Teleport SIEM Integration
The teleport-plugin-event-handler is used for handling Teleport audit events and sending them to a Fluentd instance,
so such events can be further shipped to other systems (i.e. SIEM) for security and auditing purposes.
Read more about exporting Teleport audit events here. See this guide and
this one for further instructions.
- This plugin is installed using teleport-plugin-event-handler Helm chart (see here).
- The following roles and user are created via the
teleport-bootstrap chart.
- Role
event-handler-events-sessions-viewer - Role
bot-event-handler-bot - Bot
event-handler-bot - Join token
event-handler-bot-token
- Role
Configuring mTLS Communication
Section titled “Configuring mTLS Communication”The teleport-plugin-event-handler requires Mutual TLS connection be enabled on fluentd instance for security purposes.
The certificate authority, server key and certificate, and client key and certificate are stored in Vault at
k8s/ops-gitlab-gke/teleport-cluster-staging/fluentd-certs and k8s/ops-central/teleport-cluster-production/fluentd-certs.
For renewing the certificates, create the following files in a directory.
openssl.conf
[req]default_bits = 4096distinguished_name = req_distinguished_namestring_mask = utf8onlydefault_md = sha256x509_extensions = v3_ca
[req_distinguished_name]countryName = Country Name (2 letter code)stateOrProvinceName = State or Province NamelocalityName = Locality Name0.organizationName = Organization NameorganizationalUnitName = Organizational Unit NamecommonName = Common NameemailAddress = Email Address
countryName_default =stateOrProvinceName_default =localityName_default =0.organizationName_default = GitLab Inc.organizationalUnitName_default = TeleportcommonName_default = localhostemailAddress_default =
[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuerbasicConstraints = critical, CA:true, pathlen: 0keyUsage = critical, cRLSign, keyCertSign
[client_cert]basicConstraints = CA:FALSEnsCertType = client, emailnsComment = "OpenSSL Generated Client Certificate"subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuerkeyUsage = critical, nonRepudiation, digitalSignature, keyEnciphermentextendedKeyUsage = clientAuth, emailProtection
[crl_ext]authorityKeyIdentifier = keyid:always
[ocsp]basicConstraints = CA:FALSEsubjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuerkeyUsage = critical, digitalSignatureextendedKeyUsage = critical, OCSPSigning
[staging_server_cert]basicConstraints = CA:FALSEnsCertType = servernsComment = "OpenSSL Generated Server Certificate"subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuer:alwayskeyUsage = critical, digitalSignature, keyEnciphermentextendedKeyUsage = serverAuthsubjectAltName = @staging_alt_names
[staging_alt_names]DNS.0 = teleport-staging-fluentd-headless.teleport-cluster-staging.svc.cluster.localDNS.1 = *.teleport-staging-fluentd-headless.teleport-cluster-staging.svc.cluster.localDNS.2 = teleport-staging-fluentd-aggregator.teleport-cluster-staging.svc.cluster.localDNS.3 = *.teleport-staging-fluentd-aggregator.teleport-cluster-staging.svc.cluster.local
[production_server_cert]basicConstraints = CA:FALSEnsCertType = servernsComment = "OpenSSL Generated Server Certificate"subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuer:alwayskeyUsage = critical, digitalSignature, keyEnciphermentextendedKeyUsage = serverAuthsubjectAltName = @production_alt_names
[production_alt_names]DNS.0 = teleport-production-fluentd-headless.teleport-cluster-production.svc.cluster.localDNS.1 = *.teleport-production-fluentd-headless.teleport-cluster-production.svc.cluster.localDNS.2 = teleport-production-fluentd-aggregator.teleport-cluster-production.svc.cluster.localDNS.3 = *.teleport-production-fluentd-aggregator.teleport-cluster-production.svc.cluster.localMakefile
