Service Name (on Pulse): Active Directory Pulse Integration
Service Name (on sensor): ad_integration
Configuration File (on sensor): /opt/pwnix/data/ad-nauseam/ad-nauseam.json
Log File (on sensor): /var/log/pwnix/ad_integration.log
In normal operation, after values are entered in the fields for the Active Directory Pulse Integration service within Pulse and the service is started, the specified values are sent to the sensor and written to the configuration file, and then the AD Integration service is started on the sensor. Once started, the service reads the values from the configuration file and Active Directory integration occurs, with the sensor retrieving information from the AD server. This information is then sent to Pulse, where network hosts are tagged with a "Known Good" Trust Level, helping to quickly establish a baseline of trusted assets on the network.
With sensors running 1.9.11, an issue was identified in which Active Directory Pulse Integration does not work as expected if the feature was enabled prior to updating to 1.9.11.
The cause of the issue is that the values specified in the Pulse UI are not written to the configuration file on the sensor. Hence, when the service is started on the sensor, a generic configuration file is created with default values and the service subsequently stops because of the lack of configuration.
For sensors affected by this issue, a work-around is available requiring the user to edit the configuration file on the sensor and provide the values necessary for Active Directory Pulse Integration to operate properly.
Steps to perform:
- Use SSH and log in to the sensor with the pwnie user account.
- Next, type sudo su and press Enter, then re-type the password to become superuser.
- Next, type systemctl stop ad_integration and press Enter to stop the AD integration service.
- Next, type rm /opt/pwnix/data/ad-nauseam/ad-nauseam.json and press Enter to remove the current configuration file.
- Next, type rm /var/log/pwnix/ad_integration.log and press Enter to remove the current log file.
- Leave the SSH session open and, using a browser, log in to Pulse, go to the Sensors page, select the sensor involved, then go to Services.
- Select Active Directory Pulse Integration, specify all of the values necessary, then click Save. Afterward, start the Active Directory Pulse Integration service.
- Return to the SSH session, type reboot and press Enter to reboot the sensor.
After the sensor is restarted, repeat steps one and two, then type cat /opt/pwnix/data/ad-nauseam/ad-nauseam.json and press Enter. Because of the issue identified, the contents of the config file will look like the following:
Next, the user will need to copy the necessary values from the /opt/pwnix/data/pulse.yaml file to the appropriate fields in the configuration file.
For reference, the pulse.yaml file contains information pertaining to the sensor's configuration, including the relevant information for Active Directory integration, etc. The pulse.yaml file is updated whenever the sensor is restarted to reflect the current, up-to-date configuration shown in the Pulse UI.
Next, type cat /opt/pwnix/data/pulse.yaml and press Enter. Locate the section within the file that reflects values associated with Active Directory integration. Refer to the following example of the section and values to look for:
Everything appearing within this section in the pulse.yaml file, with the exception of the sensor_side_hash, needs to be copied to the configuration file. In other words, copy the value for ad_base in the pulse.yaml file to the value for ad_base in the configuration file. Repeat this for ad_host, ad_port, ad_user, etc.
The value associated with the sensor_side_hash needs to be manipulated before it is copied to the configuration file, as follows:
Copy the value of the sensor_side_hash reflected in the pulse.yaml file to an editor.
Next, remove the whitespace at the beginning of each line and add \n at the end of each line. Afterward, remove the carriage returns and join the lines into one long string of characters. When finished, the example of the sensor_side_hash above should look like the example below:
Next, copy the modified sensor_side_hash to the sensor_side_hash field in the configuration file. If all has been copied correctly, the configuration file will now look like the following:
- Save the changes, then start the AD service by typing systemctl start ad_integration and pressing Enter.
- Next, type tail -f /var/log/pwnix/ad_integration.log and press Enter to review the log file.
If the values in the config file were entered correctly (most importantly the sensor_side_hash), the log file will reflect activity as follows, indicating that polling of the AD server was successful and the information was sent to Pulse.
At this time, nothing further needs to be done to enable Active Directory Pulse Integration. And as long as the ad_integration service on the sensor is running, the polling to the AD server will occur and the results sent to Pulse. Close the SSH
Until this issue becomes resolved, any changes made to the Pulse UI involving the configuration of the Active Directory Pulse Integration will need to be made manually to the configuration file on the sensor.
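The sensor_side_hash edit described in the steps above can be scripted rather than done by hand in an editor. The following is an added example, not part of the original article or the vendor's tooling; the function names flatten_hash and check_hash, the placeholder sample lines, and the guard that refuses double quotes and backslashes are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original article): build the one-line
# sensor_side_hash value from the indented block copied out of pulse.yaml.
umask 077   # files created while handling the value stay readable by owner only

# flatten_hash: stdin = the block lines as shown in pulse.yaml.
# stdout = one line; each original line is followed by a literal \n.
# Exits 1 with no output if a line holds a double quote or backslash, since
# those would need JSON escaping that the article's steps do not cover.
flatten_hash() {
    awk 'BEGIN { bs = sprintf("%c", 92) }        # a single backslash
         { sub(/\r$/, "")                        # carriage return from a CRLF paste
           sub(/^[ \t]+/, "")                    # leading indentation
           if (index($0, "\"") || index($0, bs)) bad = 1
           out = out $0 bs "n" }
         END { if (bad) exit 1
               print out }'
}

# check_hash BLOCK_FILE VALUE: succeeds only when VALUE (for example the
# string already pasted into the configuration file) matches the block.
check_hash() {
    expected=$(flatten_hash < "$1") || return 2
    [ -n "$expected" ] && [ "$expected" = "$2" ]
}

# Constructed sample block (placeholder text, not a real hash), saved the way
# it would be after copying the indented lines from pulse.yaml.
demo() {
    tmp=$(mktemp) || return 1
    printf '    LINE-ONE-PLACEHOLDER\r\n    LINE-TWO-PLACEHOLDER\r\n' > "$tmp"
    flatten_hash < "$tmp"
    rm -f "$tmp"
}

demo
```

To use it on the sensor, save only the indented lines of the sensor_side_hash value to a file (hash_block.txt is a hypothetical name), run flatten_hash < hash_block.txt, and delete the file once the value is in the configuration file.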