Bug 1387772
| Summary: | trace args debug logging must be more restrictive | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Noriko Hosoi <nhosoi> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | unspecified | ||
| Version: | 6.0 | CC: | nhosoi, nkinder, rmeggins, spichugi |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.2.11.15-84.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Directory Server no longer logs sensitive information
Previously, when the "Trace function calls" option was enabled in the "nsslapd-errorlog-level" parameter, Directory Server logged all attributes into the error log file, including attributes containing sensitive information. A patch has been applied to filter out values of sensitive attributes. As a result, Directory Server no longer logs sensitive information.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-21 10:23:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Noriko Hosoi
2016-10-21 20:13:01 UTC
Build tested: 389-ds-base-1.2.11.15-85.el6.x86_64 Verification steps: [1] Set up MMR. [2] Add a user entry, - uid=tuser,dc=example,dc=com [root@qeos-66 dirsrvtests]# ldapsearch -h localhost -p 38941 -D "cn=directory manager" -w password -b "uid=tuser,dc=example,dc=com" dn: uid=tuser,dc=example,dc=com cn: tuser objectClass: inetorgperson objectClass: organizationalPerson objectClass: person objectClass: top sn: tuser mail: tuser uid: tuser userPassword:: e1NTSEF9NXVya1cwcmt4MEliTnBDR0FtVUlGdmMrZnpnakdpdFJOL3dkTlE9PQ= = [3] Enable the trace level error log on both masters. 1 — Trace function calls. Logs a message when the server enters and exits a function. 4 — Heavy trace output debugging. 16384 — default [root@qeos-66 dirsrvtests]# ldapmodify -h localhost -p 38941 -D "cn=directory manager" -w password dn: cn=config changetype: modify replace: nsslapd-errorlog-level nsslapd-errorlog-level: 16389 modifying entry "cn=config" [root@qeos-66 dirsrvtests]# ldapmodify -h localhost -p 38942 -D "cn=directory manager" -w password dn: cn=config changetype: modify replace: nsslapd-errorlog-level nsslapd-errorlog-level: 16389 modifying entry "cn=config" [4] Modify the userPassword of the user entry, uid=tuser,dc=example,dc=com [root@qeos-66 dirsrvtests]# ldapmodify -h localhost -p 38941 -D "cn=directory manager" -w password dn: uid=tuser,dc=example,dc=com changetype: modify delete: userpassword modifying entry "uid=tuser,dc=example,dc=com" dn: uid=tuser,dc=example,dc=com changetype: modify add: userpassword userpassword: newpass modifying entry "uid=tuser,dc=example,dc=com" dn: uid=tuser,dc=example,dc=com changetype: modify replace: userpassword userpassword: newnewpass modifying entry "uid=tuser,dc=example,dc=com" [5] Grep the error log with "unhashed#user#password" as well as the password string. [root@qeos-66 ds]# grep "unhashed#user#password" /var/log/dirsrv/slapd-master_2/errors [06/Dec/2016:12:42:21 -0500] - add: unhashed#user#password [06/Dec/2016:12:42:21 -0500] - add: unhashed#user#password [06/Dec/2016:12:42:21 -0500] - => index_addordel_values_ext_sv( "unhashed#user#password", 12 ) [06/Dec/2016:12:42:26 -0500] - replace: unhashed#user#password [06/Dec/2016:12:42:26 -0500] - replace: unhashed#user#password [06/Dec/2016:12:42:26 -0500] - removing entire attribute unhashed#user#password [06/Dec/2016:12:42:26 -0500] - => index_addordel_values_ext_sv( "unhashed#user#password", 12 ) [06/Dec/2016:12:42:26 -0500] - => index_addordel_values_ext_sv( "unhashed#user#password", 12 ) [root@qeos-66 ds]# grep "unhashed#user#password" /var/log/dirsrv/slapd-master_1/errors [06/Dec/2016:12:42:21 -0500] - add: unhashed#user#password [06/Dec/2016:12:42:21 -0500] - => index_addordel_values_ext_sv( "unhashed#user#password", 12 ) [06/Dec/2016:12:42:26 -0500] - replace: unhashed#user#password [06/Dec/2016:12:42:26 -0500] - removing entire attribute unhashed#user#password [06/Dec/2016:12:42:26 -0500] - => index_addordel_values_ext_sv( "unhashed#user#password", 12 ) [06/Dec/2016:12:42:26 -0500] - => index_addordel_values_ext_sv( "unhashed#user#password", 12 ) ce: unhashed#user#password There is no plain text password. Marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0667.html |