so-user-add not working


Abhas Bhatt

Aug 27, 2019, 2:16:03 PM
to security-onion
Hello,
I am trying to add a new SSO account and using so-user-add from the documentation here: https://securityonion.readthedocs.io/en/latest/adding-accounts.html#sso
Everything seems to run successfully, but when I do so-user-list, I do not see the user being added. Any thoughts/suggestions?

# so-user-add


User Name

Enter the name of the new user that will be granted privilege to connect to Sguil/Squert/Kibana: user_xxxx


User Pass

Enter the password for the new user that will be granted privilege to connect to this server: 

Verify: 


Add User to Server

The following information has been collected:


  user:        user_xxxx


Do you want to create? (Y/N) [Y]: Y

Adding user: user_xxxx

user_xxxx successfully added.


$ sudo so-user-list



so-user-list doesn't show the user_xxxx that was added, nor can I log in to Squert using the user_xxxx/password combination that I used to add the user.

$ sudo so-status

Status: securityonion

  * sguil server                                                                                                                                                 [  OK  ]

Status: HIDS

  * ossec_agent (sguil)                                                                                                                                          [  OK  ]

Status: Elastic stack

  * so-elasticsearch                                                                                                                                             [  OK  ]

  * so-logstash                                                                                                                                                  [  OK  ]

  * so-kibana                                                                                                                                                    [  OK  ]

  * so-curator                                                                                                                                                   [  OK  ]

  * so-elastalert                                                                                                                                                [  OK  ]

Steven J

Aug 27, 2019, 6:01:41 PM
to securit...@googlegroups.com

I don't know that anything has changed recently, but I always presumed the user would need an OS account created first, to be recognized by the Onion.
sudo adduser <Insert-Username-Here>
You may want to add them as a sudo user but they would likely need ssh access.

To see if the SO account has been added, you could always login to the Kibana interface, choose "Management" in the left menu, then select Users. If they have an Elastic account, it will have been generated from their existing Sguil account.



--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/6efcfa38-4ce3-43d7-89b2-853ac5716626%40googlegroups.com.

Dustin Lee

Aug 27, 2019, 6:18:24 PM
to security-onion
I've done a quick amount of testing on my end by adding a few users with and without underscores. It appears so-user-add doesn't appreciate the use of an underscore in the username and the new username is not added to the database. More investigation to follow. 

For future readers, the user account for Sguil/Squert/Kibana is not a local user and does not need to be added to the operating system via adduser/useradd. It is separate.

- Dustin

Doug Burks

Aug 27, 2019, 7:35:30 PM
to securit...@googlegroups.com

--
Doug Burks
CEO
Security Onion Solutions, LLC

AB

Aug 30, 2019, 10:33:13 AM
to security-onion
Not using the "_" in the username did the trick. Thank you for the information.