Bug 1370168
Summary: [RFE] Update foreman-debug to by default not disclose confidential passwords and private keys
Product: Red Hat Satellite
Component: Foreman Debug
Version: 6.2.0
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Preetesh Sharma <prsharma>
Assignee: Lukas Zapletal <lzap>
QA Contact: Ales Dujicek <adujicek>
CC: adujicek, bbuckingham, dlobatog, dmoessne, ehelms, jcallaha, mvanderw, pmoravec
Keywords: FutureFeature, Triaged
Target Milestone: Unspecified
Target Release: Unused
URL: http://projects.theforeman.org/issues/17005
Fixed In Version: foreman-proxy-1.15.4-1
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2018-02-21 12:35:52 UTC
Bug Blocks: 1406384
Description
Preetesh Sharma
2016-08-25 12:33:51 UTC
Thanks for the report, this is a regression from the last time we have reviewed it.

Original report:

Executing a foreman-debug (foreman-debug-1.11.0.51-1.el7sat.noarch) I noticed it captured the following files containing passwords:

  ./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160728-13519-17pu8qt/default_values.yaml
  ./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160816-116632-pc8k5j/default_values.yaml

Sample entry (I have used XXXXXX to mask password):

  "capsule::params::pulp_admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::db_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "foreman_proxy::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXX
  "foreman_proxy::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXX
  "katello::params::oauth_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  "katello::params::post_sync_token": XXXXXXXXXXXXXXXXXXXXXXXXXXX

The following log files captured also contained passwords:

  ./foreman-debug-2nCVG/var/log/foreman-installer/satellite.log
  ./foreman-debug-2nCVG/var/log/foreman-installer/satellite.2.log
  ./foreman-debug-2nCVG/var/log/foreman-installer/satellite.3.log

Sample entry of keystore passwords being captured (I have used XXXXXX to mask password):

  [DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'

The following keystore files were also collected by foreman-debug; the private keystore files are most concerning:

  ./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/prdl110.rtdomau.local.pem
  ./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/ca.pem
  ./foreman-debug-2nCVG/etc/foreman/client_cert.pem
  ./foreman-debug-2nCVG/etc/foreman/client_key.pem
  ./foreman-debug-2nCVG/etc/foreman/proxy_ca.pem
  ./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_ca.pem
  ./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_cert.pem
  ./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_key.pem
  ./foreman-debug-2nCVG/etc/foreman-proxy/ssl_ca.pem
  ./foreman-debug-2nCVG/etc/foreman-proxy/ssl_cert.pem
  ./foreman-debug-2nCVG/etc/foreman-proxy/ssl_key.pem

*** Bug 1247120 has been marked as a duplicate of this bug. ***

Making this BZ public, this was scored as low by the RSRT: https://bugzilla.redhat.com/show_bug.cgi?id=1406384

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17005 has been resolved.

Failed verification. Version tested:

  foreman-1.15.2-1.el7sat.noarch
  foreman-debug-1.15.2-1.el7sat.noarch
  satellite-6.3.0-16.0.beta.el7sat.noarch

Proxy private keys are still stored in the tarball as you can see:

  foreman-debug-gw3Zd/etc/foreman-proxy/foreman_ssl_key.pem
  foreman-debug-gw3Zd/etc/foreman-proxy/ssl_key.pem

Passwords are protected by substituting them with +FILTERED+.

Fixed in redmine http://projects.theforeman.org/issues/20539 . Thanks.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336
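A scrubbing pass of the kind this report asks for, as an added example that is not foreman-debug's own code and not the upstream fix from the Redmine issues above: it walks an already extracted debug tree, deletes any file holding a PEM private key (the `*_key.pem` files the verifier still found), replaces the values of password/secret/token keys in the installer YAML with the `+FILTERED+` marker the thread mentions, and masks `-storepass`/`-srcstorepass` style arguments in installer logs. The list of key-name suffixes, the file-name globs, the sample tree and every value in it are constructed assumptions for illustration, not the real tool's filter list.

```sh
#!/bin/sh
# Added example (not foreman-debug's code): scrub secrets from an extracted
# foreman-debug tree before re-packing it for support.
# ASSUMPTIONS: the tree mirrors the paths in the report; the key-name suffixes
# and file globs below are an illustrative allow-list, not the real tool's.

# Filter stdin to stdout. Rule 1: in YAML-style "key: value" lines whose key
# ends in password/secret/token/consumer_key, replace the value with +FILTERED+.
# Rule 2: mask the argument after -storepass/-srcstorepass/-deststorepass/-keypass
# anywhere on a line (keytool invocations echoed into installer logs).
scrub_secrets() {
  sed -E \
    -e 's/^("?[^"[:space:]]*(password|secret|token|consumer_key)"?[[:space:]]*:[[:space:]]*).*$/\1+FILTERED+/' \
    -e 's/(-(store|srcstore|deststore|key)pass[[:space:]]+)[^[:space:]]+/\1+FILTERED+/g'
}

# Exit 0 if the file contains a PEM private key (PKCS#1, PKCS#8 or EC header).
is_private_key() {
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Walk the tree: delete private keys outright, scrub YAML and log files in
# place (rewritten through a temp file so the original mode is kept).
# One line per action is printed so the operator can audit what changed.
scrub_tree() {
  root="$1"
  find "$root" -type f | while IFS= read -r f; do
    if is_private_key "$f"; then
      rm -f "$f"
      echo "removed private key: ${f#"$root"/}"
      continue
    fi
    case "$f" in
      *.yaml|*.yml|*.log)
        tmp="$f.scrub.$$"
        scrub_secrets < "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
        echo "scrubbed: ${f#"$root"/}"
        ;;
    esac
  done
}

# Constructed miniature of the tree from the report, with fake values, so the
# script can be exercised offline.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/etc/foreman-proxy" \
           "$root/etc/foreman-installer/scenarios.d/d1" \
           "$root/var/log/foreman-installer"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEfake' '-----END RSA PRIVATE KEY-----' \
    > "$root/etc/foreman-proxy/foreman_ssl_key.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIICfake' '-----END CERTIFICATE-----' \
    > "$root/etc/foreman-proxy/foreman_ssl_cert.pem"
  printf '%s\n' \
    '"::foreman::params::db_password": fakedbpass' \
    '"katello::params::oauth_secret": "fakeoauth"' \
    '"katello::params::post_sync_token": faketoken' \
    '"::foreman::params::db_host": localhost' \
    > "$root/etc/foreman-installer/scenarios.d/d1/default_values.yaml"
  printf '%s\n' \
    "[DEBUG 2016-07-28 14:24:13 main] Exec[import keystore](provider=posix): Executing 'keytool -importkeystore -storepass fakestorepw -srcstorepass fakesrcpw -noprompt'" \
    > "$root/var/log/foreman-installer/satellite.log"
}

# Usage: sh scrub_debug.sh /path/to/extracted/foreman-debug-XXXXX
if [ -n "$1" ]; then scrub_tree "$1"; fi
```

Run it on the extracted directory, review the printed actions, then re-create the tarball. Because the key-name list is a fixed allow-list, anything the patterns do not know about (a credential in a free-form log message, a key stored in a non-PEM container such as a `.jks` keystore) survives untouched, so treat this as a last check before upload rather than a substitute for the tool itself not collecting key material.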