
[OSCD Initiative] Develop Responder for Duo Security #857

Closed
yugoslavskiy opened this issue Sep 14, 2020 · 16 comments · Fixed by #991
Labels
category:feature-request Issue is related to a feature request

Comments

@yugoslavskiy
Contributor

Feature description

Responder for Duo Security that would be able to execute the following Response Actions:

  • RA3601: Lock user account
  • RA5601: Unlock locked user account

Describe the solution you'd like

It could be done via Duo Security API using modify-user method:

  • change status to "disabled": Duo will automatically deny access
  • change status to "active": Duo will process the user authentication as usual
yugoslavskiy added the category:feature-request label Sep 14, 2020
@vector-sec

I'll be taking a look at this as a part of OSCD's Sprint 2.

@yugoslavskiy
Contributor Author

Hello @vector-sec! Would you like to do it yourself? I am also interested in this Responder, so we could collaborate on it if you like (: And don't worry if you would like to do it yourself, that's totally fine too (:

@P0nt05

P0nt05 commented Oct 6, 2020

Hello,

@Gyuri1 and I created the responder in order to lock/unlock a user in Duo. Please feel free to test it and send feedback:
https://github.com/P0nt05/CortexResponder_DuoUserAccount

@nadouani
Contributor

nadouani commented Oct 7, 2020

Hello @P0nt05, I took a look at what you implemented. Nice job.

I would just pay attention to the responder naming: I would replace "name": "Duo Security - Lock User Account" with DuoLockUserAccount. That name is used as an internal key in Cortex and TheHive, so we recommend using PascalCase notation :)

I would also use readable config property names like integration_key instead of iKey and secret_key instead of sKey

We also need to improve cortexutils on our side to hide any property including the word key or secret when a job fails and returns its input config (this might leak the keys otherwise)

I'll try to release a new version of https://github.com/TheHive-Project/cortexutils during this second sprint.

@yugoslavskiy
Contributor Author

Hello @P0nt05! Thank you for your contribution (:
Could you please reply to the @nadouani's comments?

@P0nt05

P0nt05 commented Oct 27, 2020

Sorry, I changed the naming immediately after @nadouani's comment, the Responder as well as the property names.
I will change the keys as soon as there is a new version of cortexutils

@yugoslavskiy
Contributor Author

Hello @P0nt05 @nadouani! How about creating a PR for this Responder and proceeding with a discussion there? (:
I believe it will help us a lot to finalize the work on the Responder and include it in the official repository.
We are doing our best to close all the opened OSCD-related PRs and develop a summary of the sprint this year %)

@dadokkio
Contributor

dadokkio commented Jan 8, 2021

Hi @P0nt05, I started to review your code but I have a simple question to begin with.
Why have you created 2 apps for doing very similar operations instead of using a single script with different services?
I tried to refactor your code; this is what I was thinking [one single folder, 2 JSON files for the flavours and a single script with a switch]
(screenshot: Screenshot_20210108_121506)

If you create a pull request I can validate and merge it, or if you want I can push my code and you can give it a try.

@yugoslavskiy
Contributor Author

Hello @P0nt05! Could you please join the discussion (:

@P0nt05

P0nt05 commented Feb 12, 2021

Hi @dadokkio,
great work! The simple reason for the 2 apps is my basic skills 🙃
I like your approach better, so we should change it to your code.

This is my repo:
https://github.com/P0nt05/CortexResponder_DuoUserAccount

@yugoslavskiy thanks for the short reminder!

@yugoslavskiy
Contributor Author

yugoslavskiy commented Feb 12, 2021

Hi @P0nt05!
There is an issue with the API hostname configuration. In your example it is "https://api-x....":

But in that case it will return a socket.gaierror: [Errno -2] Name or service not known error, which is a DNS-related problem.
If we put just api-x... (without https://), it works fine.
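
An added example (not P0nt05's repository code nor the responder that was eventually merged) that pulls together what this thread settles: the modify-user call from the issue description, dadokkio's "one script with a switch" layout for the lock/unlock flavours, and the bare-hostname point from the comment above. It uses only the standard library and signs the request the way the Duo Admin API documents (HMAC-SHA1 over date, method, host, path and encoded params, sent as HTTP Basic ikey:signature) but does not send it; the integration key, secret key, user ID and the service names lock/unlock are constructed placeholders, not values from the page.

```python
# Added example (not the responder's own code): build a signed Duo Admin API
# modify-user request for the lock/unlock flow discussed in the thread,
# without sending it. Stdlib only.
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

# Assumed config values (constructed for illustration; Duo issues real ones).
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

# Responder flavour -> Duo user status. From the issue text: "disabled" makes
# Duo deny access, "active" restores normal authentication. The flavour names
# are an assumption about how a single script with a switch would label them.
SERVICE_STATUS = {"lock": "disabled", "unlock": "active"}


def normalize_host(api_host):
    """Return the bare API hostname Duo's client libraries expect.

    The host is used both for the DNS lookup and inside the signed canonical
    string, so a scheme prefix such as "https://" must not be part of it
    (that is the socket.gaierror symptom reported in the thread).
    """
    host = api_host.strip().lower()
    if "://" in host:
        host = urllib.parse.urlsplit(host).netloc
    host = host.rstrip("/")
    if not host or "/" in host or " " in host:
        raise ValueError("invalid Duo API hostname: %r" % api_host)
    return host


def canonicalize(method, host, path, params, date):
    """Duo API v2 canonical string: date, METHOD, host, path, sorted params."""
    encoded = "&".join(
        "%s=%s" % (urllib.parse.quote(k, "~"), urllib.parse.quote(str(v), "~"))
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, encoded])


def sign(method, host, path, params, ikey, skey, date):
    """HMAC-SHA1 over the canonical string, sent as HTTP Basic ikey:signature."""
    canon = canonicalize(method, host, path, params, date)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(("%s:%s" % (ikey, sig)).encode()).decode()
    return {"Date": date, "Authorization": "Basic " + token}


def parse_authorization(header):
    """Split a Duo Basic Authorization header back into (ikey, signature)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    ikey, _, sig = base64.b64decode(token).decode().partition(":")
    return ikey, sig


def build_status_change(service, user_id, api_host, ikey=IKEY, skey=SKEY, date=None):
    """Return (host, method, path, params, headers) for the lock/unlock action.

    Nothing is sent; a caller would POST params as a form body to
    https://<host><path> with these headers. POST /admin/v1/users/{user_id}
    with a "status" field is the modify-user call named in the issue.
    """
    if service not in SERVICE_STATUS:
        raise ValueError("unknown service %r" % service)
    host = normalize_host(api_host)
    date = date or email.utils.formatdate()  # RFC 2822 date, as Duo expects
    path = "/admin/v1/users/%s" % urllib.parse.quote(user_id, "")
    params = {"status": SERVICE_STATUS[service]}
    headers = sign("POST", host, path, params, ikey, skey, date)
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return host, "POST", path, params, headers


if __name__ == "__main__":
    # Constructed inputs: the "https://" prefix is exactly the misconfiguration
    # from the thread and is stripped before signing or resolving the host.
    for svc in ("lock", "unlock"):
        host, method, path, params, headers = build_status_change(
            svc, "DUXXXXXXXXXXXXXXXXXX", "https://api-x.duosecurity.com")
        print(svc, method, "https://%s%s" % (host, path), params)
```

Because the hostname appears inside the signed string, a wrong host does not only fail DNS: even if it resolved, Duo would reject the signature. Normalizing the configured value once, before both uses, avoids both failure modes.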

@yugoslavskiy
Contributor Author

@P0nt05 could you please create Pull Request so we could modify your code?

@dadokkio
Contributor

Pull done!

@yugoslavskiy
Contributor Author

Hello @P0nt05!
Could you please create Pull Request so we could modify your code and merge it to the master?

yugoslavskiy added a commit to yugoslavskiy/Cortex-Analyzers that referenced this issue Mar 27, 2021
@yugoslavskiy
Contributor Author

Hello @dadokkio!

@P0nt05 confirmed that we can create PR by ourselves, so I did.
Could you please re-create your PR to my fork?
Or maybe I should just add your changes myself?

@dadokkio
Contributor

My pull is here https://github.com/P0nt05/CortexResponder_DuoUserAccount/pull/1/files
You can grab my code without any issue 👍

6 participants