Updates to pwchange scripts (#6)

- Reworked pwchange scripts to recooperate after a failed password change attempt by using a user-seed.conf to reset password
- Converted Windows pwchange script from Batch to Powershell for better flexibility
- Added customization for scripts into inputs.conf so values that are unique to an environment can be leveraged without editing the scripts directly

Author: codingWithJimmy

README.md

@@ -81,13 +81,22 @@ index = _internal
 sourcetype = pw_change:output
 interval = -1
 source = pw_change_output
+splunkUserName = admin
+newPass = auto
+oldPass = changeme
+printPass = false
 
-[script://.\bin\pwchange.bat]
+[powershell://pwchange]
 disabled = 1
 index = _internal
 sourcetype = pw_change:output
 interval = -1
 source = pw_change_output
+script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\pwchange.ps1"
+splunkUserName = admin
+newPass = auto
+oldPass = changeme
+printPass = false
 ```
 
 ## Use-Cases
@@ -136,12 +145,12 @@ https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2
 ~~Windows - `dateTimeCorrect.ps1`\
 \*Nix - `dateTimeCorrect.sh`~~
 
-###### Update default 'changeme' password on Splunk Forwarders (primary installations before 7.1.0)
+###### Update local user password on Splunk Forwarders (primary installations before 7.1.0)
 Forwarders deployed before version 7.1.0 didn't require the admin password be changed upon installation. Starting at 7.1.0, the forwarders required either a user-seed file or manual input of the password during first-time run. While the REST API of the forwarder is not configured to allow POST requests until the password is changed on versions prior to 7.1.0, changing the password is still recommended.
 
-This app contains scripts for Windows and Linux forwarders that will allow either a static password or random password to be configured. By default, a random password is generated and printed into the log which is sent back to Splunk.
+The variables for the environment can be configured in inputs.conf when the app is deployed such as the Splunk username (default 'admin'), whether to automatically generate a random password or to set it explicitly (default 'auto'), the value of the old password (default 'changeme'), and whether or not to send the new password back in plain-text to Splunk (default 'false').
 
-Windows - `pwchange.bat`\
+Windows - `pwchange.ps1`\
 \*Nix - `pwchange.sh`
 
 ## Restarting the Forwarder

README/inputs.conf.spec

@@ -3,13 +3,47 @@
 [script:<uniqueName>]
 deploymentServerUri = [string]
 * Correct URI that should be configured
+* Default value is empty
 
 deploymentClientApp = [string]
 * App name that contains the correct deploymentclient.conf configuration
+* Default value is empty
+
+splunkUserName = [string]
+* Value representing the username configured on the Universal Forwarder
+* Default value is 'admin'
+
+newPass = {auto|string}
+* Value representing either a specified password to be configured or "auto"
+* Default value is 'auto'
+
+oldPass = [string]
+* Value representing the old password configured on the Universal Forwarder
+* Default is 'changeme'
+
+printPass = {true|false}
+* Determines if the new password that is generated will be sent to _internal
+* Default value is 'false''. Change to 'true' to print password into _internal
 
 [powershell:<uniqueName>]
 deploymentServerUri = [string]
 * Correct URI that should be configured with port
 
 deploymentClientApp = [string]
