Syhunt Hybrid: Web UI

The information in this document applies to version 7.1.6 of Syhunt Hybrid.

Table of Contents

Introduction
Enabling the Web User Interface
Password Policy
Configuring User Roles
Exposing the Web UI Securely
Tips
Limitations

Introduction

Starting with version 7.1,6 Syhunt Hybrid comes with a robust web user interface that can be enabled on Windows, Linux or Mac machines. While still evolving, the web UI allows to launch DAST, SAST and MAST scans, view results of scans (including those started through the GUI, CLI, REST API and scheduler if any), generate reports and exports, manage users, user permissions and active sessions, run console commands and more. The web interface and reports are currently available in 8 languages - English, German, Spanish, French, Italian, Japanese, Korean and Portuguese.

The Syhunt Hybrid web interface has been built on top of a robust web server - Openresty (Nginx + Lua), uses Bcrypt with a high factor for password hashing, secure session ID generation and implements login protection against brute force.

Enabling the Web UI

  1. Open the command prompt or terminal and go to the location of the Syhunt CLI - the default location depends on your OS.
    1. On Windows: powershell Start-Process cmd -ArgumentList '/k "cd /d \"%ProgramFiles%\Syhunt Hybrid\""' -Verb runAs
    2. On macOS: cd "/Applications/Syhunt Hybrid/carbon"
    3. On Linux: cd ${HOME}/syhunt-hybrid/carbon/
  2. Setup the key user accounts.
    1. Execute the following command to generate and set the admin password: scancore -pwdgen:admin
    2. Save the generated password; you will need it later to log in.
    3. (Optional) Execute the following command to set additional accounts: scancore -pwdgen:someusername
    4. (Optional) If you want the web UI to use a different language, run the command: scancore -langset:CODE See the available language codes
  3. Run the server:
    1. On Linux or Mac: Run syservicereg, and the web UI service will be installed and started.
    2. On Windows: Restart Windows, and the web UI will launch at startup, or, alternatively, run as Administrator scansched -restart if you don't want to reboot.
  4. Now you can access the web UI and login at: http://127.0.0.1:8017/syhunt/ and also use the Syhunt REST API. Login using:
    1. Username: admin
    2. Password: the password that has been generated.

Additional Steps and Notes

  • On any Linux or Mac, if you plan to perform SAST and MAST, make sure enabled the Hybrid Plus extensions.
  • On Alma Linux: If the web UI service fails to properly start, you may need to permanently disable SELinux: sudo sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && sudo reboot. After that, the web UI service should run as expected.
  • On Windows, once the admin password is set, the web UI is launched each time the Hybrid Scheduler service starts. This ensures that the web UI remains running even if the current user logs out. On Linux, use the Syhunt Web UI service will do the same.

Password Policy

To strengthen security and ensure compliance, Syhunt 7.1 introduces a strict web UI password policy, enforcing the following requirements:

  1. Minimum Password Length
    1. Non-admin accounts: Minimum 16 characters
    2. Admin accounts: Minimum 26 characters
  2. Password Reuse Restrictions
    1. Admin accounts: Cannot reuse the last 24 passwords
    2. Non-admin accounts: Cannot reuse the last 10 passwords
  3. Password Complexity Requirements
    1. Must not include the username or parts of the user's full name
    2. Must contain at least:
      1. One uppercase letter (A-Z)
      2. One lowercase letter (a-z)
      3. One digit (0-9)
      4. One non-alphabetic character (e.g., @, #, $, %)
    3. Must not contain:
      1. Three or more identical consecutive characters (e.g., AAA)
      2. Three consecutive ascending or descending characters (e.g., 123, 321, ABC, CBA)

With these enhanced security measures, Syhunt 7.1 ensures stronger protection against password-related threats while maintaining compliance with industry standards. When setting a new password, the above requirements will be observed. After upgrading, if any of these patterns are found in a previously set password at the moment of login, you will need to reset your password.

To simplify password generation, Syhunt 7.1 adds the -pwdgen:[username] parameter to the scancore command, which generates a password securely, sets it and prints the generated password to the output, but if you prefer to input it manually, you can still use the -pwdset parameter.

Configuring User Roles

When you are logged in as Administrator, you can change the role of any user to Operator, Restricted Operator or Viewer. The following are the existing roles:

  • Administrator - The admin can launch and view results of all launched scans, edit user permissions and preferences and run console commands. Currently, just a single admin account is allowed.
  • Operator - A user with this role can launch and view results of all launched scans.
  • Restricted Operator - A user with this role can launch scans but only view the results of the scans launched by himself.
  • Viewer - A user with this role can view results of all launched scans, but is not able to launch any scans.

Exposing the Web UI Securely

Because the Syhunt web UI server comes pre-configured and gets updated every time Syhunt is upgraded, it is not advised to modify its settings. If you need to expose the web UI to the Internet or Intranet, we recommend setting up a reverse Nginx proxy with SSL enabled. You will need to generate a certificate.crt and a private.key to be used with it - the instructions below assume you already have the certificates ready.

On Windows:

  1. Download Nginx for Windows: http://nginx.org/en/download.html
  2. Apply the Nginx nginx.conf configuration changes described below.

On Linux:

  1. Install Nginx:
    1. On Ubuntu: sudo apt install nginx
    2. On CentOS 7: sudo yum install nginx
    3. On CentOS 8: sudo dnf install nginx
  2. Edit the Nginx configuration file: sudo nano /etc/nginx/nginx.conf
    1. Comment the lines: include /etc/nginx/conf.d/*.conf; and include /etc/nginx/sites-enabled/*;
    2. Within the http section include: 
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate /etc/ssl/certificate.crt;
    ssl_certificate_key /etc/ssl/certificate.key;

    location / {
        return 301 https://$host/syhunt/;
    }

    location /syhunt/ {
        proxy_pass http://127.0.0.1:8017;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
  1. After saving the changes, test the new configuration: nginx -t
  2. Allow traffic from localhost to port 8017 and allow incoming traffic on port 443:
    1. On Ubuntu:
      1. sudo ufw allow from 127.0.0.1 to any port 8017
      2. sudo ufw allow 443
    2. On CentOS:
      1. sudo firewall-cmd --zone=public --add-port=443/tcp
      2. sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port port=8017 protocol=tcp accept'
      3. sudo firewall-cmd --reload
  3. Restart the Nginx server: systemctl restart nginx

Tips

MacOS

If the time shown on the Scan Scheduler screen does not match your operating system's time, run the following command to correct it: sudo /usr/sbin/systemsetup -settimezone "Europe/Lisbon" (replace Europe/Lisbon with your zone)

Limitations

  • On Linux or Mac, code scans launched through the web UI can only target public GIT repositories. If you need to target a private repository, use the scancode CLI command instead to launch the scan after properly configuring your repository credentials or SSH keys. Additionally, direct connection to non-GIT Azure (TFS) repositories are not supported on Linux or Mac machines.

Contact Us

Contact