topic Re: Credentials Encryption in bash script in Security

Credentials Encryption in bash script

jadengoho — Thu, 16 Dec 2021 07:12:12 GMT

Hi All,

I have this short bash script, and i want to encrypt the admin and changeme credentials, cause it is displayed on clear text.

#!/bin/bash /opt/splunk/bin/splunk set minfreemb 1000 -auth admin:changeme /opt/splunk/bin/splunk edit user test01 -force-change-pass true -auth admin:changeme

Is there any way to achieve this.

Re: Credentials Encryption in bash script

isoutamo — Thu, 16 Dec 2021 08:21:47 GMT

In my minds there is at least two options, cannot say if those are suitable for you.

If possible login first into splunk and then run that script without user pass options. Just enter into cmd line "splunk login" then enter user + pass. Of course this needs that you can run this first part manually. After that there are login token under Splunk User until it expires.
Use ansible with vault and there is an option no_log which prevent writing password to log files. https://docs.ansible.com/ansible/latest/reference_appendices/logging.html

r. Ismo

Re: Credentials Encryption in bash script

jadengoho — Thu, 16 Dec 2021 08:28:30 GMT

HI @isoutamo

Can the first option process this ?

/opt/splunk/bin/splunk add search-server https://<IPADDRESS>-auth admin:changeme -remoteUsername <ADMIN>-remotePassword <PASS>

Re: Credentials Encryption in bash script

isoutamo — Thu, 16 Dec 2021 08:46:21 GMT

It can handle the first part, but not the last --remotePassword.

I prefer to use ansible for those. Another way is store those to env variables as

read remotePass <add pass here, then Ctlr+D> splunk .... -remotePassword $remotePass

When you want to use any password on scripts you must have vault password somewhere which need to enter/get from files/<your method here> to used to decrypt the encrypted password from file.

I haven't try to use tokens with this kind of issues. Basically it could be possible to define token and then use curl (instead of traditional cli) for those tasks where it's suitable. That way you don't need to write that password as a clear text into bash files. Anyhow that token is there and anyone who get it can do anything what is allowed with it (that user).

This is one reason why I prefer ansible with vault from centralised ctrl node. Then I have only one place where I must restrict access and ensure that it's security level is enough high.

r. Ismo

Re: Credentials Encryption in bash script

jadengoho — Thu, 16 Dec 2021 12:39:07 GMT

Thanks @isoutamo

I manage to create a BASH script that will run ansible playbook for docker containers.

Bash script: - using "-e" to pass the parameters from the bash script to ansible playbook.

ansible-playbook splunk_docker_creation.yml -e docker_folder_path=${docker_folder_path} -e folder_to_find=${folder_to_find} -e splunk_mount_path=${splunk_mount_path} -e base_port=${port} -e splunk_container_port=${splunk_container_port} -e username=${username} --vault-password-file /somewhere/pass

Ansible Playbook - since i need to run a script for the docker i use this script

- name: Setting minfreemb to 1000 shell: docker exec --user root {{ dockercontainername }} bash -c '/opt/splunk/bin/splunk set minfreemb 1000 -auth admin:{{ SplunkDefaultAdminCredentials }}' no_log: true

and as suggested i use ansible vault to secure the password with the no_log and put the key into a secured file.