Bug 1617894
| Field | Value |
|---|---|
| Summary | Auth plugins leave passwords in the access log and audit log using REST |
| Product | Red Hat Enterprise Linux 7 |
| Component | pki-core |
| Version | 7.6 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Amol K <akahat> |
| Assignee | Dinesh Prasanth <dmoluguw> |
| QA Contact | Asha Akkiangady <aakkiang> |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| CC | ascheel, cfu, cpelland, dmoluguw, edewata, jmagne, mharmsen, msauton, nkinder |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | TestCaseProvided, ZStream |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | pki-core-10.5.16-2.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| | 1645263 |
| Environment | |
| Last Closed | 2019-08-06 13:07:17 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1645263 |
| Attachments | |

Doc Text:

The Certificate System REST API no longer stores clear text passwords in log files

Previously, the Certificate System REST API did not filter out plain password values. As a consequence, passwords were visible in clear text in log files. With this update, the server replaces password attribute values with "(sensitive)". As a result, clear text passwords are no longer visible in logs.
Description
Amol K
2018-08-16 05:58:22 UTC
Per PKI Team meeting, reassigning to dmoluguw (ascheel to help).

Fixed in PR: https://github.com/dogtagpki/pki/pull/57

Steps to reproduce: as mentioned by the OP.

Fixed output:

```
# grep -ir 'secret.123' /var/log/pki ; echo $?
1
# grep -ir '(sensitive)' /var/log/pki ; echo $?
/var/log/pki/pki-tomcat/ca/signedAudit/ca_audit:0.http-bio-8443-exec-1 - [01/Oct/2018:10:40:03 EDT] [14] [6] [AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;instance+Operation;;OP_ADD+Resource;;plug502+implName;;UidPwdDirAuth+ldap.ldapconn.host;;localhost.localdomain+dnpattern;;uid=caadmin,ou=people+ldapStringAttributes;;mail+ldap.ldapconn.version;;3+ldap.ldapconn.port;;389+ldap.maxConns;;10+ldap.basedn;;dc=ca,dc=pki,dc=example,dc=com+ldap.minConns;;3+ldap.ldapconn.secureConn;;false+ldapByteAttributes;;uid+ldap.password;;(sensitive)+ldap.ldapauth.authtype;;BasicAuth+ldap.ldapauth.bindDN;;cn=Directory Manager] authentication configuration parameter(s) change
/var/log/pki/pki-tomcat/ca/signedAudit/ca_audit:0.http-bio-8443-exec-8 - [01/Oct/2018:10:42:14 EDT] [14] [6] [AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Failure][ParamNameValPairs=Scope;;instance+Operation;;OP_ADD+Resource;;plug502+implName;;UidPwdDirAuth+ldap.ldapconn.host;;localhost.localdomain+dnpattern;;uid=caadmin,ou=people+ldapStringAttributes;;mail+ldap.ldapconn.version;;3+ldap.ldapconn.port;;389+ldap.maxConns;;10+ldap.basedn;;dc=ca,dc=pki,dc=example,dc=com+ldap.minConns;;3+ldap.ldapconn.secureConn;;false+ldapByteAttributes;;uid+ldap.password;;(sensitive)+ldap.ldapauth.authtype;;BasicAuth+ldap.ldapauth.bindDN;;cn=Directory Manager] authentication configuration parameter(s) change
/var/log/pki/pki-tomcat/ca/debug:[01/Oct/2018:10:40:03][http-bio-8443-exec-1]: AdminServlet::service() param name='ldap.password' value='(sensitive)'
/var/log/pki/pki-tomcat/ca/debug:[01/Oct/2018:10:41:25][http-bio-8443-exec-3]: AdminServlet::service() param name='ldap.password' value='(sensitive)'
/var/log/pki/pki-tomcat/ca/debug:[01/Oct/2018:10:41:30][http-bio-8443-exec-6]: AdminServlet::service() param name='ldap.password' value='(sensitive)'
/var/log/pki/pki-tomcat/ca/debug:[01/Oct/2018:10:42:14][http-bio-8443-exec-8]: AdminServlet::service() param name='ldap.password' value='(sensitive)'
/var/log/pki/pki-tomcat/ca/debug:[01/Oct/2018:10:42:22][http-bio-8443-exec-10]: AdminServlet::service() param name='ldap.password' value='(sensitive)'
/var/log/pki/pki-tomcat/ca/debug:[01/Oct/2018:10:42:27][http-bio-8443-exec-18]: AdminServlet::service() param name='ldap.password' value='(sensitive)'
/var/log/pki/pki-tomcat/ca/debug:[01/Oct/2018:10:42:31][http-bio-8443-exec-20]: AdminServlet::service() param name='ldap.password' value='(sensitive)'
0
```

DOGTAG_10_5_BRANCH:

```
commit cc2b50fac7542476aef222ab5f1d49d86e38cba1
Author: Dinesh Prasanth M K <SilleBille.github.com>
Date:   Mon Oct 1 16:25:08 2018 -0400

    Fixes password leak of Auth plugins to Audit Logs (#57)

    * Auth plugin adds `(sensitive)` instead of plain passwords
      to AuditLogs
    * Added generic `isSensitive()` to identify Passwords before logging

    Signed-off-by: Dinesh Prasanth M K <dmoluguw>
```

Created attachment 1579462
Auth plugin add using python

Hi Dinesh, I found some strange behaviour with curl and the Python script.
- If I use a curl request, I didn't see any passwords in the access logs.
- If I use the Python script, I could see the passwords in the access logs.

As per the suggestions from Alex, I'm not able to see the passwords in the access logs with a POST request. Build: 10.5.16-2.el7. Verifying this bugzilla.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228
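The two halves of this bug, redacting password-like parameters before they reach the audit log and then checking the logs for anything that slipped through, as an added Python example. This is not pki-core's code and not the `isSensitive()` from the commit above; the suffix list, the regular expression, the helper names and the sample log lines are all assumptions constructed for illustration. The leak scan is the same idea as the `grep -ir 'secret.123' /var/log/pki` check on this page, and it deliberately covers the access log as well, because application-level redaction only changes what the application writes, not what Tomcat records from the request line.

```python
"""Added example, not pki-core's own code: redact password-like parameters
before they are written to an audit log (the "(sensitive)" substitution this
bug describes) and check log lines for leaked secrets the way the grep
commands on this page do. Suffix list, regex and sample lines are assumptions."""
import re
from typing import Dict, Iterable, List, Tuple

# Parameter-name suffixes treated as sensitive. Assumed policy list;
# pki-core's own isSensitive() may apply different rules.
SENSITIVE_SUFFIXES = ("password", "passwd", "pwd", "pin", "secret", "token")

REDACTED = "(sensitive)"

# Matches the ParamNameValPairs=[...] field of a CS audit event line.
PAIRS_RE = re.compile(r"\[ParamNameValPairs=([^\]]*)\]")


def is_sensitive(name: str) -> bool:
    """True when a parameter name looks like it carries a secret,
    e.g. ldap.password or bindPwd (case-insensitive suffix match)."""
    lowered = name.lower()
    return any(lowered.endswith(suffix) for suffix in SENSITIVE_SUFFIXES)


def redact_params(params: Dict[str, str]) -> Dict[str, str]:
    """Copy of params with every sensitive value replaced by REDACTED."""
    return {k: (REDACTED if is_sensitive(k) else v) for k, v in params.items()}


def format_param_pairs(params: Dict[str, str]) -> str:
    """Serialise params in the name;;value+name;;value layout of the ca_audit
    ParamNameValPairs field, redacting first so the secret never reaches the
    formatted string (and therefore never reaches the log)."""
    return "+".join(f"{k};;{v}" for k, v in redact_params(params).items())


def parse_param_pairs(audit_line: str) -> Dict[str, str]:
    """Parse the ParamNameValPairs field of one audit line back into a dict.
    Caveat: the layout has no escaping, so a value containing '+' or ';;'
    would be split incorrectly; treat such lines as suspicious."""
    match = PAIRS_RE.search(audit_line)
    if not match:
        return {}
    pairs: Dict[str, str] = {}
    for pair in match.group(1).split("+"):
        if ";;" in pair:
            name, value = pair.split(";;", 1)
            pairs[name] = value
    return pairs


def unredacted_sensitive(audit_line: str) -> List[str]:
    """Names of sensitive parameters whose value in the line is not REDACTED."""
    return [name for name, value in parse_param_pairs(audit_line).items()
            if is_sensitive(name) and value != REDACTED]


def find_leaks(log_lines: Iterable[str], secrets: Iterable[str]) -> List[Tuple[int, str]]:
    """Equivalent of `grep -ir '<secret>' <logdir>`: (1-based line number, secret)
    for every line containing a known secret value, case-insensitively. Works on
    any log, including the Tomcat access log, which records the request line
    and is untouched by application-level redaction."""
    wanted = [s.lower() for s in secrets]
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, 1):
        lowered = line.lower()
        for secret in wanted:
            if secret in lowered:
                hits.append((lineno, secret))
    return hits


# Constructed sample lines, shortened from the layout shown on this page.
LEAKY_AUDIT_LINE = (
    "0.http-bio-8443-exec-1 - [01/Oct/2018:10:40:03 EDT] [14] [6] "
    "[AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Success]"
    "[ParamNameValPairs=Scope;;instance+Operation;;OP_ADD+implName;;UidPwdDirAuth"
    "+ldap.password;;secret.123+ldap.ldapauth.bindDN;;cn=Directory Manager]"
    " authentication configuration parameter(s) change"
)
FIXED_AUDIT_LINE = LEAKY_AUDIT_LINE.replace("secret.123", REDACTED)
# Constructed access-log style line; the path is a placeholder, not a real CS URL.
ACCESS_LOG_LINE = ('10.0.0.5 - - [01/Oct/2018:10:40:03 -0400] '
                   '"GET /placeholder/auths?ldap.password=secret.123 HTTP/1.1" 200 1234')

if __name__ == "__main__":
    print(format_param_pairs({"implName": "UidPwdDirAuth", "ldap.password": "secret.123"}))
    print(unredacted_sensitive(LEAKY_AUDIT_LINE), unredacted_sensitive(FIXED_AUDIT_LINE))
    print(find_leaks([LEAKY_AUDIT_LINE, FIXED_AUDIT_LINE, ACCESS_LOG_LINE], ["secret.123"]))
```

The name-based check is a policy decision rather than a guarantee: a suffix list misses a secret stored under a name it does not recognise and can over-match harmless parameters, so the value-based scan in `find_leaks` is the check worth running after any change, with the real test password as input, exactly as the grep on this page does.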