MikeSchiessl
commented
1 year ago Hi @ShlomiSalman,
To be able to login against the API, ULS somehow needs to access (read) the clear text password. So, here are a couple of thoughts from my end, but happy to have a conversation on how the issue got solved on the solution center tools side.
So here we go:
- Use environmental variables (a very common way to solve this issue) - the good thing is, the value can come out of encrypted VAULT or other tools and be only provided at runtime
- base64 encoding (well .. no security added with this, just obscurity :D and I would not use it as a solution at all)
- encrypted .edgerc file but ULS (and the CLIs) somehow need to access the unencrypted token and this is where the weakness comes in :$
- Embedded VAULT client to manage passwords directly inline (probably a code change and requires VAULT infrastructure on the customer side)
Right now, our recommendation is to use strict RBAC to minimize the capabilities (=authorization) of the regarding token to only allow retrieval of logs.
Feel free to plunge me a meeting invite into my calendar so we can have a discussion and also feel free to point me to the eng. that solved it towards the other tool (find me on teams slack mail ... )
best Mike Schiessl
Hello
I want to use this tool to sync the network log events from. Guardicore Cetra but I've noticed that the password is stored in clear text in the .edgerc file.
Is there an option to store hashed password or encrypt the password somehow? we received this requirement from a customer to use our tools (guardicore solution center tools) and I can point you to the engineer that changed it in all of out tools.