
Splunk Addon Builder 4 package resetting password.conf entries to ********

Ludvik
Explorer

All, 

I built a previous TA and upgrades worked fine in the past. My recent TA build with AOB 4.0 has an issue where the modular input passwords in password.conf are all erased and set to ******** (exactly 8). I have tried to debug this every possible way I could. Has anyone seen an issue where passwords were reset with all asterisks? I know from the logs that this occurs immediately after the upgrade, but the logs don't shed light on why the reset occurs.

 

clear_password{"api_key": "********"}

 

I am ripping my hair out and I can't seem to figure out why this is happening. Once I upgrade and try to upgrade to a different build, the issue no longer occurs.

 

0 Karma
1 Solution

Ludvik
Explorer

This issue is specifically related to the new credentials.py under /aob_py[23]/splunktaucclib/rest_handler/credentials.py

The old magic password format was 8 '*' (asterisks), but the new lib is matching the formatting constant to six '*' (asterisks) to make it consistent with solnlib, but it ultimately breaks existing installs.

 

To fix this you must patch the credentials.py to recognize the legacy format (eight asterisks) and rewrite the inputs.conf with the new six asterisks format.

I simply added an additional condition to the _merge_passwords function to check for the old format, and to rewrite the new magic password. This fixes the problem for upgrades and future releases. 

 

elif existed_model["content"][k] == "********":
    # set existing as raw value, magic pattern is the old one so rewrite this item to fix it.
    existed_model["content"][k] = v
    need_write_magic_pwd = True


0 Karma
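A simplified model of the behaviour described in the accepted answer, added here as an example; it is not the code from splunktaucclib or from the post. The function names, variable names and sample secret are assumptions made for the illustration.

```python
# Simplified model of the merge step, written for illustration only.
MAGIC = "******"           # placeholder the newer library expects (six asterisks)
LEGACY_MAGIC = "********"  # placeholder left in the conf by older builds (eight)


def merge_passwords(conf_content, stored_clear, accept_legacy):
    """Merge one stanza read from inputs.conf with its decrypted secrets.

    Returns (content, stored, rewrite_conf):
      content      - stanza handed to the modular input, secrets filled in
      stored       - secrets as they will be saved back to the credential store
      rewrite_conf - True when the conf placeholder must be rewritten as MAGIC
    """
    content, stored, rewrite_conf = dict(conf_content), dict(stored_clear), False
    for field, secret in stored_clear.items():
        value = content.get(field)
        if value == MAGIC:
            content[field] = secret   # placeholder: keep the stored secret
        elif accept_legacy and value == LEGACY_MAGIC:
            content[field] = secret   # old placeholder: keep secret, fix the conf
            rewrite_conf = True
        else:
            stored[field] = value     # treated as a new password typed by the user
            rewrite_conf = True
    return content, stored, rewrite_conf


def clobbered_fields(stored):
    """Fields whose stored secret is only asterisks, i.e. a placeholder was saved."""
    return sorted(k for k, v in stored.items() if v and set(v) == {"*"})


# Constructed sample data: a stanza left behind by an older build.
CONF = {"api_key": LEGACY_MAGIC, "interval": "300"}
STORE = {"api_key": "s3cr3t-example"}

if __name__ == "__main__":
    for accept in (False, True):
        content, stored, rewrite = merge_passwords(CONF, STORE, accept)
        print(accept, content["api_key"], stored, rewrite, clobbered_fields(stored))
```

With `accept_legacy=False` the eight-asterisk placeholder is saved as if it were the secret, which matches the `clear_password{"api_key": "********"}` log line in the question; `clobbered_fields` is the kind of check that would flag an install already hit by this.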

Ludvik
Explorer

The issue is related to the following Python file packaged with AOB. On older versions of AOB packages the credential.py is looking for 8 asterisks in inputs.conf. In later versions it's looking for 6 asterisks, and as a result they overwrite values in password.conf. Basically, your password.conf file will have 8 asterisks encrypted in the resulting password.conf file.

 

/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password

 

 

0 Karma
