Updates to pwchange.bat and pwchange.sh

codingWithJimmy · codingWithJimmy · commit 122ba4036b01 · 2020-01-16T16:48:10.000-05:00
Updated password change scripts to not print the automatically-generated password by default.
diff --git a/bin/pwchange.bat b/bin/pwchange.bat
@@ -3,6 +3,9 @@ REM Define the original and new passwords here. To use automatic password genera
 SET OLDPASS=changeme
 SET NEWPASS=auto
 
+REM Configure if the random password generated should be printed into the output that is sent back to Splunk. Default is "0" which means it's NOT printed. Change to "1" to print.
+SET PRINT_PASS=0
+
 REM Settings for automatic password generation. Not used if NEWPASS is not set to 'auto'
 Setlocal EnableDelayedExpansion
 SET _RNDLength=16
@@ -58,7 +61,11 @@ IF NOT "%LOGIN%"=="Failed" (
 REM Create the checkpoint file and log success. This will print the password in the log message passed back to Splunk.
 :AUTOSUCCESS
 echo %date% %time% %HOST%: Splunk account password successfully changed. > "%CHECKPOINT%"
+IF NOT "%PRINT_PASS%"=="0" (
 echo %date% %time% %HOST%: Splunk account password successfully changed. Automatic password: %NEWPASS%
+) ELSE (
+echo "%date% %time% %HOST%: Splunk account password successfully changed. Automatic password: **********"
+)
 exit
 
 REM Create the checkpoint file and log success.
diff --git a/bin/pwchange.sh b/bin/pwchange.sh
@@ -3,6 +3,9 @@
 OLDPASS=changeme
 NEWPASS=auto
 
+# Configure if the random password generated should be printed into the output that is sent back to Splunk. Default is "0" which means it's NOT printed. Change to "1" to print.
+PRINT_PASS=0
+
 # Look for the checkpoint file and error out if it exists
 if [ -f $SPLUNK_HOME/etc/pwd_changed ]
 then
@@ -13,18 +16,20 @@ fi
 if [ "$NEWPASS" = "auto" ]
 then
 	NEWPASS=$(head -c 500 /dev/urandom | sha256sum | base64 | head -c 16 ; echo)
-	NEWPASSAUTO=$(echo Automatic password: $NEWPASS)
+	if [ "$PRINT_PASS" = "0" ]; then
+		NEWPASSAUTO=$(echo "Automatic password: $NEWPASS")
+	else
+		NEWPASSAUTO=$(echo "Automatic password: **************")
+	fi
 fi
 
 # Change the password
 $SPLUNK_HOME/bin/splunk edit user admin -password $NEWPASS -auth admin:$OLDPASS > /dev/null 2>&1
 
 # Check splunkd.log for any error messages relating to login during the script and determine whether the change was successful or not
 CHANGED=$(tail -n 10 $SPLUNK_HOME/var/log/splunk/splunkd.log | grep pwchange | grep Login)
-if [ -z "$CHANGED" ]
-then
-	echo $(date -R) $HOSTNAME: Splunk account password successfully changed. $NEWPASSAUTO
-	echo $(date -R) $HOSTNAME: Splunk account password successfully changed. > $SPLUNK_HOME/etc/pwd_changed
+if [ -z "$CHANGED" ]; then
+	echo "$(date -R) $HOSTNAME: Splunk account password successfully changed. $NEWPASSAUTO"
 else
 	echo $(date -R) $HOSTNAME: Splunk account login failed. Old password is not correct for this host.
 fi
