Security

How to encrypt password when creating custom alert actions in Splunk Add-on Builder?

diwaly2019
New Member

Hi all,

I am using the custom alert action with the Python script to SSH to our Fortigate firewalls and restart the URL filter daemon using one specific Fortigate CLI command. Initially I did not use Splunk Add-on Builder and simply manually edit the alert_actions.conf, app.conf and UI etc.. The python script under the bin folder of app fetch the payload and reads the host field and based on that, use Paramiko module to SSH to the remote Fortigate firewall and execute CLI command to restart the urlfilter daemon. The script is ok however I had to hardcode the username and password in the script. That makes me turn to Splunk Add-on Builder.

Unfortunately I don't know how to add the account for credential storage. I cannot even find where to add account. Did try the global account setting however got the error of "Global Settings Could not be saved".

Could u please advise what I can do to achieve the credential storage with password encrypted so I can use API call to fetch the credential for SSH login?

Thank you!

David

0 Karma
1 Solution

manjunathmeti
Champion

Hi @diwaly2019,
Create app setup page (setup.xml in /default) that accepts user credentials and update python script to read credentials:

setup.xml

<setup>
<block title="Add new credentials" endpoint="storage/passwords" entity="_new">
  <input field="name">
    <label>Username</label>
    <type>text</type>
  </input>

  <input field="password">
    <label>Password</label>
    <type>password</type>
  </input>
</block>
</setup>

Python code:

import json
import splunk.entity as entity

if __name__ == "__main__":
    app = "<app_name>where_credentials_stored"
    try:
        settings = json.loads(sys.stdin.read())
        config = settings['configuration']
        entities = entity.getEntities(['admin', 'passwords'], namespace=app, owner='nobody', sessionKey=settings['session_key'])
        i, c = entities.items()[0]
        user, password = c['username'], c['clear_password']
    except Exception as e:
        print >> sys.stderr, "ERROR Unexpected error: %s" % e
        sys.exit(1)

Credentials are stored in passwords.conf in your app.

View solution in original post

0 Karma

diwaly2019
New Member

Hi @manjunathmeti ,

That worked for me! Thanks for your help.

Regards,
David

0 Karma

manjunathmeti
Champion

Hi @diwaly2019,
Create app setup page (setup.xml in /default) that accepts user credentials and update python script to read credentials:

setup.xml

<setup>
<block title="Add new credentials" endpoint="storage/passwords" entity="_new">
  <input field="name">
    <label>Username</label>
    <type>text</type>
  </input>

  <input field="password">
    <label>Password</label>
    <type>password</type>
  </input>
</block>
</setup>

Python code:

import json
import splunk.entity as entity

if __name__ == "__main__":
    app = "<app_name>where_credentials_stored"
    try:
        settings = json.loads(sys.stdin.read())
        config = settings['configuration']
        entities = entity.getEntities(['admin', 'passwords'], namespace=app, owner='nobody', sessionKey=settings['session_key'])
        i, c = entities.items()[0]
        user, password = c['username'], c['clear_password']
    except Exception as e:
        print >> sys.stderr, "ERROR Unexpected error: %s" % e
        sys.exit(1)

Credentials are stored in passwords.conf in your app.

0 Karma

diwaly2019
New Member

Hi all,

I found below link that may address my question however could not get below statement.

http://www.georgestarcher.com/splunk-stored-encrypted-credentials/

The Add-on Builder provides an alternative solution that does encrypt credentials. You have to use the Add-on Setup Parameters panel and check the Add Account box. This lets you build a setup page you can enter credentials in for the TA. Those credentials will be stored in passwords.conf for the TA’s app context.

I could not find "Add Account" box to check.

Anyway, if this does not work for me. I probably will turn back to the original solution and use another config file to store the password and use some linux tools to encrypt the config file.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...