Action Confirmations Proposal

Empire exposes some pretty powerful features, like allowing you to easily run and attach to a container inside your infrastructure. Obviously, this poses a potential security risk. While work is being done to add more granular access control, that still doesn't fully solve the problem of an employees laptop getting stolen, or an API key being exposed.

To address this, we'd like to propose "Action Confirmations" (name suggestions?). When invoking a potentially sensitive command, Empire will be able to consult a third party, to request confirmation that the action being performed should be allowed. If the action is malicious (e.g. a leaked API token), then it can be denied.

To start, we plan to implement a Duo integration, using 2fa push notifications. When a sensitive action is performed, Empire would send the user a Duo push. Once the user confirms the action, Empire will continue.

In the future, this could be expanded to support other means of confirmation. For example, I could envision a slack integration that sends the user a DM for confirmation, or posts to a channel asking for multiple users to confirm the action.

Implementation

Implementation wise, this will just be a simple interface that the empire.Empire struct will consult to authorize the action:

// ActionConfirmer is an interface that can be implemented to confirm that an
// action is allowed.
type ActionConfirmer interface {
        // Confirm should notify the third party of the action being performed,
        // then block until the action has been confirmed.
        Confirm(ctx context.Context, user *empire.User, action string, resource string, params map[string]string) (bool, error)
}

This may dovetail into the policy documents being added in https://github.com/remind101/empire/pull/987 to configure what Empire actions should require confirmation.