 * App name that contains the correct deploymentclient.conf configuration
+
+splunkUserName = [string]
+* Value representing the username configured on the Universal Forwarder
+* Default value is 'admin'
+
+newPass = {auto|string}
+* Value representing either a specified password to be configured or "auto"
+* Default value is 'auto'
+
+oldPass = [string]
+* Value representing the old password configured on the Universal Forwarder
+* Default is 'changeme'
+
+printPass = {true|false}
+* Determines if the new password that is generated will be sent to _internal
+* Default value is 'false''. Change to 'true' to print password into _internal

bin/appContext.sh

@@ -10,3 +10,11 @@ if [ "${SCRIPT_NAME}" = "dsRemove.sh" ]; then
   CORRECT_DS=$(${SPLUNK_HOME}/bin/splunk btool --app=$APP_NAME inputs list script://./bin/$SCRIPT_NAME | grep deploymentServerUri | sed "s/deploymentServerUri = //")
   CORRECT_APP=$(${SPLUNK_HOME}/bin/splunk btool --app=$APP_NAME inputs list script://./bin/$SCRIPT_NAME | grep deploymentClientApp | sed "s/deploymentClientApp = //")
 fi
+
+## Capture the configuration details for changing the local password
+if [ "${SCRIPT_NAME}" = "pwchange.sh" ]; then
+  SPLUNK_USER=$(${SPLUNK_HOME}/bin/splunk btool --app=$APP_NAME inputs list script://./bin/$SCRIPT_NAME | grep newPass | sed "s/splunkUserName = //")
+  NEWPASS=$(${SPLUNK_HOME}/bin/splunk btool --app=$APP_NAME inputs list script://./bin/$SCRIPT_NAME | grep newPass | sed "s/newPass = //")
+  OLDPASS=$(${SPLUNK_HOME}/bin/splunk btool --app=$APP_NAME inputs list script://./bin/$SCRIPT_NAME | grep oldPass | sed "s/oldPass = //")
+  PRINT_PASS=$(${SPLUNK_HOME}/bin/splunk btool --app=$APP_NAME inputs list script://./bin/$SCRIPT_NAME | grep printPass | sed "s/printPass = //")
+fi

bin/pwchange.bat

@@ -0,0 +1,96 @@
+### Grab variables from inputs.conf
+$BTOOL_INPUT = & $SPLUNKHOME\bin\splunk.exe cmd btool inputs list powershell://pw_change
+$SPLUNK_USER_NAME = ($BTOOL_INPUT | findstr splunkUserName).Split(" ")[2]
+$NEW_PASS_SETTING = ($BTOOL_INPUT | findstr newPass).Split(" ")[2]
+$OLD_PASS_SETTING = ($BTOOL_INPUT | findstr oldPass).Split(" ")[2]
+$PRINT_PASS_SETTING = ($BTOOL_INPUT | findstr printPass).Split(" ")[2]
+
+### Configure file paths for the checkpoint
+$PW_CHANGED = "$SPLUNKHOME\etc\pw_changed"
+$PW_CHECK = (Test-Path -Path "$PW_CHANGED")
+
+### Function for generation of a random password
+Function GeneratePassword
+{
+    $MinimumPasswordLength = 12
+    $MaximumPasswordLength = 16
+    $PasswordLength = Get-Random -InputObject ($MinimumPasswordLength..$MaximumPasswordLength)
+    $AllowedPasswordCharacters = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!?@#£$%^&'
+    $Regex = "(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)"
+
+    do {
+            $Password = ([string]($AllowedPasswordCharacters |
+            Get-Random -Count $PasswordLength) -replace ' ')
+       }    until ($Password -cmatch $Regex)
+
+    $Password
+
+}
+
+### Filter to attach timestamps where necessary
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff zzz') ${env:COMPUTERNAME}: $_"}
+
+### Check to see if there is a pw_changed file under $SPLUNKHOME\etc and bail out if there is
+if ( $PW_CHECK -eq "True" )
+{
+    Write-output "Splunk account password was already changed." | timestamp
+    Exit
+}
+
+### Capture the current password hash to check for a successful change
+$PASS_HASH_GET = Get-ChildItem $SPLUNKHOME\etc\passwd | select-string $SPLUNK_USER_NAME
