
Splunk Add-on for Nessus Tenable API: Getting error "Fail to decrypt the encrypted credential information - not well-formed (invalid token)"?

jonathan_cooper
Communicator

I have the latest TA Nessus installed and it was working fine for about a week importing nessus reports through the Tenable API calls. It then stopped indexing events and reported the following error(s):

2016-08-08 17:04:27,658 +0000 log_level=ERROR, pid=18084, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
    config_cls=configer_cls)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
    tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
    return config_cls(meta_config, settings)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 24, in __init__
    self._load_task_configs()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 48, in _load_task_configs
    self._client_schema)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 67, in __init__
    self._load_conf_contents()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 93, in _load_conf_contents
    self._all_conf_contents = self._config.load()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 127, in load
    raise ConfigException(msg)
ConfigException: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_tenable_settings': External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 135, column 41'. See splunkd.log for stderr output."}]}

as well as:

2016-08-08 17:04:27,658 +0000 log_level=ERROR, pid=18084, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_tenable_settings': External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 135, column 41'.  See splunkd.log for stderr output."}]}
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 21, in <module>
    ta_run()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 17, in ta_run
    ta_input.main(collector_cls, schema_file_path, 'tenable_sc')
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
    config_cls=configer_cls)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
    tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
    return config_cls(meta_config, settings)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 24, in __init__
    self._load_task_configs()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 48, in _load_task_configs
    self._client_schema)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 67, in __init__
    self._load_conf_contents()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 93, in _load_conf_contents
    self._all_conf_contents = self._config.load()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 126, in load
    log(msg, level=logging.ERROR, need_tb=True)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 48, in log
    stack = ''.join(traceback.format_stack())
None

I've tried restarting the Heavy Forwarder that is collecting it, as well as changing the "start_time" located in the tenable_sc_inputs.conf to try and reset the checkpoint information, but no luck.

1 Solution

jbailey_splunk
Splunk Employee

Resolution:

Edit the following file on the HF: Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py
Insert the following at Line 138 within the file: Code: self._cookie = self._cookie[74:]
Save the file
Restart Splunk


johnmccash
Explorer

We just discovered a similar problem with another add-on (qualys, in our case), but the culprit turned out to be the exact same add-on, (on three different hosts) SA-ldapsearch. I'm guessing there must be a bug in some version of this or some related component, that causes this corruption in the clear_password field. Can someone from Splunk confirm that, and provide information on when/whether the problem is fixed?

0 Karma

richgalloway
SplunkTrust

@johnmccash, This is an old question with an accepted answer. For better chances at a helpful response, please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

perfecto25
Path Finder

Was able to resolve this issue with support's help:

1) Access this url and fetch all content of passwords.conf, please do add "count=-1" to list all stanzas:
https://:8089/servicesNS/nobody/-/storage/passwords?output_mode=json&count=-1

2) Format the json by any tool you are familiar with and check “content->clear_password” for each item under “object->entry”. If the clear_password is garbled, then copy this item’s “id” out and delete it

Delete it by:

> curl -k -u <user:password> -X DELETE <url from id part>
Sample operation for above case:
> curl -k -u admin:admin -X DELETE https://10.66.137.43:8089/servicesNS/nobody/Splunk_TA_microsoft-cloudservices/storage/passwords/__REST_CREDENTIAL__%23Splunk_TA_microsoft-office365%23testtest%3A123%3A

After above steps, please remember to reconfigure the passwords for deleted stanzas.

Turns out another add-on had a corrupt or bad password; this is what's screwing up Tenable.

This is what my JSON looks like:

 "entry": [
    {
      "content": {
        "username": "default",
        "realm": "SA-ldapsearch",
        "password": "********",
        "encr_password": "$1$IJYiBLKN31eZ+i5t7/Acj7",
        "eai:acl": null,
        "clear_password": "�\u0012!�8|\u001a��c|��\u0013�"
      },
      "acl": {
        "sharing": "global",
        "removable": true,
        "perms": {
          "write": [
            "admin",
            "it"
          ],
          "read": [
            "it"
          ]
        },
        "owner": "joe.sixpack",
        "app": "SA-ldapsearch",
        "can_change_perms": true,
        "can_list": true,
        "can_share_app": true,
        "can_share_global": true,
        "can_share_user": true,
        "can_write": true,
        "modifiable": true
      },
      "author": "joe.sixpack",
      "links": {
        "remove": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
        "edit": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
        "_reload": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A/_reload",
        "list": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
        "alternate": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A"
      },
      "updated": "2017-05-03T08:35:08-04:00",
      "id": "https://SPLUNK:8089/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
      "name": "SA-ldapsearch:default:"

I opened up the SA-ldapsearch add-on, changed the configured password, restarted Splunk and Tenable now works properly.

0 Karma
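
The check in step 2 of the post above can be scripted instead of done by eye. This is an added example, not part of the original post or of any Splunk add-on: it parses a saved `storage/passwords` JSON response and lists the entries whose `clear_password` contains U+FFFD or control characters, without ever echoing the secret. The sample response, the `example_app` entry and this definition of "garbled" are assumptions.

```python
import json
import re

# C0 control characters that XML 1.0 forbids (everything below 0x20 except
# tab, LF and CR) plus U+FFFD, the marker left where bytes failed to decode.
GARBLED = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ufffd]")

# Constructed sample, shaped like the JSON quoted in the post. The second
# entry ("example_app") is hypothetical and stands in for a healthy credential.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"id": "https://SPLUNK:8089/servicesNS/nobody/SA-ldapsearch/storage/"
           "passwords/SA-ldapsearch%3Adefault%3A",
     "content": {"realm": "SA-ldapsearch", "username": "default",
                 "clear_password": "\ufffd\u0012!\ufffd8|\u001a\ufffd"}},
    {"id": "https://SPLUNK:8089/servicesNS/nobody/example_app/storage/"
           "passwords/example_app%3Asvc%3A",
     "content": {"realm": "example_app", "username": "svc",
                 "clear_password": "constructed-Value\t1"}},
]})


def find_garbled(response_text):
    """Return (id, realm, username) for each entry whose clear_password
    contains a replacement or control character. The secret itself is
    never returned, so the result is safe to log or paste into a ticket."""
    flagged = []
    for entry in json.loads(response_text).get("entry", []):
        content = entry.get("content") or {}
        secret = content.get("clear_password")
        if isinstance(secret, str) and GARBLED.search(secret):
            flagged.append((entry.get("id"), content.get("realm"),
                            content.get("username")))
    return flagged


if __name__ == "__main__":
    for entry_id, realm, username in find_garbled(SAMPLE_RESPONSE):
        print("garbled credential: realm=%s username=%s" % (realm, username))
        print("  id to delete and then reconfigure: %s" % entry_id)
```

To use it on a real instance, save the output of step 1 to a file and pass the file's contents to `find_garbled`.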

perfecto25
Path Finder

I never got this to work right. Ended up writing a py script to get scan data out as CSV, and then have Splunk read this CSV off a forwarder, and then created some dashboards around this. Works nicely. Let me know if you need the script.

0 Karma

nikkkc
Path Finder

I get the same issue. I tested this out in my test environment and I figured out that this issue only occurs if Splunk runs on Linux. On Windows, the same version of Splunk and Tenable 5.1.1 work like a charm.

0 Karma

perfecto25
Path Finder

py script

https://gist.github.com/perfecto25/71c50288150180911ecc6cd7f355969e

it downloads the scan as a csv to wherever you run the script from, then I have splunk feed in that csv data via a forwarder, and then you can create dashboards

0 Karma

jat75
Explorer

Yeah I'd like to take a look at the script too. Does it work with SC or directly with Nessus? Thanks!

0 Karma

Blu3fish
Path Finder

I'd definitely be interested in your script if you're willing to share it out. Cheers

0 Karma

perfecto25
Path Finder

getting this error as well,

Splunk Version
6.5.2
Splunk Build
67571ef4b87d

Current Application: Splunk Add-on for Tenable

App Version
5.1.1
App Build
2

Searching this index,

index=_internal sourcetype=tenable:sc:log source="/opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log"

getting same error

0000 log_level=ERROR, pid=19605, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 33, column 37'. See splunkd.log for stderr output."}]}
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 21, in

I upgraded the Tenable add-on recently, not sure if this is related to the upgrade. My security_center.py perform_request def looks like this,

def perform_request(self, method, path, data=None):
    # build headers
    headers = {'Content-Type': 'application/json'}
    if self._token is not None:
        headers['X-SecurityCenter'] = self._token
    if self._cookie is not None:
        headers['Cookie'] = self._cookie

    # Only convert the data to JSON if there is data.
    if data is not None:
        data = json.dumps(data)

    # make a request
    if self._proxy_config:
        http = sr.build_http_connection(
            config=self._proxy_config,
            timeout=self._timeout,
            disable_ssl_validation=
            self._disable_ssl_certificate_validation)
    else:
        http = httplib2.Http(timeout=self._timeout,
                             disable_ssl_certificate_validation=
                             self._disable_ssl_certificate_validation)

    response, content = http.request(
        self._uri(path), method, data, headers)

    if path.find('download') != -1:
        return content

    result = json.loads(content)

    self._error_check(response, result)

    set_cookie = response.get('set-cookie')

    if set_cookie:
        self._cookie = set_cookie[set_cookie.find(',') + 1:].strip()
        stulog.logger.debug('{} set-cookie={}'.format(self._logger_prefix,
                                                      set_cookie))
        stulog.logger.debug('{} self._cookie={}'.format(
            self._logger_prefix, self._cookie))

    return result['response']

I'm getting the same error when upgrading the Tenable add-on to version 5.1.1

looking in

0 Karma

aaraneta_splunk
Splunk Employee

@perfecto25 - It looks like some text got cut off at the bottom. Also, this question is quite old so it may not garner much activity. I would suggest posting a new question.

0 Karma

jbailey_splunk
Splunk Employee

Resolution:

Edit the following file on the HF: Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py
Insert the following at Line 138 within the file: Code: self._cookie = self._cookie[74:]
Save the file
Restart Splunk

stmyers84
Explorer

This worked for me, thanks!

0 Karma

jat75
Explorer

Do we know if this fix works for when using Security Center 5.4+ or is it as @worshamn says below and 5.4+ just isn't supported yet? Thanks!

0 Karma

worshamn
Contributor

@jbailey's provided fix worked for 5.4

0 Karma

jat75
Explorer

I am running SC 5.4.2... wonder if that's why I am seeing this. Or maybe I applied the line of code wrong. Could you tell me which line comes before/after the line you added from jbailey? I have code on line 138 so I wasn't sure if it should go before or after said line.

To be clear, I am getting this error message when trying to add a Security Center server to the TA config.

Thanks @worshamn !

0 Karma

demeonusmint
New Member

Hey jat75,
ever got this working? I am having the same issue.

0 Karma

jat75
Explorer

After many restarts of our splunk boxes (all of them) it magically started working and I was able to add my security center box to the app configuration. However, I gave up on this because to make this work it also needs a heavy forwarder. This rings as rather odd to me when you are essentially using REST and login creds for your SC box to be able to login and pull back data. Shouldn't need a heavy forwarder IMO...and I don't have time to build one. Nor have I even seen what benefit there is to hooking them together. Not even a screenshot. So for now I just login to SC to view my vuln data. Thanks.

0 Karma

gdavid
Path Finder

Which version is this fix for? I just tried it on 5.1.1 and it's not working.

0 Karma

stmyers84
Explorer

I believe this was originally for 5.0, but then fixed in 5.1.0 which is the version I'm currently on.

0 Karma

gdavid
Path Finder

5.1.1 installed and seeing the same problem.

output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 33, column 47'. See splunkd.log for stderr output."}]}
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py"

0 Karma