From b6c361f83df75b242c3de293243f6f08ae42bbc0 Mon Sep 17 00:00:00 2001 From: HE Chong Date: Fri, 6 Aug 2021 23:08:59 +0800 Subject: [PATCH 1/4] add user password update script for The Hive --- salt/common/tools/sbin/so-thehive-user-update | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100755 salt/common/tools/sbin/so-thehive-user-update diff --git a/salt/common/tools/sbin/so-thehive-user-update b/salt/common/tools/sbin/so-thehive-user-update new file mode 100755 index 000000000..7378d0934 --- /dev/null +++ b/salt/common/tools/sbin/so-thehive-user-update @@ -0,0 +1,57 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +usage() { + echo "Usage: $0 " + echo "" + echo "Update password for an existing TheHive user. The new password will be read from STDIN." + exit 1 +} + +if [ $# -ne 1 ]; then + usage +fi + +USER=$1 + +THEHIVE_KEY=$(lookup_pillar hivekey) +THEHVIE_API_URL="$(lookup_pillar url_base)/thehive/api" +THEHIVE_USER=$USER + +# Read password for new user from stdin +test -t 0 +if [[ $? == 0 ]]; then + echo "Enter new password:" +fi +read -rs THEHIVE_PASS + +if ! check_password "$THEHIVE_PASS"; then + echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." + exit 2 +fi + +# Change password for user in TheHive +resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHVIE_API_URL/user/${THEHIVE_USER}/password/set" -d "{\"password\" : \"$THEHIVE_PASS\"}") +if [[ -z "$resp" ]]; then + echo "Successfully changed TheHive user password" +else + echo "Changing TheHive user password failed" + echo $resp + exit 2 +fi From 2030ef65f100e254611299bd81cf02cdc82360dd Mon Sep 17 00:00:00 2001 From: HE Chong Date: Fri, 13 Aug 2021 21:50:24 +0800 Subject: [PATCH 2/4] add user password update script for Fleet --- salt/common/tools/sbin/so-fleet-user-update | 64 +++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100755 salt/common/tools/sbin/so-fleet-user-update diff --git a/salt/common/tools/sbin/so-fleet-user-update b/salt/common/tools/sbin/so-fleet-user-update new file mode 100755 index 000000000..7d266ff2f --- /dev/null +++ b/salt/common/tools/sbin/so-fleet-user-update @@ -0,0 +1,64 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +usage() { + echo "Usage: $0 " + echo "" + echo "Update password for an existing Fleet user. The new password will be read from STDIN." + exit 1 +} + +if [ $# -ne 1 ]; then + usage +fi + +USER=$1 + +MYSQL_PASS=$(lookup_pillar_secret mysql) +FLEET_IP=$(lookup_pillar fleet_ip) +FLEET_USER=$USER + +# Read password for new user from stdin +test -t 0 +if [[ $? == 0 ]]; then + echo "Enter new password:" +fi +read -rs FLEET_PASS + +if ! check_password "$FLEET_PASS"; then + echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." + exit 2 +fi + +FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1) +if [[ $? -ne 0 ]]; then + echo "Failed to generate Fleet password hash" + exit 2 +fi + +MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \ + "UPDATE users SET password='$FLEET_HASH', salt='' where username='$FLEET_USER'" 2>&1) + +if [[ $? -eq 0 ]]; then + echo "Successfully updated Fleet user password" +else + echo "Unable to update Fleet user password" + echo "$MYSQL_OUTPUT" + exit 2 +fi From 0d5e3771f55ec8436024a3c33e68cfd0831ecd88 Mon Sep 17 00:00:00 2001 From: HE Chong Date: Fri, 13 Aug 2021 21:52:19 +0800 Subject: [PATCH 3/4] modify user password update script for theHive, keep it in consistency with Fleet counterpart. --- salt/common/tools/sbin/so-thehive-user-update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-thehive-user-update b/salt/common/tools/sbin/so-thehive-user-update index 7378d0934..6df199f6a 100755 --- a/salt/common/tools/sbin/so-thehive-user-update +++ b/salt/common/tools/sbin/so-thehive-user-update @@ -49,9 +49,9 @@ fi # Change password for user in TheHive resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -L "https://$THEHVIE_API_URL/user/${THEHIVE_USER}/password/set" -d "{\"password\" : \"$THEHIVE_PASS\"}") if [[ -z "$resp" ]]; then - echo "Successfully changed TheHive user password" + echo "Successfully updated TheHive user password" else - echo "Changing TheHive user password failed" + echo "Unable to update TheHive user password" echo $resp exit 2 fi From 81ccce865981064abf042ecf2593d9e1bc813ddb Mon Sep 17 00:00:00 2001 From: HE Chong Date: Fri, 13 Aug 2021 23:00:11 +0800 Subject: [PATCH 4/4] negative case where username doesn't exist now report exception as expected --- salt/common/tools/sbin/so-fleet-user-update | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/common/tools/sbin/so-fleet-user-update b/salt/common/tools/sbin/so-fleet-user-update index 7d266ff2f..e6a142d1d 100755 --- a/salt/common/tools/sbin/so-fleet-user-update +++ b/salt/common/tools/sbin/so-fleet-user-update @@ -34,6 +34,16 @@ MYSQL_PASS=$(lookup_pillar_secret mysql) FLEET_IP=$(lookup_pillar fleet_ip) FLEET_USER=$USER +# test existence of user +MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \ + "SELECT count(1) FROM users WHERE username='$FLEET_USER'" 2>/dev/null | tail -1) +if [[ $? -ne 0 ]] || [[ $MYSQL_OUTPUT -ne 1 ]] ; then + echo "Test for username [${FLEET_USER}] failed" + echo " expect 1 hit in users database, return $MYSQL_OUTPUT hit(s)." + echo "Unable to update Fleet user password." + exit 2 +fi + # Read password for new user from stdin test -t 0 if [[ $? == 0 ]]; then @@ -52,6 +62,7 @@ if [[ $? -ne 0 ]]; then exit 2 fi + MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \ "UPDATE users SET password='$FLEET_HASH', salt='' where username='$FLEET_USER'" 2>&1)