+$OLD_HASH = ($PASS_HASH_GET -Split {$_ -eq ":"}) | findstr "\$"
+
+### Set random password if newPass is "auto"
+if ( $NEW_PASS_SETTING -eq "auto" )
+{
+    Write-output "Configuring random password..." | timestamp
+    $NEWPASS = (GeneratePassword)
+    $OLDPASS = $OLD_PASS_SETTING
+    if ( $PRINT_PASS_SETTING -eq "true" -or $PRINT_PASS_SETTING -eq "1" )
+    {
+        Write-output "New password: ${NEWPASS}" | timestamp
+    }
+    & ${SPLUNKHOME}\bin\splunk edit user ${SPLUNK_USER_NAME} -password ${NEWPASS} -auth ${SPLUNK_USER_NAME}:${OLDPASS} 2>$null
+    $NEW_HASH_GET = Get-ChildItem $SPLUNKHOME\etc\passwd | select-string $SPLUNK_USER_NAME
+    $NEW_HASH = ($NEW_HASH_GET -Split {$_ -eq ":"}) | findstr "\$"
+    if ( $NEW_HASH -ne $OLD_HASH ) {
+        Write-output "Password changed." | timestamp
+        Out-File -FilePath "$PW_CHANGED"
+    } else {
+        Write-output "Password change failed. Creating user-seed.conf." | timestamp
+        Rename-Item -Path $SPLUNKHOME\etc\passwd -NewName $SPLUNKHOME\etc\passwd.bak
+        "[user_info]" | Out-File -FilePath $SPLUNKHOME\etc\system\local\user-seed.conf
+        "USERNAME = ${SPLUNK_USER_NAME}" | Out-File -FilePath $SPLUNKHOME\etc\system\local\user-seed.conf -Append
+        "PASSWORD = ${NEWPASS}" | Out-File -FilePath $SPLUNKHOME\etc\system\local\user-seed.conf -Append
+        Out-File -FilePath "$PW_CHANGED"
+    }
+}
+
+### Set configured password if newPass is not "auto"
+if ( $NEW_PASS_SETTING -ne "auto" )
+{
+    Write-output "Configuring specific password..." | timestamp
+    $NEWPASS = $NEW_PASS_SETTING
+    $OLDPASS = $OLD_PASS_SETTING
+    if ( $PRINT_PASS_SETTING -eq "true" -or $PRINT_PASS_SETTING -eq "1" )
+    {
+        Write-output "New password: '$NEWPASS'" | timestamp
+    }
+    & ${SPLUNKHOME}\bin\splunk edit user ${SPLUNK_USER_NAME} -password ${NEWPASS} -auth ${SPLUNK_USER_NAME}:${OLDPASS} | Out-Null
+    $NEW_HASH_GET = Get-ChildItem $SPLUNKHOME\etc\passwd | select-string $SPLUNK_USER_NAME
+    $NEW_HASH = $NEW_HASH_GET -Split {$_ -eq ":"} | findstr "\$"
+
+    if ( $NEW_HASH -ne $OLD_HASH )
+    {
+        Write-output "Password changed." | timestamp
+        Out-File -FilePath "$PW_CHANGED"
+    } else {
+        Write-output "Password change failed. Creating user-seed.conf." | timestamp
+        Rename-Item -Path $SPLUNKHOME\etc\passwd -NewName $SPLUNKHOME\etc\passwd.bak
+        "[user_info]" | Out-File -FilePath "$SPLUNKHOME\etc\system\local\user-seed.conf"
+        "USERNAME = $SPLUNK_USER_NAME" | Out-File -FilePath "$SPLUNKHOME\etc\system\local\user-seed.conf" -Append
+        "PASSWORD = $NEWPASS" | Out-File -FilePath "$SPLUNKHOME\etc\system\local\user-seed.conf" -Append
+        Out-File -FilePath "$PW_CHANGED"
+    }
+}

bin/pwchange.ps1

@@ -1,35 +1,43 @@
 #!/bin/bash
-# Define the original and new passwords here. To have a password automatically generated, set NEWPASS to 'auto'
-OLDPASS=changeme
-NEWPASS=auto
-
-# Configure if the random password generated should be printed into the output that is sent back to Splunk. Default is "0" which means it's NOT printed. Change to "1" to print.
-PRINT_PASS=0
+## Run appContext to capture details from inputs stanza
+. $(dirname $0)/appContext.sh
 
 # Look for the checkpoint file and error out if it exists
-if [ -f $SPLUNK_HOME/etc/pwd_changed ]
-then
-        echo $(date -R) $HOSTNAME: Splunk account password was already changed.
