
Action Confirmations Proposal

Eric Holmes edited this page Sep 9, 2016 · 5 revisions

Empire exposes some pretty powerful features, like allowing you to easily run and attach to a container inside your infrastructure. Obviously, this poses a potential security risk. Work is being done to add more granular access control, but that only limits what a given identity may do; it does nothing when the identity itself is compromised, for example when an employee's laptop is stolen or a user's API key is exposed.

To address this, we'd like to propose "Action Confirmations" (name suggestions?). When a potentially sensitive command is invoked, Empire will consult a third party to request confirmation that the action being performed should be allowed. If the action is not legitimate (e.g. it was issued with a leaked API token), it can be denied.

To start, we plan to implement a Duo integration using 2FA push notifications. When a sensitive action is performed, Empire would send the user a Duo push and block until the user confirms it; only then will Empire continue. Because the push goes to the user's enrolled device, a stolen API key alone is no longer enough to run the action.

In the future, this could be expanded to support other means of confirmation. For example, I could envision a Slack integration that sends the user a DM for confirmation, or posts to a channel asking for multiple users to confirm the action.

Implementation

Implementation-wise, this will just be a simple interface that the empire.Empire struct consults to authorize the action:

// ActionConfirmer is an interface that can be implemented to confirm that an
// action is allowed.
type ActionConfirmer interface {
        // Confirm should notify the third party of the action being performed,
        // then block until the action has been confirmed.
        Confirm(ctx context.Context, user *empire.User, action string, resource string, params map[string]string) (bool, error)
}

This may dovetail with the policy documents being added in https://github.com/remind101/empire/pull/987 to configure which Empire actions should require confirmation.
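To make the interface above and the policy hook concrete, here is an added example (not code from the Empire project) of how the check could be wired in front of a sensitive action. The `User` type, the `Policy` map, the `Guard` type and the `Always`/`Unanswered`/`AllOf` confirmers are all hypothetical stand-ins; only the `ActionConfirmer` signature follows the proposal. The point it demonstrates is the part the proposal leaves implicit: the check has to fail closed, so an unanswered push, a confirmer error, or a sensitive action with no confirmer configured must all end in denial, never in approval.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// User stands in for empire.User; only the name is needed here (assumption).
type User struct {
	Name string
}

// ActionConfirmer mirrors the interface sketched in the proposal.
type ActionConfirmer interface {
	Confirm(ctx context.Context, user *User, action, resource string, params map[string]string) (bool, error)
}

// ConfirmerFunc adapts a plain function to ActionConfirmer, so a Duo or Slack
// backend (or a test double) can be dropped in without declaring a new type.
type ConfirmerFunc func(ctx context.Context, user *User, action, resource string, params map[string]string) (bool, error)

// Confirm implements ActionConfirmer.
func (f ConfirmerFunc) Confirm(ctx context.Context, user *User, action, resource string, params map[string]string) (bool, error) {
	return f(ctx, user, action, resource, params)
}

// ErrDenied is returned when the confirmer answers "no".
var ErrDenied = errors.New("action denied: not confirmed")

// Policy maps an action name (e.g. "run", "attach") to whether it requires
// confirmation. Hypothetical stand-in for the policy documents in PR 987.
type Policy map[string]bool

// Guard is the piece that would sit in front of a sensitive Empire action.
type Guard struct {
	Policy    Policy
	Confirmer ActionConfirmer
	Timeout   time.Duration // how long to wait for the push to be answered
}

// Authorize returns nil if the action may proceed. It fails closed: a
// timeout, a confirmer error, or a sensitive action with no confirmer
// configured are all reported as errors, so the caller never proceeds on them.
func (g Guard) Authorize(ctx context.Context, user *User, action, resource string, params map[string]string) error {
	if !g.Policy[action] {
		return nil // policy says this action is not sensitive
	}
	if g.Confirmer == nil {
		return fmt.Errorf("%s on %s requires confirmation but no confirmer is configured", action, resource)
	}
	ctx, cancel := context.WithTimeout(ctx, g.Timeout)
	defer cancel()

	ok, err := g.Confirmer.Confirm(ctx, user, action, resource, params)
	if err != nil {
		return fmt.Errorf("confirming %s on %s for %s: %w", action, resource, user.Name, err)
	}
	if !ok {
		return ErrDenied
	}
	return nil
}

// AllOf requires every listed confirmer to approve (e.g. a Duo push to the
// user plus a Slack approval from a second person). The first "no" or error
// short-circuits the rest.
func AllOf(confirmers ...ActionConfirmer) ActionConfirmer {
	return ConfirmerFunc(func(ctx context.Context, user *User, action, resource string, params map[string]string) (bool, error) {
		for _, c := range confirmers {
			ok, err := c.Confirm(ctx, user, action, resource, params)
			if err != nil || !ok {
				return false, err
			}
		}
		return true, nil
	})
}

// Always returns a fixed answer; stands in for a push the user approves or rejects.
func Always(answer bool) ActionConfirmer {
	return ConfirmerFunc(func(context.Context, *User, string, string, map[string]string) (bool, error) {
		return answer, nil
	})
}

// Unanswered models a push nobody acknowledges: it blocks until the Guard's
// timeout expires and then reports the context error.
func Unanswered() ActionConfirmer {
	return ConfirmerFunc(func(ctx context.Context, _ *User, _, _ string, _ map[string]string) (bool, error) {
		<-ctx.Done()
		return false, ctx.Err()
	})
}

func main() {
	g := Guard{
		Policy:    Policy{"run": true, "attach": true},
		Confirmer: Always(true), // swap in a Duo- or Slack-backed confirmer here
		Timeout:   30 * time.Second,
	}
	err := g.Authorize(context.Background(), &User{Name: "alice"}, "run", "acme-inc",
		map[string]string{"command": "bash"})
	fmt.Println("run acme-inc:", err)
}
```

The timeout matters in practice: a Duo push that is never answered should not hold the request open indefinitely, and when it expires the action is denied rather than waved through. Keeping the policy lookup inside `Authorize` also means an action that the policy marks as non-sensitive never triggers a push at all.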