CB Response 6.3.0 Integration Guide

Note:  This document applies to Cb Response versions 6.3.0 and 6.3.1.

This documentation provides information for administrators who are responsible for integrating Cb Response with various other tools. It discusses:

  • Integration with CB Protection (formerly Bit9)
  • Integration with Microsoft Enhanced Mitigation Experience Toolkit (EMET)
  • Supported SAML 2.0 specifications and SAML 2.0 Single Sign-On (SSO) setup. This includes integration with the OKTA, Shibboleth, and ADFS IdPs
  • The Duo plugin, with which you can configure two-factor authentication, and how to download the Duo Mobile application on a mobile device
  • Syslog output for CB Response events
  • CB Response support for Virtual Desktop Infrastructure (VDI) and how to configure your machines to use it

See the Comments below for changes to this version.

Note:  This document is being posted prior to the update of the CB Response Cloud and the release of the CB Response server to version 6.3.0. Please monitor the User eXchange for the official release announcement.

Comments

Changes to the March 2019 6.3.0 version since the latest 6.2 version:

  1. Added a "List of Tasks" section to the document.
  2. In the "Integrating with SSO Identity Providers" chapter, removed an obsolete description of how to set up ADFS and instead pointed to Microsoft's own documentation.
  3. Also in the "Integrating with SSO Identity Providers" chapter, made a minor correction to the example for Okta integration.
  4. In the "Syslog Output for Cb Response Events" chapter, made many updates to reflect the addition of SHA-256 support in CB Response 6.3.0 and in the data it outputs to syslog.
  5. Other minor corrections and improvements were also made.

In the "Integrating with SSO Identity Providers" chapter, consider editing table 5 on page 38 so that the builtin_role is written as: "global_admin"

builtin_roles | Optional | Required to set permissions. A list of roles. Valid roles: "GlobalAdmin". If None, this field is ignored. If an empty list ([]), all roles are removed.

If you notice the example config file on page 41, "global_admin" is displayed correctly. You can verify the proper syntax (if you have SSO enabled) by searching the ../coreservices/debug.log. In the example that I found, you will notice that the name of the role is represented as "Global Admin" but the attribute needs to be written as "global_admin" in the sso_attr.py script or else it isn't recognized:

2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - Authentication Response:
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - Attributes returned in SAML response:
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - first_name: [u'John']
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - last_name: [u'Doe']
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - role: [u'GlobalAdmin']
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - uid: [u'redacted username']
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - email: [u'John.Doe@email.edu']
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - Custom SAML attribute map returned:
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - username: redacted username
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - first_name: John
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - last_name: Doe
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - builtin_roles: ['global_admin']
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - teams: ['Administrators']
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - authorized: True
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - email: John.Doe@email.edu
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - Updating redacted username profile to John, Doe, John.Doe@email.edu

2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - Updating [redacted] to Global Admin role.
2019-03-27 11:02:36 [20510] <debug> cb.flask.blueprints.api_routes_saml - Updating team membership for [redacted] to [{'id': 1, 'name': u'Administrators'}]
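As an added example, not the Cb Response sso_attr.py script itself (whose real interface is not shown on this page), the following hypothetical Python mapper produces the same custom attribute map shape as the log above: it translates the IdP's "GlobalAdmin" role value into the builtin_roles identifier "global_admin" and drops any role name it does not recognise, so a misspelt role never grants permissions. ROLE_MAP, TEAM_MAP, map_saml_attributes and the sample input are assumed/constructed names and values.

```python
# Added example, not the Cb Response sso_attr.py script: a hypothetical mapper
# from the list-valued SAML attributes seen in debug.log to the custom attribute
# map. The IdP role name "GlobalAdmin" becomes the builtin role "global_admin";
# any role name without an entry in ROLE_MAP is dropped rather than passed on.

# Assumed mappings from IdP role names to Cb Response roles and teams.
ROLE_MAP = {"GlobalAdmin": "global_admin"}
TEAM_MAP = {"GlobalAdmin": "Administrators"}


def _first(values):
    """SAML attribute values arrive as lists (e.g. [u'John']); take the first."""
    if isinstance(values, (list, tuple)):
        return values[0] if values else None
    return values


def map_saml_attributes(attrs):
    """Build the custom attribute map from a dict of SAML attributes.

    Only role names present in ROLE_MAP/TEAM_MAP are granted; a misspelt
    value such as "Global Admin" yields no roles and authorized=False.
    """
    roles = attrs.get("role", [])
    if not isinstance(roles, (list, tuple)):
        roles = [roles]
    builtin_roles = sorted({ROLE_MAP[r] for r in roles if r in ROLE_MAP})
    teams = sorted({TEAM_MAP[r] for r in roles if r in TEAM_MAP})
    return {
        "username": _first(attrs.get("uid")),
        "first_name": _first(attrs.get("first_name")),
        "last_name": _first(attrs.get("last_name")),
        "email": _first(attrs.get("email")),
        "builtin_roles": builtin_roles,
        "teams": teams,
        # Assumption: a user is authorized only if some role or team mapped.
        "authorized": bool(builtin_roles or teams),
    }


# Constructed sample input shaped like the "Attributes returned in SAML
# response" lines in the debug.log excerpt above.
SAMPLE_ATTRS = {
    "first_name": ["John"],
    "last_name": ["Doe"],
    "role": ["GlobalAdmin"],
    "uid": ["jdoe"],
    "email": ["John.Doe@email.edu"],
}
```

Calling map_saml_attributes(SAMPLE_ATTRS) yields builtin_roles ['global_admin'] and teams ['Administrators'], matching the "Custom SAML attribute map returned" lines; feeding it a role of "Global Admin" instead yields empty lists and authorized False.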

djay: This will be fixed in the next release.

Article Information
Creation Date: 03-21-2019