SFTP upload broken due to dollar sign(s) in openssl-encrypted password #110
Assignees
Comments
mmguero
added
bug
mmguero
added a commit
to mmguero-dev/Malcolm
that referenced
this issue
Aug 1, 2022
…-encrypted password
|
Fixed for v6.2.0 |
This was referenced Aug 3, 2022
Merged
mmguero
added a commit
that referenced
this issue
Aug 3, 2022
merge v6.2.0 development into main
* Improvements
- #109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
+ give option to disable capture interface hardware offloading and adjust ring buffer sizes for standalone Malcolm capture
+ Zeek and Suricata images are now configured to not drop privileges at init (in order to be able to set permissions for network capture), but supervisord will drop privileges for all of its child processes before they execute to maintain security posture
+ include headers needed to build Zeek af_packet plugin in Zeek docker container
+ updated README to describe methods for capturing local traffic with standalone Malcolm
+ same images will be used for `zeek` and `zeek-live` containers, as well as for `suricata` and `suricata-live` containers, respectively
+ use the same scripts `zeekdeploy.sh` to configure and run Zeek on both Hedgehog and in the Malcolm `zeek` docker images
+ prevent "live" and "non-live" Zeek containers from both trying to update intel indicators at the same time
- Speed up build time by getting official Debian suricata packages from backports rather than building from source
- Added Suricata rule update cron jobs
- Added documentation (in the form of comments) to all docker-compose file variables
* Bugs
- Fix #107: expand action/result meaning in DNP3 (and other?) dashboards
- Clean up some `Nul` values that could appear in Zeek logs
- improve mapping of BACnet actions
- Fix #108: export PCAP not working from Arkime sessions without "Arkime Sessions"
- Fix #110: SFTP upload broken due to dollar sign(s) in openssl-encrypted password
+ prompt in `install.py --configure` whether or not to expose this port to external hosts
- Fix an issue that could prevent some zeek logs from being parsed correctly if they contained non-ASCII charactters
mmguero
added a commit
to cisagov/Malcolm
that referenced
this issue
Aug 3, 2022
merge v6.2.0 into main
* Improvements
- idaholab#109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
+ give option to disable capture interface hardware offloading and adjust ring buffer sizes for standalone Malcolm capture
+ Zeek and Suricata images are now configured to not drop privileges at init (in order to be able to set permissions for network capture), but supervisord will drop privileges for all of its child processes before they execute to maintain security posture
+ include headers needed to build Zeek af_packet plugin in Zeek docker container
+ updated README to describe methods for capturing local traffic with standalone Malcolm
+ same images will be used for `zeek` and `zeek-live` containers, as well as for `suricata` and `suricata-live` containers, respectively
+ use the same scripts `zeekdeploy.sh` to configure and run Zeek on both Hedgehog and in the Malcolm `zeek` docker images
+ prevent "live" and "non-live" Zeek containers from both trying to update intel indicators at the same time
- Speed up build time by getting official Debian suricata packages from backports rather than building from source
- Added Suricata rule update cron jobs
- Added documentation (in the form of comments) to all docker-compose file variables
* Bugs
- Fix idaholab#107: expand action/result meaning in DNP3 (and other?) dashboards
- Clean up some `Nul` values that could appear in Zeek logs
- improve mapping of BACnet actions
- Fix idaholab#108: export PCAP not working from Arkime sessions without "Arkime Sessions"
- Fix idaholab#110: SFTP upload broken due to dollar sign(s) in openssl-encrypted password
+ prompt in `install.py --configure` whether or not to expose this port to external hosts
- Fix an issue that could prevent some zeek logs from being parsed correctly if they contained non-ASCII charactters
This was referenced Sep 7, 2022
mmguero
added a commit
that referenced
this issue
Sep 7, 2022
* New Features
* Support remote OpenSearch instance/cluster as alternative to local containerized instance (#110)
* Documentation and convenience scripts for configuring ingestion of third-party logs, and basic parsing/normalizing of Fluent-Bit's Windows event logs
* S7comm Plus support and replaced Amazon S7comm parser with icsnpp-s7comm (#99)
* Version Bumps
* OpenSearch and OpenSearch Dashboards to v2.2.1
* Zeek to v5.0.1
* Spicy to v1.5.1
* spicy-plugin to v1.3.17
* YARA to v4.2.3
* Capa to v4.0.1
* Improvements
* Major improvements to OPC UA Binary parser and supporting dashboards
* Ensure that all containers are provided the same information about trusted CA certificates
* changed list of "sensitive countries" to match U.S. Department of Energy Sensitive Country List
* Increased maximum fields from 3,000 to 5,000
* Standardized configuration and authentication for primary and secondary remote OpenSearch instances, and make sure that index templates are created on secondary remote OpenSearch instances
* Expand and fix normalization of [network.direction](https://www.elastic.co/guide/en/ecs/current/ecs-network.html#field-network-direction) in lieu of using tags
* Various tweaks and improvements to the `install.py` script for enabling/disabling some features
* Bugs Fixed
* fields could be missing in Arkime due to a large number of concurrent requests (#115)
* mapper_parsing_exception, TCP flag parsing problem (cisagov#214)
mmguero
added a commit
to cisagov/Malcolm
that referenced
this issue
Sep 7, 2022
* New Features
* Support remote OpenSearch instance/cluster as alternative to local containerized instance (idaholab#110)
* Documentation and convenience scripts for configuring ingestion of third-party logs, and basic parsing/normalizing of Fluent-Bit's Windows event logs
* S7comm Plus support and replaced Amazon S7comm parser with icsnpp-s7comm (idaholab#99)
* Version Bumps
* OpenSearch and OpenSearch Dashboards to v2.2.1
* Zeek to v5.0.1
* Spicy to v1.5.1
* spicy-plugin to v1.3.17
* YARA to v4.2.3
* Capa to v4.0.1
* Improvements
* Major improvements to OPC UA Binary parser and supporting dashboards
* Ensure that all containers are provided the same information about trusted CA certificates
* changed list of "sensitive countries" to match U.S. Department of Energy Sensitive Country List
* Increased maximum fields from 3,000 to 5,000
* Standardized configuration and authentication for primary and secondary remote OpenSearch instances, and make sure that index templates are created on secondary remote OpenSearch instances
* Expand and fix normalization of [network.direction](https://www.elastic.co/guide/en/ecs/current/ecs-network.html#field-network-direction) in lieu of using tags
* Various tweaks and improvements to the `install.py` script for enabling/disabling some features
* Bugs Fixed
* fields could be missing in Arkime due to a large number of concurrent requests (idaholab#115)
* mapper_parsing_exception, TCP flag parsing problem (#214)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I just discovered an issue with the way docker interprets environment variables passed in from .env files.
For the SFTP PCAP upload, the
file-upload/docker-entrypoint.shscript sets the user for the sftp upload using theMALCOLM_USERNAMEandMALCOLM_PASSWORDenvironment variables.However, openssl generates an encrypted password that looks something like
$1$o74qn1nt$PRB/XhSybr4k98Y7Fqy9l/. This environment variable doesn't come across "cleanly" to theuploadservice container, so the SFTP login fails.To fix this, the
auth_setupscript (control.py) is going to base64-encode the value of this environment variable, then the entrypoint for the upload container will decode it.The text was updated successfully, but these errors were encountered: