bawood / TA-DUOSecurity2FA

Splunk TA for indexing DUO 2 factor activity logs

Splunk Cloud compatibility #4

Open wryanthomas opened 5 years ago

wryanthomas commented 5 years ago

Hi there.

We requested this be installed on Splunk Cloud and it came back with the following description of the issues preventing it from being Splunk Cloud compatible. Could you update the add-on so we (and others) can install in Splunk Cloud?

From Splunk: The Duo TA failed due to multiple issues with the python scripts included. This was manually reviewed a few years ago and so the failures are a bit vague. If the app developer wants to update the app, then he can reach out to us to get more detailed information.

[FAILURE] App Inspect: check_for_unencrypted_network_communications
  • Check that all network communications are encrypted.
  • Please check for unencrypted network communications.
  • See bin/splunklib/binding.py

[FAILURE] Should enforce https:
  • File: bin/splunktalib/splunk_platform.py Line: 98

[FAILURE] Should enforce https:
  • File: bin/splunklib/binding.py Line: 470
  • This is from the splunk sdk

bawood commented 5 years ago

Thanks, I think those python files are from the sdk, so I might just need to update that. I'll take a look and see if I can get more details from Splunk.

bawood commented 5 years ago

I've made some updates so it now appears to pass Splunk's AppInspect tests. Can you re-request it being installed in Splunk Cloud and let me know if it's allowed now? Also, I made the latest version 1.2.1, but left the default 1.2.0 on splunkbase for now. So if you have to request a specific version, 1.2.1 is the one you want.

wryanthomas commented 5 years ago

Thanks. I have submitted a request for them to install v1.2.1. I'll reply here with results. (Installs such as this typically are performed during maintenance window (before business hours on weekdays) -- so likely won't hear back until Monday or Tuesday.)

wryanthomas commented 5 years ago

On Thursday, they replied saying "It looks like their updated app has passed our Vetting tool but has some manual checks that need to be reviewed by our App Vetting team. I've passed it off to them for review; we will update you once we hear back." (I haven't heard back yet.)

wryanthomas commented 5 years ago

Finally got response... Two "manual check" issues:

"blocking-issues:

  1. Filename: bin/splunktalib/splunk_cluster.py, line: 56,61,67. Main function seems to contain test code with creds/hostnames. Please remove or clarify if they are not real creds.

non blocking-issue:

  1. Filename: default/data/ui/manager/duo.xml. Strongly recommend developer to use 'storage/passwords' endpoint to encrypted sensitive user-inputs."

bawood commented 5 years ago

Thanks, I'll take a look. The files under splunktalib were from either an old Splunk SDK or an old copy of the Add-on developer app. I'm certain I'm not using the splunk_cluster.py file, so I'm pretty sure I can just delete that file, but I might just be able to remove that entire directory. I'll have to look more closely at the 'storage/passwords' endpoint.

bawood commented 5 years ago

I removed all of the splunktalib after determining it wasn't needed anymore. I've submitted it on Splunkbase, it's passed the AppInspect checks again, and I've made it visible but not the default version (1.2.2). So at least the blocking issue should be resolved now. I would like to update to use the passwords endpoint, but I'm not sure when I'll have a chance to work on that.
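The two vetting findings in this thread (plain-HTTP management calls and Duo API secrets stored in clear text via the setup page) map to a single pattern: reach the Splunk REST API over HTTPS only, and keep the Duo secret in the `storage/passwords` endpoint, reading it back by its `<realm>:<username>:` entry name instead of out of a `.conf` file. The following is an added example of that pattern; it is not code from TA-DUOSecurity2FA or from the Splunk SDK. It uses only the standard library so it runs offline: the REST requests are built but not sent, and the endpoint listing it parses is a constructed sample in the shape of `output_mode=json` output. The app name, realm, the `DI_EXAMPLE_IKEY` username and all function names are assumptions made for the example, and realm/username values are assumed not to contain colons.

```python
"""Keeping a Duo API secret in Splunk's storage/passwords endpoint.

Added example (not the TA's own code). Standard library only: requests are
built, not sent; the endpoint response below is a constructed sample.
"""
import json
from urllib.parse import urlencode, urlsplit

# Hypothetical app and realm names used throughout this example.
APP = "TA-DUOSecurity2FA"
REALM = "duo_admin_api"


def management_url(base_url: str) -> str:
    """Return the management URI, rejecting anything that is not HTTPS.

    AppInspect's check_for_unencrypted_network_communications flags plain
    HTTP; failing early here keeps the secret from ever crossing the wire
    in clear text.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError(f"management URI must use https, got {parts.scheme!r}")
    return base_url.rstrip("/")


def credential_name(realm: str, username: str) -> str:
    """Entry name Splunk assigns to a stored password: '<realm>:<username>:'.

    An empty realm yields ':<username>:'. Colons inside realm or username
    are assumed absent (not handled here).
    """
    return f"{realm}:{username}:"


def build_store_request(base_url: str, app: str, realm: str,
                        username: str, secret: str):
    """Build the POST that creates the credential; returns (method, url, body).

    The 'nobody/<app>' namespace keeps the credential owned by the app
    rather than by the user who ran setup.
    """
    url = f"{management_url(base_url)}/servicesNS/nobody/{app}/storage/passwords"
    body = urlencode({"name": username, "password": secret, "realm": realm})
    return "POST", url, body


def build_fetch_request(base_url: str, app: str):
    """Build the GET that lists the app's stored credentials as JSON."""
    url = (f"{management_url(base_url)}/servicesNS/nobody/{app}"
           "/storage/passwords?output_mode=json&count=0")
    return "GET", url


def find_secret(response_json: str, realm: str, username: str):
    """Pick one realm/username's clear-text value out of the listing.

    Returns None when the credential is absent instead of raising, so a
    caller can fall back to prompting for setup.
    """
    wanted = credential_name(realm, username)
    for entry in json.loads(response_json).get("entry", []):
        if entry.get("name") == wanted:
            return entry["content"]["clear_password"]
    return None


# Constructed sample of the listing (not captured from a real Splunk).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "duo_admin_api:DI_EXAMPLE_IKEY:",
         "content": {"realm": "duo_admin_api",
                     "username": "DI_EXAMPLE_IKEY",
                     "clear_password": "example-secret-key",
                     "encr_password": "<encrypted-placeholder>"}},
        {"name": ":svc_other:",
         "content": {"realm": "", "username": "svc_other",
                     "clear_password": "unrelated"}},
    ]
})

if __name__ == "__main__":
    method, url, body = build_store_request(
        "https://localhost:8089", APP, REALM, "DI_EXAMPLE_IKEY", "example-secret-key")
    print(method, url)
    print(find_secret(SAMPLE_RESPONSE, REALM, "DI_EXAMPLE_IKEY"))
```

In a real add-on the built requests would be sent with the session key Splunk passes to a modular input on stdin, and the setup page would post the secret to this endpoint rather than writing it to `duo.conf`; the `find_secret` lookup is what the input script runs at start-up to get the Duo secret back.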