Service Name (on Pulse): Active Directory Pulse Integration

Service Name (on sensor): ad_integration

Configuration File (on sensor): /opt/pwnix/data/ad-nauseam/ad-nauseam.json

Log File (on sensor): /var/log/pwnix/ad_integration.log


In normal operation, after values are entered in the fields of the Active Directory Pulse Integration service within Pulse and the service is started, those values are sent to the sensor and written to the configuration file, and the AD Integration service is then started on the sensor. Once started, the service reads the values from the configuration file and performs the Active Directory integration, retrieving information from the AD server. That information is then sent to Pulse, where the network hosts it describes are tagged with a "Known Good" Trust Level, helping to quickly establish a baseline of trusted assets on the network.

With sensors running 1.9.11, an issue was identified in which Active Directory Pulse Integration does not work as expected if the feature was enabled prior to updating to 1.9.11.

The cause of the issue is that the values specified in the Pulse UI are not written to the configuration file on the sensor. When the service is started on the sensor, it therefore creates a generic configuration file with default values and then stops because no usable configuration is present.

For sensors affected by this issue, a work-around is available requiring the user to edit the configuration file on the sensor and provide the values necessary for Active Directory Pulse Integration to operate properly.


Steps to perform:

  1. Use SSH to log in to the sensor with the pwnie user account.
  2. Type sudo su and press Enter, then re-type the password to become superuser.
  3. Next, type systemctl stop ad_integration and press Enter to stop the AD integration service.
  4. Type rm /opt/pwnix/data/ad-nauseam/ad-nauseam.json and press Enter to remove the current configuration file.
  5. Next, type rm /var/log/pwnix/ad_integration.log and press Enter to remove the current log file.
  6. Leave the SSH session open. Using a browser, log in to Pulse, go to the Sensors page, select the sensor involved, then go to Services.
  7. Select Active Directory Pulse Integration, specify all of the values necessary, then click Save. Afterward, start the Active Directory Pulse Integration service.
  8. Return to the SSH session, type reboot and press Enter to reboot the sensor.
  9. After the sensor has restarted, repeat steps one and two, then type cat /opt/pwnix/data/ad-nauseam/ad-nauseam.json and press Enter. Because of the issue identified, the contents of the config file will look like the following:

    {
      "log_level": "info",
      "send_to_pulse": true,
      "polling_rate": "daily",
      "ad_host": "127.0.0.1",
      "ad_port": "636",
      "ad_user": "",
      "sensor_side_hash": "",
      "ad_base": "",
      "connection": "ldaps",
      "verify_cert": false
    }

    Next, the user will need to copy the necessary values from the /opt/pwnix/data/pulse.yaml file to the appropriate fields in the configuration file.

    For reference, the pulse.yaml file contains the sensor's configuration, including the information relevant to Active Directory integration. The pulse.yaml file is updated whenever the sensor is restarted, so it reflects the current configuration as set in the Pulse UI.

  10. Type cat /opt/pwnix/data/pulse.yaml and press Enter. Locate the section of the file that contains the values associated with Active Directory integration. Refer to the following example of the section and the values to look for:

    - config:
        ad_base: DC=VMW2k3,DC=local
        ad_host: 192.168.123.102
        ad_port: '389'
        ad_user: CN=User,CN=Users,DC=VMW2k3,DC=local
        connection: ldap
        verify_cert: 'false'
        polling_rate: hourly
        sensor_side_hash: |
          qHthyxvhs+dscnsuXgGVGA==
          :QWGCjUpgpBky2F6CbQJznf0hj1SriRoQsBw23QY4BQPIC/m/aERcOzYqHKoj
          huXntYwF9brPtJD6oWNKzSufcTAZL2u+eCjsFJqS3TDcX5bBwOnB2pPKjpmr
          UTuLdbYlPiGrhSXvPvwOkwAOrmVCHITElxyWHFAO0fON8TKp1vY=
          :Vhp0UiQJb2uFKNSRX4YMK+EC9O56iu8F59gnQLQqbc1mtr1nuWZ/QZGEAawq
          AKJ+KmzE4iSB78VapziOjr2t+Tu6VIczE7McRE8SpLEXOyKMlj6IGaAVGA80
          7DXm4MCMsgDjOEk3duTYV84qrZdkeMOz7dC01gcoAU78Sm6SJjaxlThIR2se
          rn59P6yZUc6VpHdxsPeqPrMeE1Nw7vLfDDzvRK6pLsTuJDFUf7EFVZnMj9Lq
          ybE+EY1huHh5IjVzsX3g7WQ55XlD1RSfwYKXpJpp76OKTVeSQTrxgoyHG4F9
          VEt4PH6AIowz8+APy9BL7TCmUe/qH+T3grMa8hlm99aBdCeWUe8bte4iptlH
          dtGdHBvKCONZ7Ob0dyxtMC2GXl1XFv8OuqybK/ph744ojYW73A1ZiRQs3VLl
          yoiM/smTOxcrjwF+yF/RQCiGM9XE+gnByaOJwW8FRmdxw+8Xbjn6kUkeVQws
          qb6jcHnd1DHcDh7WPia28LQCRT4ni8ynDxStu8yk49M4pBRS2NGA3eecZiQp
          o5NWEO0qy9Hrq9GaHUEPmitTTbwMn3JfScF5S3BTQmVliQ6yBiF3y7RjnCZ3
          SkDnKVnvnyi6OoU0UWMWcPOpOagNl9QCDxtMi+TBQtKkYkp0W37NuqcokvFM
          yXJwvUuk7dBmApoNqSIiSFA=

    Everything appearing within this section of the pulse.yaml file, with the exception of the sensor_side_hash, needs to be copied to the configuration file. In other words, copy the value for ad_base in the pulse.yaml file to the value for ad_base in the configuration file. Repeat this for ad_host, ad_port, ad_user, etc. Keep the types the configuration file already uses: ad_port stays a quoted string, and verify_cert stays an unquoted JSON boolean (false) even though pulse.yaml shows it quoted as 'false'.

    The value of the sensor_side_hash needs to be manipulated before it is copied to the configuration file, as follows:

    1. Copy the value of the sensor_side_hash reflected in the pulse.yaml file to an editor.

            qHthyxvhs+dscnsuXgGVGA==
            :QWGCjUpgpBky2F6CbQJznf0hj1SriRoQsBw23QY4BQPIC/m/aERcOzYqHKoj
            huXntYwF9brPtJD6oWNKzSufcTAZL2u+eCjsFJqS3TDcX5bBwOnB2pPKjpmr
            UTuLdbYlPiGrhSXvPvwOkwAOrmVCHITElxyWHFAO0fON8TKp1vY=
            :Vhp0UiQJb2uFKNSRX4YMK+EC9O56iu8F59gnQLQqbc1mtr1nuWZ/QZGEAawq
            AKJ+KmzE4iSB78VapziOjr2t+Tu6VIczE7McRE8SpLEXOyKMlj6IGaAVGA80
            7DXm4MCMsgDjOEk3duTYV84qrZdkeMOz7dC01gcoAU78Sm6SJjaxlThIR2se
            rn59P6yZUc6VpHdxsPeqPrMeE1Nw7vLfDDzvRK6pLsTuJDFUf7EFVZnMj9Lq
            ybE+EY1huHh5IjVzsX3g7WQ55XlD1RSfwYKXpJpp76OKTVeSQTrxgoyHG4F9
            VEt4PH6AIowz8+APy9BL7TCmUe/qH+T3grMa8hlm99aBdCeWUe8bte4iptlH
            dtGdHBvKCONZ7Ob0dyxtMC2GXl1XFv8OuqybK/ph744ojYW73A1ZiRQs3VLl
            yoiM/smTOxcrjwF+yF/RQCiGM9XE+gnByaOJwW8FRmdxw+8Xbjn6kUkeVQws
            qb6jcHnd1DHcDh7WPia28LQCRT4ni8ynDxStu8yk49M4pBRS2NGA3eecZiQp
            o5NWEO0qy9Hrq9GaHUEPmitTTbwMn3JfScF5S3BTQmVliQ6yBiF3y7RjnCZ3
            SkDnKVnvnyi6OoU0UWMWcPOpOagNl9QCDxtMi+TBQtKkYkp0W37NuqcokvFM
            yXJwvUuk7dBmApoNqSIiSFA=
    2. Next, remove the leading whitespace from each line and add the two characters \n (a backslash followed by n) at the end of each line. Afterward, remove the line breaks so that the result is one long string. When finished, the example sensor_side_hash above should look like the example below:

      qHthyxvhs+dscnsuXgGVGA==\n:QWGCjUpgpBky2F6CbQJznf0hj1SriRoQsBw23QY4BQPIC/m/aERcOzYqHKoj
      \nhuXntYwF9brPtJD6oWNKzSufcTAZL2u+eCjsFJqS3TDcX5bBwOnB2pPKjpmr\nUTuLdbYlPiGrhSXvPvwOkwAOrmVCHITElxyWHFAO0fON8TKp1vY=
      \n:Vhp0UiQJb2uFKNSRX4YMK+EC9O56iu8F59gnQLQqbc1mtr1nuWZ/QZGEAawq
      \nAKJ+KmzE4iSB78VapziOjr2t+Tu6VIczE7McRE8SpLEXOyKMlj6IGaAVGA80
      \n7DXm4MCMsgDjOEk3duTYV84qrZdkeMOz7dC01gcoAU78Sm6SJjaxlThIR2se
      \nrn59P6yZUc6VpHdxsPeqPrMeE1Nw7vLfDDzvRK6pLsTuJDFUf7EFVZnMj9Lq
      \nybE+EY1huHh5IjVzsX3g7WQ55XlD1RSfwYKXpJpp76OKTVeSQTrxgoyHG4F9\nVEt4PH6AIowz8+APy9BL7TCmUe
      /qH+T3grMa8hlm99aBdCeWUe8bte4iptlH\ndtGdHBvKCONZ7Ob0dyxtMC2GXl1XFv8OuqybK
      /ph744ojYW73A1ZiRQs3VLl\nyoiM/smTOxcrjwF+yF/RQCiGM9XE+gnByaOJwW8FRmdxw+8Xbjn6kUkeVQws
      \nqb6jcHnd1DHcDh7WPia28LQCRT4ni8ynDxStu8yk49M4pBRS2NGA3eecZiQp
      \no5NWEO0qy9Hrq9GaHUEPmitTTbwMn3JfScF5S3BTQmVliQ6yBiF3y7RjnCZ3
      \nSkDnKVnvnyi6OoU0UWMWcPOpOagNl9QCDxtMi+TBQtKkYkp0W37NuqcokvFM\nyXJwvUuk7dBmApoNqSIiSFA=\n
    3. Next, copy the modified sensor_side_hash into the sensor_side_hash field of the configuration file. If everything has been copied correctly, the configuration file will look like the following:

      {
        "log_level": "info",
        "send_to_pulse": true,
        "polling_rate": "hourly",
        "ad_host": "192.168.123.102",
        "ad_port": "389",
        "ad_user": "CN=User,CN=Users,DC=VMW2k3,DC=local",
        "sensor_side_hash": "qHthyxvhs+dscnsuXgGVGA==\n:QWGCjUpgpBky2F6CbQJznf0hj1SriRoQsBw23QY4BQPIC/m/aERcOzYqHKoj\nhuXntYwF9brPtJD6oWNKzSufcTAZL2u+eCjsFJqS3TDcX5bBwOnB2pPKjpmr\nUTuLdbYlPiGrhSXvPvwOkwAOrmVCHITElxyWHFAO0fON8TKp1vY=\n:Vhp0UiQJb2uFKNSRX4YMK+EC9O56iu8F59gnQLQqbc1mtr1nuWZ/QZGEAawq\nAKJ+KmzE4iSB78VapziOjr2t+Tu6VIczE7McRE8SpLEXOyKMlj6IGaAVGA80\n7DXm4MCMsgDjOEk3duTYV84qrZdkeMOz7dC01gcoAU78Sm6SJjaxlThIR2se\nrn59P6yZUc6VpHdxsPeqPrMeE1Nw7vLfDDzvRK6pLsTuJDFUf7EFVZnMj9Lq\nybE+EY1huHh5IjVzsX3g7WQ55XlD1RSfwYKXpJpp76OKTVeSQTrxgoyHG4F9\nVEt4PH6AIowz8+APy9BL7TCmUe/qH+T3grMa8hlm99aBdCeWUe8bte4iptlH\ndtGdHBvKCONZ7Ob0dyxtMC2GXl1XFv8OuqybK/ph744ojYW73A1ZiRQs3VLl\nyoiM/smTOxcrjwF+yF/RQCiGM9XE+gnByaOJwW8FRmdxw+8Xbjn6kUkeVQws\nqb6jcHnd1DHcDh7WPia28LQCRT4ni8ynDxStu8yk49M4pBRS2NGA3eecZiQp\no5NWEO0qy9Hrq9GaHUEPmitTTbwMn3JfScF5S3BTQmVliQ6yBiF3y7RjnCZ3\nSkDnKVnvnyi6OoU0UWMWcPOpOagNl9QCDxtMi+TBQtKkYkp0W37NuqcokvFM\nyXJwvUuk7dBmApoNqSIiSFA=\n",
        "ad_base": "DC=VMW2k3,DC=local",
        "connection": "ldap",
        "verify_cert": false
      }
  11. Save the changes, then start the AD service by typing systemctl start ad_integration and press Enter.
  12. Next, type tail -f /var/log/pwnix/ad_integration.log and press Enter to review the log file.
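Steps 10 and 11 can also be scripted instead of done by hand. The following Python is an added example written for this article, not part of the sensor's own tooling; it assumes the pulse.yaml section has the flat shape shown above (scalars plus one '|' literal block), embeds a constructed excerpt of that section with the hash shortened, and relies on the fact that the manual "\n at the end of each line" edit is exactly what JSON string encoding of the YAML literal block produces.

```python
import json
# Constructed pulse.yaml excerpt from the article, sensor_side_hash cut to two lines.
PULSE_YAML = """\
- config:
    ad_base: DC=VMW2k3,DC=local
    ad_host: 192.168.123.102
    ad_port: '389'
    ad_user: CN=User,CN=Users,DC=VMW2k3,DC=local
    connection: ldap
    verify_cert: 'false'
    polling_rate: hourly
    sensor_side_hash: |
      qHthyxvhs+dscnsuXgGVGA==
      :QWGCjUpgpBky2F6CbQJznf0hj1SriRoQsBw23QY4BQPIC/m/aERcOzYqHKoj
"""
DEFAULT_CONFIG = {  # what the service writes when it finds no config (article)
    "log_level": "info", "send_to_pulse": True, "polling_rate": "daily",
    "ad_host": "127.0.0.1", "ad_port": "636", "ad_user": "", "sensor_side_hash": "",
    "ad_base": "", "connection": "ldaps", "verify_cert": False}
AD_KEYS = set(DEFAULT_CONFIG) - {"log_level", "send_to_pulse"}

def parse_config_section(text):
    """Read the AD keys from 'config:'; handles only scalars and '|' blocks (assumption)."""
    values, block_key, key_indent, block_lines = {}, None, 0, []
    for raw in text.splitlines() + [""]:       # "" flushes a trailing block
        indent = len(raw) - len(raw.lstrip(" "))
        if block_key is not None:
            if raw.strip() and indent > key_indent:
                block_lines.append(raw.strip())    # drop the indentation
                continue
            # a literal block keeps one newline after every line, last included
            values[block_key] = "\n".join(block_lines) + "\n"
            block_key, block_lines = None, []
        key, sep, val = raw.strip().partition(":")
        if sep and key in AD_KEYS:
            if val.strip() == "|":                 # literal block follows
                block_key, key_indent = key, indent
            else:
                values[key] = val.strip().strip("'\"")
    return values

def build_ad_config(pulse_yaml, defaults=DEFAULT_CONFIG):
    cfg = {**defaults, **parse_config_section(pulse_yaml)}  # steps 10 and 11
    # pulse.yaml quotes verify_cert ('false'); ad-nauseam.json wants a boolean
    cfg["verify_cert"] = str(cfg["verify_cert"]).lower() == "true"
    return cfg

def to_json(cfg):
    # json.dumps turns the real newlines into the \n escapes built by hand above
    return json.dumps(cfg, indent=2) + "\n"
```

Writing to_json(build_ad_config(open("/opt/pwnix/data/pulse.yaml").read())) over /opt/pwnix/data/ad-nauseam/ad-nauseam.json replaces the manual edit; run it with the service stopped and review the result before starting ad_integration again.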

If the values in the config file were entered correctly (most importantly the sensor_side_hash), the log file will show activity like the following, indicating that polling of the AD server succeeded and the information was sent to Pulse.

# Logfile created on 2018-06-18 16:44:51 -0400 by logger.rb/v1.2.7
2018-06-18T16:44:51.877-0400 INFO runner#116522: No Config found. Adding default one at /opt/pwnix/data/ad-nauseam/ad-nauseam.json
2018-06-19T13:16:23.624-0400 INFO runner#30395: Starting AD Integration...
2018-06-19T13:16:23.624-0400 INFO runner#30395: Sending Credential Request to Pulse...
2018-06-19T13:16:23.625-0400 INFO runner#30395: Waiting for Credential Request Response from Pulse...
2018-06-19T13:16:29.102-0400 INFO runner#30395: Credentials Request Complete...
2018-06-19T13:16:29.123-0400 INFO runner#30395: Sending (1/1 MAX:100) devices to Pulse.
2018-06-19T13:16:29.123-0400 INFO runner#30395: AD Integration Run Complete...

At this point, nothing further needs to be done to enable Active Directory Pulse Integration. As long as the ad_integration service on the sensor is running, the AD server will be polled and the results sent to Pulse. Close the SSH session.

Important

Until this issue is resolved, any changes made in the Pulse UI to the configuration of the Active Directory Pulse Integration will also need to be made manually to the configuration file on the sensor.