Azkabahn

Members
  • Content Count

    153
  • Joined

  • Last visited

  • Days Won

    2

Everything posted by Azkabahn

  1. Thanks for this workaround. We have been looking too far for such an issue. Also, it would be great if you would consider adding this as a feature request.
  2. Hello, This is why we asked for an option to select which script to use. This option would let us use a modified script that suits our needs. Anyway, thank you for your help. We'll be waiting for your reply.
  3. Probably because it is not widely used for *NIX. The main issue is in the logic when changing the password for root with a privileged account:

         #If we are using a Privileged Account credential to reset the root account (because you are not allows to SSH in with root), then the reset command needs to pass the old password value for root instead.
         #This would only be required if the Sudoers file has been modified with following command - Defaults:<username> rootpw, where Username is the Privileged Account Credential being used to reset the root account.
         if ($UserName -eq 'root') {
             $ResetCmd = "echo -e $'$OldPassword\n$NewPassword\n$NewPassword' | sudo -S passwd $UserName"
         } else {
             $ResetCmd = "echo -e $'$PrivilegedAccountPassword\n$NewPassword\n$NewPassword' | sudo -S passwd $UserName"
         }

     As you can see, it will "drop in" to the first if statement, because the user is root (however, that is the account whose password has to be changed, not the account that is used to connect). So in this statement it will do "sudo" and provide the "old password" (root), and sudo on Linux is not expecting this; it is asking for the privileged user's password (it has sudo rights, but it needs his password).

     Basically it would work if it were in the "else" clause, or if the first "if" had:

         $ResetCmd = "echo -e $'$PrivilegedAccountPassword\n$NewPassword\n$NewPassword' | sudo -S passwd $UserName"

     You do not need the old password of root if you have a privileged account that is allowed to sudo.

     Regards, Algirdas
  4. I see. Would you mind sharing what is the reason for not allowing to pre-select reset script? I will get back with the details why the inbuilt script did not work.
  5. Hi, it's a bit confusing, but let me start from scratch:

     • I add a Linux host via the PasswordState API
     • As an account discovery job, I select "Linux and Mac Accounts Discovery Job"
     • I configure that job to discover only the "root" account
     • I run the script and it successfully adds the record into the "Linux Account" password list.
     • In the "Password Reset Scripts" section I have added my own script with the name "Change root pass Linux"

     Now, the issue is that I have a record in my PasswordList, but the assigned password reset script is not my own script. Where and how could I automatically assign that? I know it's possible to update that using the bulk update functionality, but perhaps there is an automatic way for that.
  6. Hi, I have figured it out. Our own script will automatically add hosts to PasswordState via the API. Another question: I have successfully added several hosts, and account discovery works fine as well. Now, is there a way to assign a default password reset script instead of clicking on each discovered account and selecting which script to use?
  7. Hi, I am using a discovery job for Windows machines which are joined to AD. Now, I want to use a discovery job for Linux machines as well. The issue is that the Linux servers are not joined to the domain, although they use AD authentication. What would be the workarounds or suggestions for how to import and regularly update hosts in PasswordState?
  8. Hi, no need for testing. Any website will do for that. My idea behind it was exactly that PasswordState takes care of that. PasswordState already knows the website, my username, and password. So if I click to save it, it could notify that there is a duplicate or similar record and ask the user if he wants to update the record.
  9. Hi, I would like to propose a feature request for the browser plugin. I wouldn't call it an issue, but for some people, it's a bit confusing and creates a little bit of mess. I will try to describe the scenario that I am proposing:

     1. I have a password list prepared for saving credentials to the websites
     2. There is already a record created for "example.com" with username "test01"
     3. I log in to example.com and change my current password to new one
     4. Log out of website
     5. I try to login with user "test01" and new password
     6. PasswordState browser plugin pops up, I click save password
     7. On the screen, I select the password list where it has a record for "example.com"
     8. Now, instead of creating a new record would it be possible to update existing record?

     So, would it be possible to consider point #8 as a feature request?
  10. Sorry, I do have SQL Transactional Replication in production, but haven't tested it yet. It's quite sensitive for such testing. In the development environment, I have primary and HA instances, but they are both using the same backend. That probably explains why it happens. So in production, according to your description, it should be fine.
  11. Hi, I am having some difficulties trying to work out the version upgrade workflow. My setup is "similar" to what is proposed in "High_Availability_Installation_Instructions.pdf". With load balancers in front, I can redirect users to the HA instance (read-only) when the primary instance is in maintenance mode and I am about to do an upgrade. The issue is that when I enable maintenance mode it's being set in the HA instance as well. Is there a way to leave the HA instance active while the upgrade is in process?
  12. Well, in my case, we have done several integrations with continuous deployment tools and it generates a huge amount of logs. PasswordState doesn't perform well when it has millions of records in the audit table. On the other hand, we have requirements in place to keep the logs of all actions being done. With ELK/Splunk you could very easily build dashboards for various metrics etc., not to mention use it for logs offloading.
  13. I will jump ahead and drop this one. I have been looking around into this topic for some time already. In our organization, we use the ELK stack to quite a significant extent. I do have a free version of Splunk, but I haven't tried to point the logs there. The problem with using the syslog protocol is that the data is not structured and therefore it is difficult to write filters for it. The best option, for now, is to use something like this: https://qbox.io/blog/migrating-mysql-data-into-elasticsearch-using-logstash
  14. Hi, I see more and more requests internally that it would be very helpful if the option on the password list level "Hide Passwords from Non-Admin users, and disable copy-to-clipboard feature" could include users with modify rights. So basically users with admin and modify rights can view the password values.
  15. Hi Buckit, do you process the audit logs in the external box? Or you just simply offload all the logs and do not care?
  16. What Buckit is saying is very true as well in some cases. This kind of logging would make life a bit easier for security admins doing an investigation. In some cases, the users complain that something is wrong after quite some time and it's really difficult to trace back and figure out what has been changed. The only option is to restore the backup to a test instance and do the comparison :)
  17. Hi, we have faced some trouble trying to understand what exact changes were made in the password list properties. Would it be possible to get a bit more verbose output of what has changed in the properties of a password list? As an example:

      • If a user updates the IP whitelisting, it would be great if this were indicated.
      • If the user has renamed the list, the line could include something like "password list X renamed to Y".
      • If the user enabled/disabled some of the options in the password list properties, that would be good to know as well.

      All of this info can be retrieved from the user, but it takes time to question the user and sometimes they don't even remember what changes they have made.
  18. Hi, regarding the file transfer - it doesn't have to continue. I see it almost similar to the backup procedure. You click "transfer" and it sends all the files to HA, if you don't want to do that you transfer the files on your own.
  19. Another great feature would be to get such logs in JSON format.
  20. Hi, I would like to start this thread to get some insights into whether any of the other customers are using an external syslog server to ship the logs from PasswordState. I am using the ELK stack. Currently I am trying to create custom filters in Kibana to filter out the logs from PasswordState. I have a question: does PasswordState always include the "Passwordstate" value in the logs that are being sent to the syslog server?

          host:X.X.X.X
          @timestamp:September 12th 2017, 17:17:29.728
          @version:1
          message:<110>2017-09-12 16:15:52 X.X.X.X Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address 'X.X.X.X'. Client IP Address = X.X.X.X
          _id:AV_aAXYurEipAt82YaPZ
          _type:logs
          _index:%{type}-2017.11.20
          _score: -

      Feature Request - it would be great to have support for TCP ports
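
The structured-logging need raised in posts 13, 19 and 20, as an added example that is not part of the original posts and is not Passwordstate's own code: a Python parser that turns the syslog message shown in post 20 into named fields and counts failed logins per UserID. The message layout is inferred from that single sample, the presence of the `Passwordstate` tag on every message is an assumption (it is the open question in the post), and the sample lines are constructed.

```python
import re
from collections import Counter

# Header layout taken from the one sample in the post: <PRI>date time host tag: text
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<text>.*)$")
# The only event wording shown on the page; anything else is kept as "other".
FAILED_LOGIN = re.compile(
    r"^Failed '(?P<auth_type>[^']+)' login attempt for UserID '(?P<user>[^']*)' "
    r"from the IP Address '(?P<src_ip>[^']*)'\."
    r"(?: Client IP Address = (?P<client_ip>\S+))?")

def parse_line(line, expected_tag="Passwordstate"):
    """Return structured fields, or None when the line lacks the expected tag."""
    m = HEADER.match(line.strip())
    if not m or m["tag"] != expected_tag:
        return None
    pri = int(m["pri"])  # syslog PRI = facility * 8 + severity
    event = {"timestamp": m["ts"], "host": m["host"], "facility": pri >> 3,
             "severity": pri & 7, "event": "other", "message": m["text"]}
    login = FAILED_LOGIN.match(m["text"])
    if login:
        event.update(event="failed_login", **login.groupdict())
    return event

def failed_logins_by_user(lines):
    """Count failed logins per UserID across raw syslog lines."""
    events = filter(None, map(parse_line, lines))
    return Counter(e["user"] for e in events if e["event"] == "failed_login")

# Constructed sample lines: documentation IP ranges, made-up second user and texts.
SAMPLE = [
    "<110>2017-09-12 16:15:52 192.0.2.10 Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address '198.51.100.7'. Client IP Address = 198.51.100.7",
    "<110>2017-09-12 16:15:58 192.0.2.10 Passwordstate: Failed 'Forms Based' login attempt for UserID 'n.lastname' from the IP Address '198.51.100.7'. Client IP Address = 198.51.100.7",
    "<110>2017-09-12 16:16:30 192.0.2.10 Passwordstate: Failed 'Forms Based' login attempt for UserID 'a.other' from the IP Address '198.51.100.9'. Client IP Address = 198.51.100.9",
    "<110>2017-09-12 16:17:02 192.0.2.10 Passwordstate: placeholder text for some other audit event",
    "<38>2017-09-12 16:17:05 192.0.2.10 sshd: unrelated line from another service",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_line(raw))
    print(failed_logins_by_user(SAMPLE))
```

Events whose wording is not covered keep their full text in `message`, so nothing is dropped while further patterns are added.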
  21. Hi, well, it's not an issue per se. Let me start by saying that I cannot think of any logical reason why primary and HA instances should be on different versions; there are preprod and dev environments for that. Having that in mind, the copying of files across the servers is just annoying and it just asks to be fully automated. I don't see how different this is from setting up the account for backup. When the admin is setting up an account to perform backups he might as well add additional access for it to access the HA instance. Regarding the Transactional Replication, what we have done is that we have 5 SQL procedures that are fully automated and take care of removing the replica and then bringing it up again.
  22. Hi, do you plan on having a bit smoother HA instance upgrade workflow? At the moment all this file moving and copying things across the servers takes too much effort compared to the number of releases you produce. On the contrary, I am happy with your fast delivery and fixes.
  23. Hi, do you plan to add an option to change the logo in the PasswordState Password Reset portal? Or some additional branding options?
  24. Great! Do you have a theoretical estimate on this feature?