Security

Credentials Encryption in bash script

jadengoho
Builder

Hi All,

I have this short bash script, and i want to encrypt the admin and changeme credentials, cause it is displayed on clear text.

 

 

#!/bin/bash

/opt/splunk/bin/splunk set minfreemb 1000 -auth admin:changeme
/opt/splunk/bin/splunk edit user test01 -force-change-pass true -auth admin:changeme

 

 

Is there any way to achieve this.

Labels (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

In my minds there is at least two options, cannot say if those are suitable for you.

  1. If possible login first into splunk and then run that script without user pass options. Just enter into cmd line "splunk login" then enter user + pass. Of course this needs that you can run this first part manually. After that there are login token under Splunk User until it expires.
  2. Use ansible with vault and there is an option no_log which prevent writing password to log files. https://docs.ansible.com/ansible/latest/reference_appendices/logging.html

r. Ismo

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

In my minds there is at least two options, cannot say if those are suitable for you.

  1. If possible login first into splunk and then run that script without user pass options. Just enter into cmd line "splunk login" then enter user + pass. Of course this needs that you can run this first part manually. After that there are login token under Splunk User until it expires.
  2. Use ansible with vault and there is an option no_log which prevent writing password to log files. https://docs.ansible.com/ansible/latest/reference_appendices/logging.html

r. Ismo

0 Karma

jadengoho
Builder

HI @isoutamo 

Can the first option process this ?

/opt/splunk/bin/splunk add search-server https://<IPADDRESS>-auth admin:changeme -remoteUsername <ADMIN>-remotePassword <PASS>

0 Karma

isoutamo
SplunkTrust
SplunkTrust

It can handle the first part, but not the last --remotePassword.

I prefer to use ansible for those. Another way is store those to env variables as 

read remotePass 
<add pass here, then Ctlr+D>
splunk .... -remotePassword $remotePass

 When you want to use any password on scripts you must have vault password somewhere which need to enter/get from files/<your method here> to used to decrypt the encrypted password from file.

I haven't try to use tokens with this kind of issues. Basically it could be possible to define token and then use curl (instead of traditional cli) for those tasks where it's suitable. That way you don't need to write that password as a clear text into bash files. Anyhow that token is there and anyone who get it can do anything what is allowed with it (that user).

This is one reason why I prefer ansible with vault from centralised ctrl node. Then I have only one place where I must restrict access and ensure that it's security level is enough high.

r. Ismo

0 Karma

jadengoho
Builder

Thanks @isoutamo 

I manage to create a BASH script that will run ansible playbook for docker containers.

 

Bash script: - using "-e" to pass the parameters from the bash script to ansible playbook.

ansible-playbook splunk_docker_creation.yml -e docker_folder_path=${docker_folder_path} -e folder_to_find=${folder_to_find} -e splunk_mount_path=${splunk_mount_path} -e base_port=${port} -e splunk_container_port=${splunk_container_port} -e username=${username} --vault-password-file /somewhere/pass

 

Ansible Playbook - since i need to run a script for the docker i use this script

- name: Setting minfreemb to 1000
  shell: docker exec --user root {{ dockercontainername }} bash -c '/opt/splunk/bin/splunk set minfreemb 1000 -auth admin:{{ SplunkDefaultAdminCredentials }}'
  no_log: true

 
and as suggested i use ansible vault to secure the password with the no_log and put the key into a secured file.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...