Sguil & Squert password reset


Jason Wallace

Jan 27, 2012, 9:10:30 AM
to securit...@googlegroups.com
How do you reset the password for Sguil & Squert? When I left work
last night the username/password worked and now it isn't working. Not
sure what would cause this.

Scott Runnels

Jan 27, 2012, 10:16:50 AM
to securit...@googlegroups.com
Hi Jason,

You can re-add a user with:
sguild-add-user USERNAME PASSWORD

I'm looking into if it's possible (or recommended) to change the password in the securityonion_db.user_info.password but wanted to get you a quick reply so you could get back into sguil and squert. 


v/r
Scott
--
Scott Runnels


Jason Wallace

Jan 27, 2012, 10:19:11 AM
to securit...@googlegroups.com
That worked great, thx!

Doug Burks

Jan 29, 2012, 10:46:35 PM
to securit...@googlegroups.com
If you'd rather not put your Sguil password into your bash history,
then you can try nsm_server_user-add. It's an interactive wrapper
around sguild-add-user.

Thanks,
Doug


On Fri, Jan 27, 2012 at 10:19 AM, Jason Wallace <jason.r...@gmail.com> wrote:
> That worked great, thx!
>
> On Fri, Jan 27, 2012 at 10:16 AM, Scott Runnels <srun...@gmail.com> wrote:
>> Hi Jason,
>>
>> You can readd a user with:
>> sguild-add-user USERNAME PASSWORD
>>
>> I'm looking into if it's possible (or recommended) to change the password in
>> the securityonion_db.user_info.password but wanted to get you a quick reply
>> so you could get back into sguil and squert.
>>
>>
>> v/r
>> Scott
>>
>>
>> On Fri, Jan 27, 2012 at 9:10 AM, Jason Wallace <jason.r...@gmail.com>
>> wrote:
>>>
>>> How do you reset the password for Sguil & Squert? When I left work
>>> last night the username/password worked and now it isn't working. Not
>>> sure what would cause this.
>>
>>
>>
>>
>> --
>> Scott Runnels
>>
>>

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org
Please vote for Security Onion for 2011 Toolsmith Tool of the Year! |
http://goo.gl/PwTDi

Liam Randall

Jan 29, 2012, 10:53:38 PM
to securit...@googlegroups.com
Jason,

You can use "history -c" to clear your history if you have concerns about leaving your password there.

Liam

Scott Runnels

Jan 29, 2012, 11:20:34 PM
to securit...@googlegroups.com
I almost added a note for him to whack the space bar a couple times before entering the command so it wouldn't go to .bash_history *facepalm*

Scott
--
Scott Runnels
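
Added example, not part of the thread or of Security Onion: a shell sketch that checks what actually reached a history file on disk after "sguild-add-user USERNAME PASSWORD" was typed, removes those lines, and tests whether the leading-space trick applies (bash only skips space-prefixed commands when HISTCONTROL contains ignorespace or ignoreboth). The function names and the sample history lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shell history file for "sguild-add-user USERNAME PASSWORD".
# The pattern needs two arguments after the command, so the interactive
# nsm_server_user-add / nsm_server_user-passwd wrappers never match.
PATTERN='(^|[[:space:]/])sguild-add-user[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+'

# Print how many lines of history file $1 carry a password on the command line.
count_sguil_secrets() {
    grep -Ec "$PATTERN" "$1" || true   # grep exits 1 on zero matches; the count is still printed
}

# Rewrite history file $1 in place without the offending lines.
scrub_sguil_history() {
    tmp=$(mktemp "$1.XXXXXX") || return 1    # mktemp creates the file with mode 0600
    grep -Ev "$PATTERN" "$1" > "$tmp" || true
    cat "$tmp" > "$1"                        # overwrite contents, keep owner and mode
    rm -f "$tmp"
}

# Succeed if HISTCONTROL value $1 makes bash skip space-prefixed commands.
# Call it from the interactive shell: space_prefix_hidden "$HISTCONTROL"
space_prefix_hidden() {
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
    esac
    return 1
}

# Write a constructed history file to $1 (sample data, not from a real host).
make_sample_history() {
    cat > "$1" <<'EOF'
sudo service nsm status
sguild-add-user analyst1 Examplepass1
sudo /usr/bin/sguild-add-user analyst2 Examplepass2
sudo nsm_server_user-add
sguild-add-user
EOF
}

demo() {
    f=$(mktemp) || return 1
    make_sample_history "$f"
    echo "lines with a password before scrub: $(count_sguil_secrets "$f")"
    scrub_sguil_history "$f"
    echo "lines with a password after scrub:  $(count_sguil_secrets "$f")"
    rm -f "$f"
}
demo
```

"history -c" only clears the running shell's in-memory list, so run the count against ~/.bash_history as well; a password that has been exposed this way is best changed with the interactive wrapper.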


Mark Moore

Nov 13, 2013, 9:51:15 AM
to securit...@googlegroups.com

I had a question about using the command "sguild-add-user USERNAME PASSWORD" in order to reset a password. Will that just update the current user account or will it add a second account for user?

Thx.

Doug Burks

Nov 13, 2013, 10:04:04 AM
to securit...@googlegroups.com
Hi Mark,

If you want to reset a user's Sguil/Squert/ELSA password, you can use
the following command:
sudo nsm_server_user-passwd

http://blog.securityonion.net/2013/08/new-securityonion-packages.html

--
Doug Burks
http://securityonion.net

Mark Moore

Nov 13, 2013, 10:09:40 AM
to securit...@googlegroups.com
On Friday, January 27, 2012 9:10:30 AM UTC-5, Wally wrote:

Thx!!

Mark Moore

Jan 31, 2014, 1:17:23 PM
to securit...@googlegroups.com
Today, I tried the command nsm_server_user-add and received a successful password change from the cli. However, when the user tries to login to ELSA or Squert, it's not working. Any thoughts?

Thx.

Doug Burks

Feb 1, 2014, 8:30:37 AM
to securit...@googlegroups.com
Hi Mark,

Replies inline.

On Fri, Jan 31, 2014 at 1:17 PM, Mark Moore <tornado...@gmail.com> wrote:
> Today, I tried the command nsm_server_user-add and received a successful password change from the cli.

nsm_server_user-add or nsm_server_user-passwd?

> However, when the user tries to login to ELSA or Squert, it's not working. Any thoughts?

Was the password at least 6 characters?

Did the password contain only alphanumeric characters?


--
Doug Burks

Mark Moore

Feb 3, 2014, 10:46:32 AM
to securit...@googlegroups.com
What's the command to remove user account from squil/ELSA? Not seeing it in the WIKI.

Thx.

Doug Burks

Feb 3, 2014, 11:04:28 AM
to securit...@googlegroups.com
sguild doesn't have an option to delete a user account:

sguild --help
Usage: /usr/bin/sguild [-D] [-h] [-c <filename>] [-P <filename>]
                       [-O <filename>] [-C <directory]
       /usr/bin/sguild [-u <filename] [-adduser <username>]
                       [-changepasswd <username>]
  -c <filename>: PATH to the sguild config (sguild.conf) file.
  -a <filename>: PATH to the autocat config (autocat.conf) file.
  -g <filename>: PATH to the sguild global queries (sguild.queries) file.
  -P <filename>: Name of file to write the PID to.
                 Default is /var/run/sguild.pid
  -l <filepath>: PATH to sguild libraries.
  -O <filename>: Define PATH to tls (tcl openssl) lib (libtls1.x.so)
  -C <directory>: Directory that contains sguild.pem and sguild.key
  -D Runs sguild in daemon mode.
  -adduser <username>: Add user to sguild.
  -changepasswd <username>: Change user's password.
  -A <filename>: PATH to sguild.access file.
  -d <0|1|2>: Set DEBUG level
  -h Display this help
SGUILD: Exiting...

You could reset the user's password to prevent them from logging in.

OR

You *may* be able to just delete the username via mysql using
something like this:
mysql -uroot -Dsecurityonion_db -e "delete from user_info where username='USERNAME';"

But I'm not sure if that might cause any unintended consequences.
Perhaps Bamm Visscher can comment.

On Mon, Feb 3, 2014 at 10:46 AM, Mark Moore <tornado...@gmail.com> wrote:
> What's the command to remove user account from squil/ELSA? Not seeing it in the WIKI.
>
> Thx.
>

Mark Moore

Feb 4, 2014, 10:08:27 AM
to securit...@googlegroups.com
Maybe this should be a feature added in a later release since we occasionally have people depart our organization and would be nice to have the command for removing an account like you have one for adding.

Thx.

Doug Burks

Feb 4, 2014, 4:45:39 PM
to securit...@googlegroups.com
From Bamm:

> It wouldn't be too hard and I am adding it to the todo. I doubt I will
> go the route of "deleting" the user, since it could cause issues with
> alert history/etc. Instead it would do something like set the passwd
> to NULL or mark him/her inactive in the DB.
>
> In the meantime, you could simply do "UPDATE user_info SET
> password=NULL WHERE username='bamm';" in sguildb to disable the user.

On Tue, Feb 4, 2014 at 10:08 AM, Mark Moore <tornado...@gmail.com> wrote:
> Maybe this should be a feature added in a later release since we occasionally have people depart our organization and would be nice to have the command for removing an account like you have one for adding.
>
> Thx.
>