CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add so-user-disable script which deletes the SOC user and disables the users in Fleet, TheHive, and Cortex

Browse Source
This commit is contained in:
Jason Ertel
2020-09-02 13:54:44 -04:00
parent 9d85b3223f
commit 0142f43493
8 changed files with 182 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/common/tools/sbin/so-cortex-user-add
View File

@@ -47,7 +47,7 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type:
if [[ "$resp" =~ \"status\":\"Ok\" ]]; then if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
echo "Successfully added user to Cortex." echo "Successfully added user to Cortex."
else else
echo "Failed to add user to Cortex." echo "Unable to add user to Cortex; user might already exist."
exit 2 exit 2
fi fi

56
salt/common/tools/sbin/so-cortex-user-enable Executable file
View File

@@ -0,0 +1,56 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <user-name> <true|false>"
echo ""
echo "Enables or disables a user in Cortex."
exit 1
}
if [ $# -ne 2 ]; then
usage
fi
USER=$1
CORTEX_KEY=$(lookup_pillar cortexkey)
CORTEX_IP=$(lookup_pillar managerip)
CORTEX_USER=$USER
case "${2^^}" in
FALSE | NO | 0)
CORTEX_STATUS=Locked
;;
TRUE | YES | 1)
CORTEX_STATUS=Ok
;;
*)
usage
;;
esac
resp=$(curl -sk -XPATCH -H "Authorization: Bearer $CORTEX_KEY" -H "Content-Type: application/json" "https://$CORTEX_IP/cortex/api/user/${CORTEX_USER}" -d "{\"status\":\"${CORTEX_STATUS}\" }")
if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
echo "Successfully updated user in Cortex."
else
echo "Failed to update user in Cortex."
exit 2
fi

2
salt/common/tools/sbin/so-fleet-user-add
View File

@@ -53,6 +53,6 @@ MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
echo "Successfully added user to Fleet." echo "Successfully added user to Fleet."
else else
echo "Failed to add user to Fleet." echo "Unable to add user to Fleet; user might already exist."
exit 2 exit 2
fi fi

57
salt/common/tools/sbin/so-fleet-user-enable Executable file
View File

@@ -0,0 +1,57 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <user-name>"
echo ""
echo "Enables or disables a user in Fleet."
exit 1
}
if [ $# -ne 2 ]; then
usage
fi
USER=$1
MYSQL_PASS=$(lookup_pillar_secret mysql)
FLEET_IP=$(lookup_pillar fleet_ip)
FLEET_USER=$USER
case "${2^^}" in
FALSE | NO | 0)
FLEET_STATUS=0
;;
TRUE | YES | 1)
FLEET_STATUS=1
;;
*)
usage
;;
esac
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
"UPDATE users SET enabled=$FLEET_STATUS WHERE username='$FLEET_USER'" 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully updated user in Fleet."
else
echo "Failed to update user in Fleet."
exit 2
fi

3
salt/common/tools/sbin/so-thehive-user-add
View File

@@ -46,7 +46,6 @@ resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type:
if [[ "$resp" =~ \"status\":\"Ok\" ]]; then if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
echo "Successfully added user to TheHive." echo "Successfully added user to TheHive."
else else
echo "Failed to add user to TheHive." echo "Unable to add user to TheHive; user might already exist."
echo $resp
exit 2 exit 2
fi fi

57
salt/common/tools/sbin/so-thehive-user-enable Executable file
View File

@@ -0,0 +1,57 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <user-name> <true|false>"
echo ""
echo "Enables or disables a user in thehive."
exit 1
}
if [ $# -ne 2 ]; then
usage
fi
USER=$1
THEHIVE_KEY=$(lookup_pillar hivekey)
THEHIVE_IP=$(lookup_pillar managerip)
THEHIVE_USER=$USER
case "${2^^}" in
FALSE | NO | 0)
THEHIVE_STATUS=Locked
;;
TRUE | YES | 1)
THEHIVE_STATUS=Ok
;;
*)
usage
;;
esac
resp=$(curl -sk -XPATCH -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user/${THEHIVE_USER}" -d "{\"status\":\"${THEHIVE_STATUS}\" }")
if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
echo "Successfully updated user in thehive."
else
echo "Failed to update user in thehive."
echo "$resp"
exit 2
fi

11
salt/common/tools/sbin/so-user
View File

@@ -179,9 +179,9 @@ case "${operation}" in
validateEmail "$email" validateEmail "$email"
createUser "$email" createUser "$email"
echo "Successfully added new user to SOC" echo "Successfully added new user to SOC"
check_container thehive && echo $password | so-thehive-user-add "$email" check_container thehive && (echo $password | so-thehive-user-add "$email" || so-thehive-user-enable "$email" true)
check_container cortex && echo $password | so-cortex-user-add "$email" check_container cortex && (echo $password | so-cortex-user-add "$email" || so-cortex-user-enable "$email" true)
check_container fleet && echo $password | so-fleet-user-add "$email" check_container fleet && (echo $password | so-fleet-user-add "$email" || so-fleet-user-enable "$email" true)
;; ;;
"list") "list")
@@ -202,7 +202,10 @@ case "${operation}" in
[[ "$email" == "" ]] && fail "Email address must be provided" [[ "$email" == "" ]] && fail "Email address must be provided"
deleteUser "$email" deleteUser "$email"
echo "Successfully deleted user" echo "Successfully deleted user"
check_container thehive && so-thehive-user-enable "$email" false
check_container cortex && so-cortex-user-enable "$email" false
check_container fleet && so-fleet-user-enable "$email" false
;; ;;
"validate") "validate")

2
salt/common/tools/sbin/so-user-disable Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/bash
so-user delete $*