Riaan's SysAdmin Blog

My tips, howtos, gotchas, snippets and stuff. Use at your own risk!

SHIPS

SHIPS Password Rotation

admin

As explained on the website "unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts".

I tested as a proof of concept how to:

  • setup a SHIPS server on CentOS7
  • configure SHIPS folder and ACL's for devices
  • linux client execute SetAdminPass.sh for password rotation

Note that I simplified this test so the following was true:

  • no LDAP enabled for user logins into web interface (no identLDAP.rb)
  • devices not tested as belonging to LDAP OU (only using lib devicevalidatorany.rb)
  • Used ansible as much as possible to prepare the SHIPS server
  • Self signed certificate means client SetAdminPassword need --insecure with curl to even work.
  • Did not try and autostart SHIPS code on server reboot

So suffice to say you were warned this is not secure and correct way to run SHIPS it is a way to test the basics!

Final run after Ansible ironed out like this:

Download and unzip my file containing ansible playbook ships.yml plus the conf, ships.cert and ships.key files in /usr/src/ships-playbook. Update the conf file with correct IP address.

# yum install ansible -y
# cd /usr/src/ships-playbook/
root@ships ships-playbook]# rm -rf /opt/SHIPS ; ansible-playbook ships.yml

# cd /opt/SHIPS
[root@ships SHIPS]# ruby -r ./lib/identsqlite -r ./lib/identdevice -r ./lib/devicevalidatorany SHIPS.rb
  • from above ansible output capture password for SHIPS administrator user named root. Visit https://ip.addr.ess and login with root user and above password.
  • for folder and ACL configuration watch the section in the video located here https://www.trustedsec.com/2016/03/ships-version-2-released-major-release/
  • I made some changes on the client SetAdminPass.sh script as shown below.
URL='https://192.168.1.98/password'
#URL_OPTS=""

#RESPONSE=$( curl $CURL_OPTS -s "$URL?$URL_OPTSname=$HOST&nonce=$NONCE" )
RESPONSE=$( curl $CURL_OPTS -s "$URL?name=$HOST&nonce=$NONCE" )

#CURL_OPTS=''
CURL_OPTS='--insecure ' #DON'T DO THIS!

HISTORY='/var/run/SHIPS.HIST'

LINKS:

  • https://github.com/trustedsec/SHIPS/
  • https://www.trustedsec.com/2016/03/ships-version-2-released-major-release/
  • https://github.com/trustedsec/SHIPS/blob/master/doc/SHIPS_Installation_v2.pdf

admin

Bio Info for Riaan