As explained on the website “unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts“.
I tested as a proof of concept how to:
- setup a SHIPS server on CentOS7
- configure SHIPS folder and ACL’s for devices
- linux client execute SetAdminPass.sh for password rotation
Note that I simplified this test so the following was true:
- no LDAP enabled for user logins into web interface (no identLDAP.rb)
- devices not tested as belonging to LDAP OU (only using lib devicevalidatorany.rb)
- Used ansible as much as possible to prepare the SHIPS server
- Self signed certificate means client SetAdminPassword need –insecure with curl to even work.
- Did not try and autostart SHIPS code on server reboot
So suffice to say you were warned this is not secure and correct way to run SHIPS it is a way to test the basics!
Final run after Ansible ironed out like this:
Download and unzip my file containing ansible playbook ships.yml plus the conf, ships.cert and ships.key files in /usr/src/ships-playbook. Update the conf file with correct IP address.
# yum install ansible -y # cd /usr/src/ships-playbook/ root@ships ships-playbook]# rm -rf /opt/SHIPS ; ansible-playbook ships.yml # cd /opt/SHIPS [root@ships SHIPS]# ruby -r ./lib/identsqlite -r ./lib/identdevice -r ./lib/devicevalidatorany SHIPS.rb
- from above ansible output capture password for SHIPS administrator user named root. Visit https://ip.addr.ess and login with root user and above password.
- for folder and ACL configuration watch the section in the video located here https://www.trustedsec.com/2016/03/ships-version-2-released-major-release/
- I made some changes on the client SetAdminPass.sh script as shown below.
URL='https://192.168.1.98/password' #URL_OPTS="" #RESPONSE=$( curl $CURL_OPTS -s "$URL?$URL_OPTSname=$HOST&nonce=$NONCE" ) RESPONSE=$( curl $CURL_OPTS -s "$URL?name=$HOST&nonce=$NONCE" ) #CURL_OPTS='' CURL_OPTS='--insecure ' #DON'T DO THIS! HISTORY='/var/run/SHIPS.HIST'