key_len := 4096staging_dir := stagingproduction_dir := production
.PHONY: gen-staginggen-staging: mkdir -p $(staging_dir) rm -f $(staging_dir)/*
openssl genrsa -out $(staging_dir)/ca.key $(key_len) chmod 444 $(staging_dir)/ca.key openssl req -config openssl.conf -key $(staging_dir)/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -subj "/CN=ca" -out $(staging_dir)/ca.crt
openssl genrsa -out $(staging_dir)/client.key $(key_len) chmod 444 $(staging_dir)/client.key openssl req -config openssl.conf -subj "/CN=teleport-event-handler" -key $(staging_dir)/client.key -new -out $(staging_dir)/client.csr openssl x509 -req -in $(staging_dir)/client.csr -CA $(staging_dir)/ca.crt -CAkey $(staging_dir)/ca.key -CAcreateserial -days 365 -out $(staging_dir)/client.crt -extfile openssl.conf -extensions client_cert
openssl genrsa -out $(staging_dir)/server.key $(key_len) chmod 444 $(staging_dir)/server.key openssl req -config openssl.conf -subj "/CN=fluentd-aggregator" -key $(staging_dir)/server.key -new -out $(staging_dir)/server.csr openssl x509 -req -in $(staging_dir)/server.csr -CA $(staging_dir)/ca.crt -CAkey $(staging_dir)/ca.key -CAcreateserial -days 365 -out $(staging_dir)/server.crt -extfile openssl.conf -extensions staging_server_cert
.PHONY: gen-productiongen-production: mkdir -p $(production_dir) rm -f $(production_dir)/*
openssl genrsa -out $(production_dir)/ca.key $(key_len) chmod 444 $(production_dir)/ca.key openssl req -config openssl.conf -key $(production_dir)/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -subj "/CN=ca" -out $(production_dir)/ca.crt
openssl genrsa -out $(production_dir)/client.key $(key_len) chmod 444 $(production_dir)/client.key openssl req -config openssl.conf -subj "/CN=teleport-event-handler" -key $(production_dir)/client.key -new -out $(production_dir)/client.csr openssl x509 -req -in $(production_dir)/client.csr -CA $(production_dir)/ca.crt -CAkey $(production_dir)/ca.key -CAcreateserial -days 365 -out $(production_dir)/client.crt -extfile openssl.conf -extensions client_cert
openssl genrsa -out $(production_dir)/server.key $(key_len) chmod 444 $(production_dir)/server.key openssl req -config openssl.conf -subj "/CN=fluentd-aggregator" -key $(production_dir)/server.key -new -out $(production_dir)/server.csr openssl x509 -req -in $(production_dir)/server.csr -CA $(production_dir)/ca.crt -CAkey $(production_dir)/ca.key -CAcreateserial -days 365 -out $(production_dir)/server.crt -extfile openssl.conf -extensions production_server_certRun the make gen-staging command for generating certificates for the teleport-staging cluster,
and the make gen-production command for the teleport-production cluster.
Next, update the Vault secret as follows.
$ vault login -method oidc$ vault kv put k8s/ops-central/teleport-cluster-production/fluentd-certs \ ca.crt="$(cat ca.crt)" \ server.crt="$(cat server.crt)" \ server.key="$(cat server.key)" \ client.crt="$(cat client.crt)" \ client.key="$(cat client.key)"Finally, get the latest secret version from the Vault and update the teleport-cluster release
here.
Google Cloud Pub/Sub Configurations
Section titled “Google Cloud Pub/Sub Configurations”Fluentd uses fluent-plugin-gcloud-pubsub-custom gem for sending the audit events to the following Google Cloud Pub/Sub topics:
projects/gitlab-teleport-staging/topics/teleport-staging-eventsprojects/gitlab-teleport-production/topics/teleport-production-events
We use a custom-built OCI (Docker) image with the fluent-plugin-gcloud-pubsub-custom gem baked into the image.
You can update/modify this image here.
We use Workload Identity for authenticating to Google Cloud. The Workload Identity is configured here and the required Roles are configured here.