EDR: Script airgap_feed.py Assumes Default Admin Is Enabled

Article ID: 287674

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The command 'python3 /usr/share/cb/airgap_feed.py import -f /feeddump' produces the error:

      File "/usr/share/cb/virtualenv/lib64/python3.8/site-packages/requests/models.py", line 941, in raise_for_status
        raise HTTPError(http_error_msg, response=self)
      requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: https://127.0.0.1:443/api/v1/feed

Environment

EDR Server: 7.x

Cause

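  • The airgap_feed.py script assumes that the default admin account is enabled. It takes the auth_token of the first global admin by id and does not check whether that account has been disabled:

      cur.execute("select auth_token from cb_user where global_admin is true order by id limit 1;")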

Resolution

  • Adding 'AND deleted is false' to the above line in the airgap_feed.py script makes it use the auth_token of the first enabled global admin:

      cur.execute("select auth_token from cb_user where (global_admin is true AND deleted is false) order by id limit 1;")
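
The two queries above, run side by side against a constructed table, as an added example that is not part of airgap_feed.py or the product. It assumes an in-memory SQLite table standing in for the server's cb_user table with only the four columns the queries reference; the rows, token values and the helper names build_sample_db, select_token and token_or_fail are hypothetical.

```python
import sqlite3

# Queries as they appear in the article (before and after the fix).
ORIGINAL_QUERY = "select auth_token from cb_user where global_admin is true order by id limit 1;"
FIXED_QUERY = ("select auth_token from cb_user where (global_admin is true "
               "AND deleted is false) order by id limit 1;")

# Constructed rows (id, auth_token, global_admin, deleted):
# id 1 is the default admin, now disabled; id 3 is an enabled global admin.
SAMPLE_ROWS = [
    (1, "token-default-admin", True, True),
    (2, "token-analyst", False, False),
    (3, "token-second-admin", True, False),
]


def build_sample_db(rows):
    """Create an in-memory stand-in for cb_user (assumption: SQLite, not the real database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cb_user (id integer primary key, auth_token text, "
                 "global_admin boolean, deleted boolean)")
    conn.executemany("insert into cb_user values (?, ?, ?, ?)", rows)
    return conn


def select_token(conn, query):
    """Run one of the queries and return the token, or None when no row matches."""
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def token_or_fail(conn):
    """Fixed lookup that stops with a clear error instead of calling the API without a token."""
    token = select_token(conn, FIXED_QUERY)
    if token is None:
        raise RuntimeError("no enabled global admin found in cb_user")
    return token


if __name__ == "__main__":
    conn = build_sample_db(SAMPLE_ROWS)
    # The original query returns the disabled default admin's token.
    print("original:", select_token(conn, ORIGINAL_QUERY))
    # The fixed query skips it and returns the next enabled global admin's token.
    print("fixed:   ", select_token(conn, FIXED_QUERY))
```

The fixed query returns no row when every global admin is disabled, which is why the sketch checks for None before the token is used.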

Additional Information

  • CB-??