
Set a password per script


Hi,

I am evaluating SolidCore App Control.

We create images fully scripted and I would like to know what options I have to set the sadmin password via script/command line or installation. The -z option is only for passing it in once it's already set.

1 Solution

Accepted Solutions

Re: Set a password per script


There seem to be two solutions to the problem:

 

1) Generate the passwd file without sadmin.exe

The syntax of the passwd file is pretty easy. It is:
<username>:<random UUID>!<sha512(<password><random UUID>)>;
The file is stored in UTF-16 without a BOM and terminated with a L'\0'.
The file can only be written if application control is disabled.

 

2) Write a console wrapper to sadmin, e.g. in C++. The wrapper calling sadmin.exe shares the console input buffer with sadmin and can use the Windows API WriteConsoleInput to pass the password over.
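
The passwd file layout from solution 1, as an added example that is not part of the original post and is not McAfee code. It builds the record, encodes it as described, and parses it back so the result can be compared with a file written by sadmin. Assumptions not stated in the thread: the password and UUID are hashed as UTF-8 text, the digest is lowercase hex, and UTF-16 means little-endian; the user name in any test input is constructed.

```python
import hashlib
import hmac
import uuid

# Assumptions (not stated on the page): password + UUID are hashed as UTF-8
# text, the digest is stored as lowercase hex, and the UUID is written in
# canonical 8-4-4-4-12 form. Confirm against a file produced by sadmin.
HASH_INPUT_ENCODING = "utf-8"


def build_record(username: str, password: str, salt: str = "") -> str:
    """Return '<username>:<UUID>!<sha512(password + UUID)>;' as text."""
    if any(c in username for c in ":!;\0"):
        raise ValueError("username contains a record delimiter")
    salt = salt or str(uuid.uuid4())  # fresh random UUID per record
    digest = hashlib.sha512((password + salt).encode(HASH_INPUT_ENCODING)).hexdigest()
    return f"{username}:{salt}!{digest};"


def encode_file(record: str) -> bytes:
    """UTF-16 (little-endian assumed) without a BOM, ending in one L'\\0'."""
    return (record + "\0").encode("utf-16-le")


def parse_file(blob: bytes) -> tuple:
    """Split file bytes into (username, salt, hex digest), rejecting bad layout."""
    if blob[:2] in (b"\xff\xfe", b"\xfe\xff"):
        raise ValueError("unexpected BOM")
    text = blob.decode("utf-16-le")
    if not text.endswith(";\0"):
        raise ValueError("missing ';' or terminating NUL")
    username, colon, rest = text[:-2].partition(":")
    salt, bang, digest = rest.partition("!")
    if not (colon and bang) or len(digest) != 128:
        raise ValueError("malformed record")
    return username, salt, digest


def matches(blob: bytes, password: str) -> bool:
    """True if the password reproduces the digest stored in the file."""
    _, salt, digest = parse_file(blob)
    expected = hashlib.sha512((password + salt).encode(HASH_INPUT_ENCODING)).hexdigest()
    return hmac.compare_digest(expected, digest.lower())
```

Run `matches()` over a passwd file created by sadmin on a reference machine with a known password before trusting the assumed encoding and hex case in an image build.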

 

14 Replies
Reliable Contributor vnaidu
Message 2 of 15

Re: Set a password per script


@mfriedrich

sadmin password -z <password> in a bat file will pass it, but your password will be visible in plain text.

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Venu
McAfee Employee BEllis
Message 3 of 15

Re: Set a password per script


That's how you run it in a bat file.

There is an option if you are running standalone:

From the EPO console, on the policy catalog navigate to Solidcore 6.1.3:General > Configuration (Client) > policyname where you can set or change the password. Once done, do a wakeup agent from the EPO console and check if that works on the client.

I think from the local system you can change the password; instead, you can remove the password and set a new password again.

Command to set password is sadmin passwd

Command to remove the password is sadmin passwd -d

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26727/en_US/...

But if it's managed by EPO then it's best to get your policy before you create your image.

We can change the CLI password from the ePO as follows:
Go to Menu | System tree | assigned policies | select solidcore: application control | General > configuration (client) > CLI settings tab

McAfee Support

Benjamin Ellis


Re: Set a password per script


Hi,

 

I am running standalone.

Re: Set a password per script


I am using 7.0.1 standalone mode on Windows Embedded Standard 7. Version 8 is not available as eval download.

Initially after installation there is no password set, so sadmin passwd -d is of no use.

I tried "sadmin passwd" but it does not accept the new password on the command line or stdin.
The -z argument is only for providing an old password, which is not set, so -z is of no use here.

sadmin password seems not to be a valid command.

Any more ideas? Can the initial password be provided with the SolidCore installer?

Re: Set a password per script


This does not work:

 

C:\Users\Administrator>sadmin password -z 1234
Unknown command. Type "sadmin help" for usage.

McAfee Employee BEllis
Message 7 of 15

Re: Set a password per script


Did you set the password with passwd like above first? If there is no password yet then -z password will not work yet.

McAfee Support

Benjamin Ellis


Re: Set a password per script

I don't want to provide the current password to commands. -z is not for setting passwords, it's for authorization only. I want to set the initial password in a script. This is for automatic unattended image creation from source control in a build farm ("continuous integration / continuous deployment").
McAfee Employee BEllis
Message 9 of 15

Re: Set a password per script


Technically you could sync a machine with epo and copy the passwd file and put it in c:\program files\mcafee\solidcore when integrity is disabled. Then it would have your password from epo at that time.

But other than that you don't have a choice: either use EPO or standalone sadmin passwd as we stated.

As stated before, Passwd -d is to remove the password on standalone CLI when you set with Passwd.

McAfee Support

Benjamin Ellis


McAfee Employee BEllis
Message 10 of 15

Re: Set a password per script


Enable password protection

Restrict users from running critical sadmin commands by enabling password protection.

When password protection is enabled, Application Control allows these critical commands to run only when the user enters the correct password. If you do not need password protection, remove the password, which allows users to run all sadmin commands.

Passwords are encrypted with the SHA2 hashing algorithm. To protect password details, a random number is added to the password before the hash is computed. The SHA512 encryption algorithm, a subset of SHA2, generates a hash of 512 bits, which protects the password from "rainbow table" attacks.

Task

1 Complete these steps to set a new password.

   a Type the sadmin passwd command.

     When you set a password, users can no longer run critical commands without providing the correct password.
     Only a limited set of non-critical commands can run without the password.
     You can use the -z switch to prevent the system from prompting for the password.
     It can be used in all CLI commands.

   b Press Enter.

     • If you already set the password, Application Control prompts you to enter your password. Type the old password and press Enter. You are now asked to set the new password and retype it.
     • If you didn't set the password earlier, Application Control prompts you to enter a new password. Set the new password and retype it.

2 Complete these steps to remove the password.

   a Type the sadmin passwd -d command.

   b Press Enter.

 

https://www.intel.com/content/dam/www/public/us/en/documents/guides/mcafee-application-control-produ... pg.67

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26172/en_US/... - Pg 72 of 7.0 product guide

McAfee Support

Benjamin Ellis
