC=ACME,DC=com
      -->Action Map Local User    : audit

# 2
      Match LDAP Group               : CN=GG-FireEye-Analyst,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : analyst

# 3
      Match LDAP Group               : CN=GG-FireEye-Operator,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : operator

# 4
      Match LDAP Group               : CN=GG-FireEye-Monitor,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : monitor

# 5
      Match LDAP Group               : CN=GG-FireEye-Admin,OU=Global,OU=Domains,DC=ACME,DC=com
       -->Action Map Local User    : admin

# 6
      Match Auth Methods           : remote
       -->Action Map Local User    : deny-access
      
FireEye-WebMPS-1 (config) #

UPDATE:
FireEye does not have a ‘deny all’ authentication policy, so you must explicitly put the deny in!!!
Rule #6 above is required to ensure that you are denying access to anyone that is NOT in the specified groups!!!
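The rule ordering and the need for the explicit deny are easier to see in a small simulation. The Python below is an added example, not FireEye code and not from the original post. It evaluates a constructed copy of the rule set above in ascending rule-number order with the first matching rule winning (the reading under which rule #6 can act as a catch-all), and it assumes that a remote login matching no rule falls back to whatever `aaa authorization map default-user` names, as in the 7.0.x config earlier on the page. The evaluation order, that fallback, and the set of enabled local role accounts are all assumptions of the example.

```python
"""Simulation of FireEye-style AAA authorization rule evaluation.

Added example, not FireEye code. Assumptions (labelled): rules are evaluated
in ascending number order and the first match wins; a remote login that
matches no rule falls back to the `aaa authorization map default-user`
value; the local role accounts listed below are the ones that exist.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    map_local_user: str
    match_ldap_group: Optional[str] = None   # group DN to match, or None
    match_auth_method: Optional[str] = None  # "remote" for the catch-all, or None


# Container DN reused from the post's sanitized ACME example
BASE = "OU=Global,OU=Domains,DC=ACME,DC=com"

GROUP_RULES = [
    Rule(1, "audit", match_ldap_group=f"CN=FireEye-Audit,{BASE}"),
    Rule(2, "analyst", match_ldap_group=f"CN=FireEye-Analyst,{BASE}"),
    Rule(3, "operator", match_ldap_group=f"CN=FireEye-Operator,{BASE}"),
    Rule(4, "monitor", match_ldap_group=f"CN=FireEye-Monitor,{BASE}"),
    Rule(5, "admin", match_ldap_group=f"CN=FireEye-Admin,{BASE}"),
]
# Rule #6 from the post: every other remote login maps to a non-existent account
CATCH_ALL = Rule(6, "deny-access", match_auth_method="remote")

# Local role accounts assumed to exist and be enabled on the appliance
ENABLED_LOCAL_USERS = {"audit", "analyst", "operator", "monitor", "admin"}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so comparisons ignore case and spacing around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rule_matches(rule: Rule, groups, auth_method: str) -> bool:
    """True when the rule's single match statement applies to this login."""
    if rule.match_ldap_group is not None:
        wanted = normalize_dn(rule.match_ldap_group)
        return any(normalize_dn(g) == wanted for g in groups)
    if rule.match_auth_method is not None:
        return rule.match_auth_method == auth_method
    return False


def authorize(groups, rules, default_user=None, auth_method="remote"):
    """Return the enabled local user a remote login is mapped to, or None
    when the mapped account does not exist (the login is black-holed)."""
    target = default_user
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, groups, auth_method):
            target = rule.map_local_user
            break
    return target if target in ENABLED_LOCAL_USERS else None


if __name__ == "__main__":
    # Constructed memberships: a pure auditor, someone in both Analyst and Admin,
    # and an authenticated AD user who is in none of the FireEye groups.
    auditor = [f"CN=FireEye-Audit,{BASE}"]
    both = [f"CN=FireEye-Admin,{BASE}", f"cn=fireeye-analyst,{BASE.lower()}"]
    nobody = ["CN=Domain Users,CN=Users,DC=ACME,DC=com"]
    print(authorize(auditor, GROUP_RULES + [CATCH_ALL]))                        # audit
    print(authorize(both, GROUP_RULES + [CATCH_ALL]))                           # analyst
    print(authorize(nobody, GROUP_RULES, default_user="admin"))                 # admin
    print(authorize(nobody, GROUP_RULES + [CATCH_ALL], default_user="admin"))   # None
```

Two things fall out of the run. With first-match evaluation and the least-access-first ordering, a user who sits in both the Analyst and Admin groups lands on `analyst`, so multiple memberships resolve to the lower role. And without rule #6, a domain user in none of the FireEye groups is mapped to whatever the default user is; if the `default-user admin` line from the 7.0.x config survived the upgrade, that is admin, which is exactly the gap the explicit deny closes.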

Now you will need to enable each local user that you plan to use and assign it a password (please use secure passwords guys…). Once you have the AAA mappings and the local role users are enabled with secure passwords, the last thing you need to do is to remove the FireEye LDAP configuration line for the group-dn, so that the LDAP service is no longer the service controlling the mapping.

Here is what things look like before the group-dn is removed:

FireEye-WebMPS-1> ena
 FireEye-WebMPS-1 # sh ldap
 User base DN      : DC=ACME,DC=com
 User search scope : subtree
 Login attribute   : sAMAccountName
 Bind DN                   : CN=FireEye-Auth-User,OU=Service account,DC=ACME,DC=com
 Bind password     : ********
 Group base DN     : CN=FireEye-Admin-Group,OU=Global,DC=ACME,DC=com
 Group attribute   : member
 LDAP version      : 3
 Referrals         : yes
 Server port       : 389
 Search Timeout    : 5
 Bind Timeout      : 5
 SSL mode          : none
 Server SSL port   : 636 (not active)
 SSL cert verify   : yes
 SSL ca-list       : default-ca-list

LDAP servers:
   1: ACME.com
 FireEye-WebMPS-1 #

Here is what things look like after the group-dn is removed:

FireEye-WebMPS-1> ena
 FireEye-WebMPS-1 # sh ldap
 User base DN      : DC=ACME,DC=com
 User search scope : subtree
 Login attribute   : sAMAccountName
 Bind DN                   : CN=FireEye-Auth-User,OU=Service account,DC=ACME,DC=com
 Bind password     : ********
 Group base DN     : 
 Group attribute   : member
 LDAP version      : 3
 Referrals         : yes
 Server port       : 389
 Search Timeout    : 5
 Bind Timeout      : 5
 SSL mode          : none
 Server SSL port   : 636 (not active)
 SSL cert verify   : yes
 SSL ca-list       : default-ca-list

LDAP servers:
   1: ACME.com
 FireEye-WebMPS-1 #

DONE – WOOHOO!
If you followed this guide you should have FireEye RBAC functioning, with users from each AD group now mapped to their respective roles in FireEye with that group's specified access level.
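A quick way to confirm the end state is to feed the two show outputs into a checker. The Python below is an added example, not FireEye code and not from the original post: it parses text in the shape of the `sh aaa authorization rules` and `sh ldap` output shown above and reports the three conditions the guide says must hold when you are done (a final remote-to-`deny-access` catch-all, group rules ordered least access first in the order the post gives, and an empty group-dn). The sample outputs and the `rules_text` helper that renders them are constructed for the example.

```python
"""End-state check for the RBAC setup described in this post.

Added example, not FireEye code. It parses text in the shape of the
`sh aaa authorization rules` and `sh ldap` output shown above and reports
the three conditions the guide says must hold when you are done. The
least-to-most access order is the one the post gives; the sample outputs
are constructed for the example.
"""
import re

ROLE_RANK = {"audit": 0, "analyst": 1, "operator": 2, "monitor": 3, "admin": 4}


def parse_aaa_rules(text):
    """Collect '# N' blocks with their 'Match X : Y' and '-->Action Map Local User : Z' lines."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"#\s*(\d+)", line)
        if m:
            current = {"number": int(m.group(1))}
            rules.append(current)
            continue
        if current is None:
            continue  # banner and column-header lines before the first rule
        m = re.fullmatch(r"Match (.+?)\s*:\s*(.*)", line)
        if m:
            current["match_" + m.group(1).lower().replace(" ", "_")] = m.group(2)
            continue
        m = re.fullmatch(r"-->Action Map Local User\s*:\s*(\S*)", line)
        if m:
            current["map_local_user"] = m.group(1)
    return sorted(rules, key=lambda r: r["number"])


def parse_ldap(text):
    """Turn 'Key : value' lines of `sh ldap` into a dict; an empty value stays ''."""
    settings = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_rbac(aaa_text, ldap_text):
    """Return a list of findings; an empty list means the end state matches the guide."""
    findings = []
    rules = parse_aaa_rules(aaa_text)
    ldap = parse_ldap(ldap_text)

    # 1. An explicit remote -> deny-access catch-all must exist and be evaluated last.
    catch_all = [r for r in rules if r.get("match_auth_methods") == "remote"
                 and r.get("map_local_user") == "deny-access"]
    if not catch_all:
        findings.append("no catch-all 'match-auth-method remote -> deny-access' rule")
    elif catch_all[-1] is not rules[-1]:
        findings.append("catch-all deny rule is not the last rule")

    # 2. Group rules must be ordered least-access first, as the post requires.
    ranks = [ROLE_RANK[r["map_local_user"]] for r in rules
             if "match_ldap_group" in r and r.get("map_local_user") in ROLE_RANK]
    if ranks != sorted(ranks):
        findings.append("group rules are not ordered from least to most access")

    # 3. The old single-group gate must be gone so the AAA rules control mapping.
    if ldap.get("Group base DN"):
        findings.append("ldap group-dn is still set: " + ldap["Group base DN"])
    return findings


def rules_text(mapping, catch_all=True):
    """Render (group CN, local user) pairs in the show-output layout (constructed helper)."""
    blocks = [f"# {i}\n      Match LDAP Group               : CN=GG-FireEye-{cn},OU=Global,OU=Domains,DC=ACME,DC=com\n"
              f"       -->Action Map Local User    : {user}"
              for i, (cn, user) in enumerate(mapping, 1)]
    if catch_all:
        blocks.append(f"# {len(blocks) + 1}\n      Match Auth Methods           : remote\n"
                      "       -->Action Map Local User    : deny-access")
    return ("------------------------------------------------\n#         AAA Authorization Rules : Enabled\n"
            "------------------------------------------------\n# Rule          Statements\n\n" + "\n\n".join(blocks))


# Constructed samples: the post's rule set in order, and a mis-ordered set without rule #6
GOOD_RULES = rules_text([("Audit", "audit"), ("Analyst", "analyst"), ("Operator", "operator"),
                         ("Monitor", "monitor"), ("Admin", "admin")])
BAD_RULES = rules_text([("Audit", "audit"), ("Admin", "admin"), ("Analyst", "analyst")], catch_all=False)
LDAP_BEFORE = "User base DN      : DC=ACME,DC=com\nGroup base DN     : CN=FireEye-Admin-Group,OU=Global,DC=ACME,DC=com\nGroup attribute   : member\n"
LDAP_AFTER = "User base DN      : DC=ACME,DC=com\nGroup base DN     : \nGroup attribute   : member\n"

if __name__ == "__main__":
    print(check_rbac(BAD_RULES, LDAP_BEFORE))  # three findings
    print(check_rbac(GOOD_RULES, LDAP_AFTER))  # []
```

Paste the real show output from your appliance in place of the constructed strings; the parser only depends on the `# N`, `Match ... :` and `-->Action Map Local User :` line shapes that the post's output uses, so banner lines and column widths do not matter.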

If you had issues, please drop me a line and I will see what I can do to help.

Thanks for stopping by!


Filed Under: Howto Article, Linux, Network Security, Threat Protection and Prevention Tagged With: Active Directory, FireEye, LDAP, RBAC

Comments

  1. Subhash says

    June 28, 2016 at 1:33 pm

    Hello,

    I just would like to know if FireEye has the integration capability in-built to integrate Active Directory with it ? All of them HX, NX, MPS, AX etc ?

    Meaning if my AD name is Subhash can I login to FireEye console with my AD username ( if integration is done) and RBAC is enabled ?

    Reply
  2. Subhash says

    June 28, 2016 at 3:33 pm

    I just would like to know if FireEye has the integration capability in-built to integrate Active Directory with it ? All of them HX, NX, MPS, AX etc ?

    Meaning if my AD name is Subhash can I login to FireEye console with my AD username ( if integration is done) and RBAC is enabled ?

    Reply
  3. ryanhorst says

    June 28, 2016 at 4:09 pm

    Hello Subhash,

    Yes, FireEye has native LDAP integration capability, and can be enabled by following the instructions in this post.

    You can also find some LDAP integration information on the FireEye customer portal at the link below, which actually references unattributed information from my website:

    https://community.fireeye.com/message/2096#2096

    Here is another link if you need more information (you shouldn’t need anything more than this blog post really)

    https://community.fireeye.com/servlet/JiveServlet/download/2109-5567/FireEye%20Active%20Directory%20Authentication%20Setup.docx

    Hope that helps,
    Ryan

    Reply
  4. Gage says

    August 29, 2016 at 3:14 pm

    Can you add multiple Group base DN attributes?

    Reply
    • ryanhorst says

      August 29, 2016 at 3:19 pm

      I know you can utilize multiple groups in the same base DN, but I have not had a need to use multiple base DN’s. You may need to dig into the FireEye documentation as well as looking at the online community to see what others have done.

      /ryan

      Reply
  5. Dan says

    February 10, 2018 at 1:18 am

    What’s the command to add Rule #6 ?

    Reply
    • ryanhorst says

      February 10, 2018 at 1:32 am

      Hi Dan,

      The command I used for the above config was:

      aaa authorization rules rule set 6 match-auth-method remote map-local-user deny-access

      This will act as a catch-all rule that will map the unprivileged LDAP user to a non-existent account named deny-access, basically blackholing the user.

      Hope that helps!
      Ryan

      Reply
