We have a few software components that require passwords to be sent with the action, which we would not want to have sent in clear text or show up in local BigFix client logs.
Can something be added to the BigFix Console and Clients to allow for encrypting a piece of the action, such as an action parameter? An example of a potential new action could be a new Encrypt parameter such as the following:
ENCRYPT action parameter query "Password" with description "Please enter password for this action" with default "Enter Password Here"
When ENCRYPT is sent, then the specific parameter “Password” gets encrypted prior to being sent to the client.
The client then sees the ENCRYPT in the action and decrypts the password without any clear text password showing up in the BigFix client logs when that parameter is used.
We have some ideas on how to securely transfer passwords to specific authenticated agents, but it requires a large amount of work to rearchitect certain pieces of how the actions are transferred. This is one of the top proposed major features that we are considering… but it won’t be in the next major version…
Posting here because the title/topic is the closest match for the problem I’m trying to overcome. I’ve read several posts but none which directly address this title/topic. In my case I need to protect passwords I’d like to pass through cmd:
waithidden cmd /c {(pathname of it) of files whose (name of it ends with "Server.msi") of folder "<pathname>"} ADDLOCAL="Application,Database,StoreSolution,DMSClient,USATax,USARegion,NAMER,Regions" … USER_PASSWORD={if exists folder "<pathname>" then "<PasswordA>" else "<PasswordB>"} ...
Keeping the passwords out of the BES logs is my primary concern at this time.
In what way would the passwords be dynamic? The example linked on https://bigfix.me/fixlet/details/3679 has one parameter that is hard-coded and the second as one you can input, but you could have both as inputs, which then allows you to use different password combinations each time you issue the action.
Dynamic in the sense that the password can be created using relevance substitution within the Action at the time of execution.
Example: {"A1pha"&(following text of first "Rusty_" of preceding text of first "_Nine" of (value "WindowsServiceIdentityConfigured" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSRS12.SQLEXPRESS\Setup" of native registry as string))&"0n3"}
@Jonathan I think what you need is to use the following two action script commands:
action log command
This command tells the client to only log the commands of the action. The parameters of the commands in the action will not be logged.
Ordinarily all aspects of an action are logged, including commands and parameters. The parameters may contain information about establishing private keys or decrypting passwords. This command can be used to avoid logging such sensitive information.
action log all
This command tells the client to log all commands along with their parameters. This is the default behavior. This can be used to undo a previous action log command.
Your action script would be modified as follows:
action log command
waithidden cmd /c {(pathname of it) of files whose (name of it ends with "Server.msi") of folder "<pathname>"} ADDLOCAL="Application,Database,StoreSolution,DMSClient,USATax,USARegion,NAMER,Regions" … USER_PASSWORD={if exists folder "<pathname>" then "<PasswordA>" else "<PasswordB>"} ...
action log all
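After switching the action to "action log command" as suggested above, a practitioner will want to confirm that the client log really no longer records the substituted password. The following is an added example, not code from the thread or from BigFix: a small Python check that scans log lines for known secret values and, independently, for any PASSWORD=value style parameter. The two sets of log lines are constructed for the example; the exact format of a real BESClient log may differ, and the scan does not depend on it.

```python
"""Scan BigFix client log lines for leaked secrets (added example).

The log lines below are constructed to resemble what a client log might
contain with the default 'action log all' behaviour (parameters logged)
versus 'action log command' (only command names logged). They are not
real BESClient output.
"""
import re

# Constructed sample: default logging, parameters included.
LOG_ALL = [
    'Command started - waithidden cmd /c C:\\tmp\\Server.msi ADDLOCAL="Application,Database" USER_PASSWORD=Hunter2x (action:1234)',
    "Command succeeded (Exit Code=0) waithidden (action:1234)",
]

# Constructed sample: after 'action log command', only the command is logged.
LOG_COMMAND_ONLY = [
    "Command started - waithidden (action:1234)",
    "Command succeeded (Exit Code=0) waithidden (action:1234)",
]


def find_secret_leaks(lines, secrets):
    """Return a list of (line_number, secret) for every line containing a known secret.

    Pass every value the action could substitute, e.g. both branches of a
    relevance 'if ... then "<PasswordA>" else "<PasswordB>"' expression,
    since only one of them appears in any given client's log.
    Matching is literal and case-sensitive.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for secret in secrets:
            if secret and secret in line:
                hits.append((n, secret))
    return hits


# Matches parameters such as USER_PASSWORD=value or DB_PASS="quoted value",
# so the check works even when the reviewer does not know the secret values.
PASSWORD_PARAM = re.compile(r'(?i)\b\w*PASS(?:WORD)?\w*\s*=\s*("[^"]*"|\S+)')


def find_password_parameters(lines):
    """Return the line numbers on which a PASSWORD-style parameter was logged."""
    return [n for n, line in enumerate(lines, start=1) if PASSWORD_PARAM.search(line)]


if __name__ == "__main__":
    secrets = ["Hunter2x", "OtherPw"]  # constructed placeholder values
    print("default logging leaks:", find_secret_leaks(LOG_ALL, secrets))
    print("command-only logging leaks:", find_secret_leaks(LOG_COMMAND_ONLY, secrets))
    print("password parameters (default):", find_password_parameters(LOG_ALL))
    print("password parameters (command-only):", find_password_parameters(LOG_COMMAND_ONLY))
```

Run it against the actual client log file by reading its lines into the functions; the secret-based scan is the authoritative check, while the parameter-name scan catches parameters you forgot to list.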