
How to encrypt password when creating custom alert actions in Splunk Add-on Builder?

diwaly2019
New Member

Hi all,

I am using the custom alert action with a Python script to SSH to our Fortigate firewalls and restart the URL filter daemon using one specific Fortigate CLI command. Initially I did not use Splunk Add-on Builder and simply manually edited alert_actions.conf, app.conf, the UI etc. The Python script under the bin folder of the app fetches the payload and reads the host field and, based on that, uses the Paramiko module to SSH to the remote Fortigate firewall and execute the CLI command to restart the urlfilter daemon. The script is OK, however I had to hardcode the username and password in the script. That made me turn to Splunk Add-on Builder.

Unfortunately I don't know how to add the account for credential storage. I cannot even find where to add an account. I did try the global account setting, however I got the error "Global Settings Could not be saved".

Could you please advise what I can do to achieve credential storage with the password encrypted, so I can use an API call to fetch the credential for the SSH login?

Thank you!

David

0 Karma
1 Solution

manjunathmeti
Champion

Hi @diwaly2019,
Create an app setup page (setup.xml in /default) that accepts user credentials and update the Python script to read the credentials:

setup.xml

<setup>
<block title="Add new credentials" endpoint="storage/passwords" entity="_new">
  <input field="name">
    <label>Username</label>
    <type>text</type>
  </input>

  <input field="password">
    <label>Password</label>
    <type>password</type>
  </input>
</block>
</setup>

Python code:

from __future__ import print_function
import json
import sys
import splunk.entity as entity

if __name__ == "__main__":
    app = "<app_name>where_credentials_stored"
    try:
        # Splunk passes the alert payload (including the session key) on stdin
        settings = json.loads(sys.stdin.read())
        config = settings['configuration']
        # Read the decrypted storage/passwords entries in the app's context
        entities = entity.getEntities(['admin', 'passwords'], namespace=app, owner='nobody', sessionKey=settings['session_key'])
        i, c = list(entities.items())[0]  # first stored credential
        user, password = c['username'], c['clear_password']
    except Exception as e:
        print("ERROR Unexpected error: %s" % e, file=sys.stderr)
        sys.exit(1)

Credentials are stored in passwords.conf in your app.

0 Karma
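An added example, not code from the thread, showing how the alert script can select the stored account by username and realm instead of taking the first entry in passwords.conf, which becomes arbitrary as soon as a second credential is stored. The payload, the "account" alert parameter and the entity dictionary are constructed stand-ins for what Splunk and splunk.entity.getEntities would supply at run time.

```python
import json
import sys

# Constructed sample of the payload a custom alert action receives on stdin
# (only the fields this script uses; the "account" param name is assumed).
SAMPLE_PAYLOAD = json.dumps({
    "session_key": "EXAMPLE-SESSION-KEY",
    "configuration": {"account": "fortigate-admin"},
    "result": {"host": "fw01.example.internal"},
})

# Constructed stand-in for what splunk.entity.getEntities(['admin', 'passwords'], ...)
# returns: keys look like "<realm>:<username>:", values hold the decrypted secret.
SAMPLE_ENTITIES = {
    "fortigate:readonly:": {"realm": "fortigate", "username": "readonly",
                            "clear_password": "view-only-secret"},
    "fortigate:fortigate-admin:": {"realm": "fortigate", "username": "fortigate-admin",
                                   "clear_password": "s3cr3t"},
}

def parse_payload(raw):
    """Extract the session key, the account chosen in the alert, and the host."""
    settings = json.loads(raw)
    return {
        "session_key": settings["session_key"],
        "account": settings["configuration"]["account"],
        "host": settings["result"]["host"],
    }

def select_credential(entities, username, realm=None):
    """Return (username, clear_password) for exactly one stored account.
    entities.items()[0] picks an arbitrary entry once several credentials live in
    passwords.conf, so match on username (and realm) and refuse ambiguity."""
    matches = [v for v in entities.values()
               if v.get("username") == username
               and (realm is None or v.get("realm") == realm)]
    if len(matches) != 1:
        raise LookupError("expected one credential for %r, found %d"
                          % (username, len(matches)))
    return matches[0]["username"], matches[0]["clear_password"]

if __name__ == "__main__":
    # Inside Splunk the payload is on stdin; use the sample when run by hand.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PAYLOAD
    payload = parse_payload(raw)
    # Real script: entities = entity.getEntities(['admin', 'passwords'], namespace=app,
    #              owner='nobody', sessionKey=payload["session_key"])
    user, secret = select_credential(SAMPLE_ENTITIES, payload["account"], "fortigate")
    print("would SSH to %s as %s" % (payload["host"], user), file=sys.stderr)
```

The session key in the payload belongs to the user owning the saved search, so that role needs permission to read storage/passwords for the lookup to return clear_password.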

diwaly2019
New Member

Hi @manjunathmeti ,

That worked for me! Thanks for your help.

Regards,
David

0 Karma

diwaly2019
New Member

Hi all,

I found the link below that may address my question; however, I could not get the statement below.

http://www.georgestarcher.com/splunk-stored-encrypted-credentials/

The Add-on Builder provides an alternative solution that does encrypt credentials. You have to use the Add-on Setup Parameters panel and check the Add Account box. This lets you build a setup page you can enter credentials in for the TA. Those credentials will be stored in passwords.conf for the TA’s app context.

I could not find "Add Account" box to check.

Anyway, if this does not work for me, I will probably turn back to the original solution and use another config file to store the password and use some Linux tools to encrypt the config file.

0 Karma