From 77a9bf2697d1cac9f914434680a6f203e415c448 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 22 Sep 2020 13:16:20 -0400
Subject: [PATCH 1/6] test single quotes in secrets pillar

---
 setup/so-functions | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index b383de6c9..3230d5e61 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -183,10 +183,10 @@ secrets_pillar(){
 mkdir -p $local_salt_dir/pillar
 printf '%s\n'\
 "secrets:"\
- " mysql: $MYSQLPASS"\
- " playbook: $PLAYBOOKPASS"\
- " fleet: $FLEETPASS"\
- " fleet_jwt: $FLEETJWT"\
+ " mysql: '$MYSQLPASS'"\
+ " playbook: '$PLAYBOOKPASS'"\
+ " fleet: '$FLEETPASS'"\
+ " fleet_jwt: '$FLEETJWT'"\
 " fleet_enroll-secret: False" > $local_salt_dir/pillar/secrets.sls
 fi
 }
From 70f98e2eea3ba2827ed8dbce2f46f7b3f98c8852 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 23 Sep 2020 13:00:18 -0400
Subject: [PATCH 2/6] take care single quotes if they are in the WEBPASSWD

---
 setup/so-functions | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 568cfb092..f5a9233e8 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1137,15 +1137,16 @@ manager_global() {
 " airgap: False"\
 >> "$global_pillar"
 fi
+ WEBPASSWD1CLEAN=$(echo $WEBPASSWD1|sed -e "s/'/''/g")
 # Check if TheHive is enabled. If so, add creds and other details
 if [[ "$THEHIVE" == "1" ]]; then
 printf '%s\n'\
 " hiveuser: $WEBUSER"\
- " hivepassword: '$WEBPASSWD1'"\
+ " hivepassword: '$WEBPASSWD1CLEAN'"\
 " hivekey: $HIVEKEY"\
 " hiveplaysecret: $HIVEPLAYSECRET"\
 " cortexuser: $WEBUSER"\
- " cortexpassword: '$WEBPASSWD1'"\
+ " cortexpassword: '$WEBPASSWD1CLEAN'"\
 " cortexkey: $CORTEXKEY"\
 " cortexorgname: SecurityOnion"\
 " cortexorguser: soadmin"\
From 6f7dbee36e154c97d45b2b8c64bd294f5b7fb0ab Mon Sep 17 00:00:00 2001
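Review bot: Wrapping the four secrets in single quotes without escaping means a generated secret that itself contains `'` produces a secrets.sls that does not parse, since a YAML single-quoted scalar represents an embedded quote as `''`; the form that patch 3/6 restores (` mysql: $MYSQLPASS`) has the mirror-image problem, because a plain scalar is misread when the value begins with a YAML indicator such as `*`, `&`, `!`, `[` or `{`, contains `: ` or ` #`, or looks like a number or boolean. Whether either form is safe depends on the alphabet the generators of MYSQLPASS, PLAYBOOKPASS, FLEETPASS and FLEETJWT draw from, which is not visible in this series; if they are restricted to alphanumerics, record that above the printf, e.g. `# values are written as plain YAML scalars; the generators must emit [A-Za-z0-9] only`, otherwise keep the quotes and double each `'` on write the way patch 2 does with sed, fed through `printf '%s'` rather than an unquoted echo. `$local_salt_dir` in the mkdir and the redirect should also be double-quoted. secrets_pillar's body begins outside the hunk.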
From: m0duspwnens
Date: Wed, 23 Sep 2020 14:57:26 -0400
Subject: [PATCH 3/6] remove single quotes from secrets pillar

---
 setup/so-functions | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index f5a9233e8..18bfbd819 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -183,10 +183,10 @@ secrets_pillar(){
 mkdir -p $local_salt_dir/pillar
 printf '%s\n'\
 "secrets:"\
- " mysql: '$MYSQLPASS'"\
- " playbook: '$PLAYBOOKPASS'"\
- " fleet: '$FLEETPASS'"\
- " fleet_jwt: '$FLEETJWT'"\
+ " mysql: $MYSQLPASS"\
+ " playbook: $PLAYBOOKPASS"\
+ " fleet: $FLEETPASS"\
+ " fleet_jwt: $FLEETJWT"\
 " fleet_enroll-secret: False" > $local_salt_dir/pillar/secrets.sls
 fi
 }
From 85e53c53af6617491963e37bc85742cbe23c542b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Sep 2020 11:51:19 -0400
Subject: [PATCH 4/6] reject passwords with single or double quotes or backslashes

---
 salt/common/tools/sbin/so-common | 6 ++++++
 salt/common/tools/sbin/so-fleet-user-add | 5 +++++
 salt/common/tools/sbin/so-thehive-user-add | 5 +++++
 setup/so-functions | 6 +++++-
 setup/so-whiptail | 7 +++++++
 5 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 7f436a85d..e5ed79413 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -44,4 +44,10 @@ lookup_pillar_secret() {
 check_container() {
 docker ps | grep "$1:" > /dev/null 2>&1
 return $?
+}
+
+check_password() {
+ local password=$1
+ echo "$password" | egrep -v "'|\"|\\\\" > /dev/null 2>&1
+ return $?
 }
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add
index 265020091..4b6af2825 100755
--- a/salt/common/tools/sbin/so-fleet-user-add
+++ b/salt/common/tools/sbin/so-fleet-user-add
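Review bot: `echo "$password"` in check_password hands the password to echo as an argument, so a value such as `-n` or `-e` is consumed as an option and never reaches the denylist; a bash pattern match avoids both that and the pipeline: `[[ $password != *[\'\"\\]* ]]` as the function's only statement, which also makes the trailing `return $?` unnecessary. An empty password passes the check as written (the empty line does not match), so the callers' other validation has to cover that case, and I cannot see whether it does. `egrep` is the deprecated spelling of `grep -E`, and the new closing brace leaves so-common without a trailing newline (`\ No newline at end of file`). The invalid-password message is now repeated verbatim in so-fleet-user-add, so-thehive-user-add and so-whiptail; one string defined next to check_password would keep them in step.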
@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
 fi
 read -rs FLEET_PASS

+if ! check_password "$FLEET_PASS"; then
+ echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
+ exit 2
+fi
+
 FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
 if [[ $? -ne 0 ]]; then
 echo "Failed to generate Fleet password hash."
diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add
index 3a94d8803..c0e686805 100755
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
 fi
 read -rs THEHIVE_PASS

+if ! check_password "$THEHIVE_PASS"; then
+ echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
+ exit 2
+fi
+
 # Create new user in TheHive
 resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}")
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
diff --git a/setup/so-functions b/setup/so-functions
index 400052d30..aec5fe38a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -371,7 +371,11 @@ collect_webuser_inputs() {

 WPMATCH=no
 while [[ $WPMATCH != yes ]]; do
- whiptail_create_web_user_password1
+ whiptail_create_web_user_password1
+ while ! check_password "$WEBPASSWD1"; do
+ whiptail_invalid_pass_characters_warning
+ whiptail_create_web_user_password1
+ done
 if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then
 whiptail_create_web_user_password2
 check_web_pass
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 2996969fa..68716f7e1 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
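Review bot: The new check guards an interpolation that is still present on the FLEET_HASH line just below it: the password is spliced into Python source handed to `python -c`, so the character denylist is load-bearing and any later relaxation of check_password turns a password into code run inside the so-soctopus container. The hash line can stop depending on it by passing the password on stdin instead, `FLEET_HASH=$(printf '%s' "$FLEET_PASS" | docker exec -i so-soctopus python -c "import sys, bcrypt; print(bcrypt.hashpw(sys.stdin.read().encode('utf-8'), bcrypt.gensalt()).decode('utf-8'))" 2>&1)`, which also keeps the password out of the container process's argv. The `2>&1` inside the substitution still stores Python's stderr in FLEET_HASH on failure, which the following `$?` test catches before the value is used. The script continues outside the hunk.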
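Review bot: The same interpolation concern applies to the curl line after the new check: THEHIVE_PASS is spliced into a hand-built JSON body, and so is THEHIVE_USER, which check_password does not cover, so a user name containing `"` or `\` still yields malformed JSON or a document other than the one intended. Building the body with an encoder, e.g. `jq -n --arg login "$THEHIVE_USER" --arg pw "$THEHIVE_PASS" '{login:$login, name:$login, roles:["read","alert","write","admin"], preferences:"{}", password:$pw}'` if jq is available on the manager, removes the need for a character denylist altogether. Passing the body as a `-d` argument also exposes the password to any local user listing processes while curl runs; `-d @-` with the body on stdin avoids that. The script continues outside the hunk.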
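Review bot: The inner `while ! check_password "$WEBPASSWD1"` loop has no exit other than a valid password, and the functions it calls return immediately when TESTING is set (whiptail_invalid_pass_characters_warning does so in the so-whiptail hunk below; whiptail_create_web_user_password1 presumably follows the same pattern), so a test fixture whose WEBPASSWD1 contains a quote or backslash makes setup spin forever; the fleet-user loop added in patch 5 has the same shape. Leaving the loop when the value cannot change, e.g. `[ -n "$TESTING" ] && break` as its first statement, or failing the run with a logged message, keeps an invalid fixture from hanging. The loop also relies on check_password being in scope in setup/so-functions, which means this file must source so-common or carry its own copy; that is not visible in the series. collect_webuser_inputs starts and ends outside the hunk.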
@@ -381,6 +381,13 @@ whiptail_invalid_pass_warning() {
 whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
 }

+whiptail_invalid_pass_characters_warning() {
+
+ [ -n "$TESTING" ] && return
+
+ whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75
+}
+
 whiptail_cur_close_days() {

 [ -n "$TESTING" ] && return
From bda90788438c7bb9517e8f0a9f412e81b8cb2cab Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Sep 2020 13:25:23 -0400
Subject: [PATCH 5/6] check for invalid characters in fleet user password

---
 setup/so-functions | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/setup/so-functions b/setup/so-functions
index aec5fe38a..b910e4ee9 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -351,6 +351,10 @@ collect_fleetuser_inputs() {
 FPMATCH=no
 while [[ $FPMATCH != yes ]]; do
 whiptail_create_fleet_node_user_password1
+ while ! check_password "$FLEETNODEPASSWD1"; do
+ whiptail_invalid_pass_characters_warning
+ whiptail_create_fleet_node_user_password1
+ done
 whiptail_create_fleet_node_user_password2
 check_fleet_node_pass
 done
From 3b709e7877187bd4deda66604e2b8e453d1e3a27 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Sep 2020 14:44:14 -0400
Subject: [PATCH 6/6] remove cleaning of webpasswd1

---
 setup/so-functions | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index b43a80ed0..214d02294 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1153,16 +1153,15 @@ manager_global() {
 " airgap: False"\
 >> "$global_pillar"
 fi
- WEBPASSWD1CLEAN=$(echo $WEBPASSWD1|sed -e "s/'/''/g")
 # Check if TheHive is enabled. If so, add creds and other details
 if [[ "$THEHIVE" == "1" ]]; then
 printf '%s\n'\
 " hiveuser: $WEBUSER"\
- " hivepassword: '$WEBPASSWD1CLEAN'"\
+ " hivepassword: '$WEBPASSWD1'"\
 " hivekey: $HIVEKEY"\
 " hiveplaysecret: $HIVEPLAYSECRET"\
 " cortexuser: $WEBUSER"\
- " cortexpassword: '$WEBPASSWD1CLEAN'"\
+ " cortexpassword: '$WEBPASSWD1'"\
 " cortexkey: $CORTEXKEY"\
 " cortexorgname: SecurityOnion"\
 " cortexorguser: soadmin"\
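Review bot: With the sed escaping removed, `hivepassword: '$WEBPASSWD1'` and `cortexpassword: '$WEBPASSWD1'` are valid YAML only because collect_webuser_inputs rejects `'` (and `"` and `\`) at input time, and nothing here says so; a comment above the printf, `# WEBPASSWD1 is emitted as a single-quoted YAML scalar; check_password in collect_webuser_inputs guarantees it contains no ' " or \`, keeps the two places from drifting apart. If WEBPASSWD1 can also arrive through a non-interactive path that bypasses collect_webuser_inputs, that guarantee does not hold there and the doubled-quote escaping was the more robust choice. The neighbouring `hivekey`, `hiveplaysecret` and `cortexkey` values are written unquoted, and whether their generators can emit YAML-significant characters is not visible in this hunk. manager_global starts and ends outside the hunk.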