-        exit
+if [ -f $SPLUNK_HOME/etc/pwd_changed ]; then
+  echo $(date -R) $HOSTNAME: Splunk account password was already changed.
+  exit
 fi
 
-if [ "$NEWPASS" = "auto" ]
-then
+# Generate a random password if newPass is set to "auto" in inputs.conf
+if [ "$NEWPASS" = "auto" ]; then
 	NEWPASS=$(head -c 500 /dev/urandom | sha256sum | base64 | head -c 16 ; echo)
-	if [ "$PRINT_PASS" = "0" ]; then
-		NEWPASSAUTO=$(echo "Automatic password: $NEWPASS")
-	else
-		NEWPASSAUTO=$(echo "Automatic password: **************")
-	fi
 fi
+if [ "$PRINT_PASS" = "1" ] || [ "$PRINT_PASS" = "true" ]; then
+  echo "$(date -R) $HOSTNAME: New password: $NEWPASS"
+fi
+
+# Capture current user password hash
+OLD_PASS_HASH=$(cat $SPLUNK_HOME/etc/passwd | grep $SPLUNK_USER | sed "s/:/ /g" | awk '{ print $2 }')
 
-# Change the password
-$SPLUNK_HOME/bin/splunk edit user admin -password $NEWPASS -auth admin:$OLDPASS > /dev/null 2>&1
+# Attempt to change the password with the provided password in inputs.conf
+$SPLUNK_HOME/bin/splunk edit user $SPLUNK_USER -password $NEWPASS -auth $SPLUNK_USER:$OLDPASS > /dev/null 2>&1
 
-# Check splunkd.log for any error messages relating to login during the script and determine whether the change was successful or not
-CHANGED=$(tail -n 10 $SPLUNK_HOME/var/log/splunk/splunkd.log | grep pwchange | grep Login)
-if [ -z "$CHANGED" ]; then
+# Capture the user password hash to see if it changed
+NEW_PASS_HASH=$(cat $SPLUNK_HOME/etc/passwd | grep $SPLUNK_USER | sed "s/:/ /g" | awk '{ print $2 }')
+
+# Compare the old user hash to the new user hash and generate a user-seed.file if they still match
+if [ "$OLD_PASS_HASH" != "$NEW_PASS_HASH" ]; then
 	echo "$(date -R) $HOSTNAME: Splunk account password successfully changed. $NEWPASSAUTO"
+  touch $SPLUNK_HOME/etc/pwd_changed
 else
-	echo $(date -R) $HOSTNAME: Splunk account login failed. Old password is not correct for this host.
+	echo $(date -R) $HOSTNAME: Password change failed. Creating user-seed.conf.
+  mv "$SPLUNK_HOME/etc/passwd" "$SPLUNK_HOME/etc/password.backup."
+  cat <<<EOF "$SPLUNK_HOME/etc/system/local/user-seed.conf"
+  [user-info]
+  USERNAME = $SPLUNK_USER
+  PASSWORD = $NEWPASS
+
+  EOF
+  touch $SPLUNK_HOME/etc/pwd_changed
+  rm $APP_PATH/bin/DeleteMeToRestart
 fi

bin/pwchange.sh

@@ -9,4 +9,4 @@ is_visible = false
 is_manageable = false
 
 [launcher]
-version = 2.0.0
+version = 2.1.0

default/app.conf

@@ -70,10 +70,19 @@ index = _internal
 sourcetype = pw_change:output
 interval = -1
 source = pw_change_output
+splunkUserName = admin
+newPass = auto
+oldPass = changeme
+printPass = false
 
-[script://.\bin\pwchange.bat]
+[powershell://pwchange]
 disabled = 1
 index = _internal
 sourcetype = pw_change:output
 interval = -1
 source = pw_change_output
+script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\pwchange.ps1"
+splunkUserName = admin
+newPass = auto
+oldPass = changeme
+printPass = false