Enable MFA support

This commit is contained in:
Jason Ertel
2022-02-15 07:49:12 -05:00
parent c5d6f09320
commit d97423e9f8
4 changed files with 29 additions and 4 deletions


@@ -147,7 +147,10 @@ function updatePassword() {
# Generate password hash # Generate password hash
passwordHash=$(hashPassword "$password") passwordHash=$(hashPassword "$password")
# Update DB with new hash # Update DB with new hash
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}';" | sqlite3 "$databasePath" echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 "$databasePath"
# Deactivate MFA
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 "$databasePath"
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 "$databasePath"
[[ $? != 0 ]] && fail "Unable to update password" [[ $? != 0 ]] && fail "Unable to update password"
fi fi
} }
@@ -244,10 +247,12 @@ function syncElastic() {
if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then
# Append the SOC users # Append the SOC users
echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
"from identity_credential_identifiers ici, identity_credentials ic, identities i " \ "from identity_credential_identifiers ici, identity_credentials ic, identities i, identity_credential_types ict " \
"where " \ "where " \
" ici.identity_credential_id=ic.id " \ " ici.identity_credential_id=ic.id " \
" and ic.identity_id=i.id " \ " and ic.identity_id=i.id " \
" and ict.id=ic.identity_credential_type_id " \
" and ict.name='password' " \
" and instr(ic.config, 'hashed_password') " \ " and instr(ic.config, 'hashed_password') " \
" and i.state == 'active' " \ " and i.state == 'active' " \
"order by ici.identifier;" | \ "order by ici.identifier;" | \
@@ -261,8 +266,11 @@ function syncElastic() {
userId=$(echo "$rolePair" | cut -d: -f2) userId=$(echo "$rolePair" | cut -d: -f2)
role=$(echo "$rolePair" | cut -d: -f1) role=$(echo "$rolePair" | cut -d: -f1)
echo "select '$role:' || ici.identifier " \ echo "select '$role:' || ici.identifier " \
"from identity_credential_identifiers ici, identity_credentials ic " \ "from identity_credential_identifiers ici, identity_credentials ic, identity_credential_types ict " \
"where ici.identity_credential_id=ic.id and ic.identity_id = '$userId';" | \ "where ici.identity_credential_id=ic.id " \
" and ict.id=ic.identity_credential_type_id " \
" and ict.name='password' " \
" and ic.identity_id = '$userId';" | \
sqlite3 "$databasePath" >> "$rolesTmpFile" sqlite3 "$databasePath" >> "$rolesTmpFile"
done < "$socRolesFile" done < "$socRolesFile"
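Review bot: The `[[ $? != 0 ]] && fail "Unable to update password"` check now reflects only the last sqlite3 pipeline (the `delete from identity_credentials`), so a failed password `update` goes undetected and a failed identifier delete is masked by a successful credential delete. Each of the three pipelines should carry its own check, e.g. `| sqlite3 "$databasePath" || fail "Unable to update password"` on the update and `| sqlite3 "$databasePath" || fail "Unable to deactivate MFA"` on the two deletes, after which the trailing `$?` line is redundant. If more than one `totp` row can ever exist per identity, `identity_credential_id=(select id …)` matches only one of them; `identity_credential_id in (select id …)` is the safer form. Removing the TOTP credential on every password change also means this admin path silently downgrades an MFA-enrolled account to a single factor; a comment such as `# Resetting the password also removes any enrolled TOTP factor; the user must re-enroll MFA` plus an operator-visible message would make that explicit. The `updatePassword` function begins before this hunk.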


@@ -1,9 +1,12 @@
{%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%} {%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%}
{%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%} {%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%}
{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', 'Security Onion') -%}
session: session:
lifespan: {{ SESSIONTIMEOUT }} lifespan: {{ SESSIONTIMEOUT }}
whoami:
required_aal: highest_available
selfservice: selfservice:
methods: methods:
@@ -11,10 +14,15 @@ selfservice:
enabled: true enabled: true
config: config:
haveibeenpwned_enabled: false haveibeenpwned_enabled: false
totp:
enabled: true
config:
issuer: {{ MFA_ISSUER }}
flows: flows:
settings: settings:
ui_url: https://{{ WEBACCESS }}/?r=/settings ui_url: https://{{ WEBACCESS }}/?r=/settings
required_aal: highest_available
verification: verification:
ui_url: https://{{ WEBACCESS }}/ ui_url: https://{{ WEBACCESS }}/
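Review bot: `issuer: {{ MFA_ISSUER }}` is rendered unquoted, so a pillar value containing `:`, `#` or a leading special character would break the rendered YAML or change its type; write it as `issuer: "{{ MFA_ISSUER }}"` — the default `'Security Onion'` only happens to be safe. Setting `required_aal: highest_available` on both `whoami` and the settings flow is the right choice, since a user who has enrolled TOTP can then neither reach protected pages nor alter their own MFA settings with a password-only session, but it presumably also makes `whoami` reject such a session with a 403, which the nginx change elsewhere in this commit appears to rely on. A comment above `whoami:` stating that dependency, e.g. `# Enrolled users must present their TOTP factor; a password-only session is rejected until they do`, would keep the two files from drifting apart. The `session` and `selfservice` blocks continue outside the hunk.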


@@ -17,6 +17,9 @@
"credentials": { "credentials": {
"password": { "password": {
"identifier": true "identifier": true
},
"totp": {
"account_name": true
} }
}, },
"verification": { "verification": {


@@ -399,12 +399,18 @@ http {
} }
error_page 401 = @error401; error_page 401 = @error401;
error_page 403 = @error403;
location @error401 { location @error401 {
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
return 302 /auth/self-service/login/browser; return 302 /auth/self-service/login/browser;
} }
location @error403 {
add_header Set-Cookie "ory_kratos_session=;Path=/;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT;";
return 302 /auth/self-service/login/browser;
}
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /usr/share/nginx/html/50x.html { location = /usr/share/nginx/html/50x.html {
} }
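Review bot: `error_page 403 = @error403;` is declared at the same level as the 401 handler, so any 403 produced in this server — including an authorization denial for a user who is validly logged in — now clears the `ory_kratos_session` cookie and bounces to login, turning a permission error into a forced logout and looping if the denial persists after re-login; whether upstream 403s are intercepted at all depends on `proxy_intercept_errors`, which is not visible here. If the intent is only to catch the AAL2-required response from the session check, scope the `error_page 403` to the location that performs that check rather than the whole server. Unlike `@error401`, `@error403` also drops the original URI; adding `add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";` before the `return 302` would keep the post-login landing consistent between the two paths. The enclosing `http {` block begins before this hunk.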