Bug 1785117

Summary: [RFE] Add functionality in foreman logging to hash-out or mark as [FILTERED] the password in /var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log file
Product: Red Hat Satellite
Reporter: Kaushik Sajjan Agarwal <kagarwal>
Component: Installation
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Devendra Singh <desingh>
Severity: medium
Priority: unspecified
Version: 6.6.0
CC: bshahu, egolov, lzap, pmoravec, roarora
Target Milestone: 6.8.0
Keywords: FutureFeature, Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Fixed In Version: foreman-2.0.0-0
Doc Type: If docs needed, set a value
Clones: 1847951
Last Closed: 2020-10-27 12:59:35 UTC
Type: Bug

Description Kaushik Sajjan Agarwal 2019-12-19 08:05:39 UTC
Description of problem:
    -  Satellite log files (/var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log) capture passwords in plain text:

      /var/log/foreman-maintain/foreman-maintain.log
      [33m/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' --user 'candlepin' --password 'XXXXXXXXXXXXXXXXXXX' finished successfully!

      /var/log/foreman-installer/satellite.log
      Example entries:
      [DEBUG 2019-12-15T11:xx:54 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass XXXXXXXXXXXXXXXXXX -alias amqp-client'
      [DEBUG 2019-12-15T11:29:54 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]: 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXX -srcstorepass YYYYYYYYYYYYYYYYY -noprompt && rm /tmp/keystore.p12' won't be executed because of failed check 'unless'
      [DEBUG 2019-12-15T11:29:15 main]    proxy_password = XXXXXXXXXXXXX


Version-Release number of selected component (if applicable): NA


Steps to Reproduce RFE:
1. Checked entries in /var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log

Actual results:

 /var/log/foreman-maintain/foreman-maintain.log
      [33m/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' --user 'candlepin' --password 'XXXXXXXXXXXXXXXXXXX' finished successfully!

      /var/log/foreman-installer/satellite.log
      Example entries:
      [DEBUG 2019-12-15T11:xx:54 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass XXXXXXXXXXXXXXXXXX -alias amqp-client'
      [DEBUG 2019-12-15T11:29:54 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]: 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXX -srcstorepass YYYYYYYYYYYYYYYYY -noprompt && rm /tmp/keystore.p12' won't be executed because of failed check 'unless'
      [DEBUG 2019-12-15T11:29:15 main]    proxy_password = XXXXXXXXXXXXX


Expected results:

Passwords in the log file should not be stored in plain text as it becomes a major security threat.

Comment 4 Bryan Kearney 2019-12-20 11:05:28 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28553 has been resolved.

Comment 5 Pavel Moravec 2019-12-20 22:15:42 UTC
sosreport needs a fix like:

diff --git a/sos/plugins/foreman.py b/sos/plugins/foreman.py
index c1546eae..41f7986a 100644
--- a/sos/plugins/foreman.py
+++ b/sos/plugins/foreman.py
@@ -241,8 +241,8 @@ class Foreman(Plugin):
         return _dbcmd % (self.dbhost, csvformat, quote(query))
 
     def postproc(self):
-        satreg = r"((foreman.*)?(\"::(foreman(.*?)|katello).*)?(::(.*)::.*" \
-              r"(passw|cred|token|secret|key).*(\")?:))(.*)"
+        satreg = r"((foreman.*)?(\"::(foreman(.*?)|katello).*)?((::(.*)::.*" \
+              r"(passw|cred|token|secret|key).*(\")?:)|(storepass )))(.*)"
         self.do_path_regex_sub(
             "/var/log/foreman-installer/sat*",
             satreg,
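Review bot: the new `(storepass )` alternative on the second `+` line catches the keytool lines quoted in the description, but the `proxy_password = XXXXXXXXXXXXX` line quoted there matches neither branch of the group (it has no `::`-qualified key and no `storepass`), so it is worth adding it as a further alternative, e.g. `(proxy_password = )`, in the same change. Also note that the pattern is case-sensitive and the trailing `(.*)` is greedy, so the first hit blanks the rest of the line, including a later `-srcstorepass` and the command tail; that is the safe direction, but a short comment saying so would help the next reader.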
@@ -265,7 +265,7 @@ class Foreman(Plugin):
             r"\1********")
         self.do_path_regex_sub(
             "/var/log/foreman-maintain/foreman-maintain.log*",
-            r"((passw|cred|token|secret)=)(.*)",
+            r"(((passw|cred|token|secret)=)|(password ))(.*)",
             r"\1********")
         self.do_path_regex_sub(
             "/var/log/%s*/foreman-ssl_access_ssl.log*" % self.apachepkg,
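Review bot: the kept `(passw|cred|token|secret)=` branch matches only the literal text `passw=`, not `password=`, so a `--password=value` form in foreman-maintain.log would not be scrubbed; `(passw\w*|cred\w*|token|secret)=` would cover it. The new `(password )` branch fixes the cpdb line from the description, but it is case-sensitive and requires exactly one space; an inline `(?i)` flag and `\s+` instead of the literal space would also cover spacing variants and upper-case `PASSWORD=` style prefixes.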


Will clone BZ to sos and raise upstream PR for it.

Comment 7 Lukas Zapletal 2020-01-07 14:50:50 UTC
If the concern is the installer, then I am changing to it. I think there is some filtering mechanism in KAFO.

Comment 9 Bryan Kearney 2020-01-07 15:07:56 UTC
Upstream bug assigned to lzap

Comment 10 Bryan Kearney 2020-01-07 15:08:02 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28553 has been resolved.

Comment 16 Devendra Singh 2020-06-17 12:48:23 UTC
Build Version: 6.8 Snap4

Verification point:

* Collected the foreman-debug logs
* Checked the satellite.log, foreman-maintain log, and observed all the passwords replaced with FILTERED

Exec[candlepin-generate-ssl-keystore](provider=posix): Executing check 'keytool -list -keystore /etc/candlepin/certs/keystore -storepass +FILTERED+ -alias tomcat | grep $(openssl x509 -noout -fingerprint -in /etc/pki/katello/certs/katello-tomcat.crt | cut -d '=' -f 2)'
[DEBUG 2020-06-15T05:58:39 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/keystore -storepass +FILTERED+ -alias tomcat | grep $(openssl x509 -noout -fingerprint -in /etc/pki/katello/certs/katello-tomcat.crt | cut -d '=' -f 2)'
[DEBUG 2020-06-15T05:58:40 main]  Exec[import CA into Candlepin truststore](provider=posix): Executing check 'keytool -list -keystore /etc/candlepin/certs/keystore -storepass +FILTERED+ -alias candlepin-ca'
satellite.6.log:[DEBUG 2020-06-15T05:58:40 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/keystore -storepass +FILTERED+ -alias candlepin-ca'
Adding relationship from Exec[generate-nss-password+FILTERED+ to File[/etc/pki/katello/nssdb/nss_db_password+FILTERED+ with 'before'
Adding relationship from File[/etc/pki/katello/nssdb/nss_db_password+FILTERED+ to Exec[create-nss-db] with 'before'
/File[/etc/pki/katello/keystore_password+FILTERED+ Found seluser default 'system_u' for /etc/pki/katello/keystore_password+FILTERED+
/File[/etc/pki/katello/keystore_password+FILTERED+ Found selrole default 'object_r' for /etc/pki/katello/keystore_password+FILTERED+
/File[/etc/pki/katello/keystore_password+FILTERED+ Found seltype default 'cert_t' for /etc/pki/katello/keystore_password+FILTERED+
/File[/etc/pki/katello/keystore_password+FILTERED+ Found selrange default 's0' for /etc/pki/katello/keystore_password+FILTERED+
/File[/etc/pki/katello/nssdb/nss_db_password+FILTERED+ Found seluser default 'system_u' for /etc/pki/katello/nssdb/nss_db_password+FILTERED+
/File[/etc/pki/katello/nssdb/nss_db_password+FILTERED+ Found selrole default 'object_r' for /etc/pki/katello/nssdb/nss_db_password+FILTERED+
/File[/etc/pki/katello/nssdb/nss_db_password+FILTERED+ Found seltype default 'cert_t' for /etc/pki/katello/nssdb/nss_db_password+FILTERED+
/File[/etc/pki/katello/nssdb/nss_db_password+FILTERED+ Found selrange default 's0' for /etc/pki/katello/nssdb/nss_db_password+FILTERE

foreman-maintain.log

s::Katello::Host::HypervisorsUpdate','Actions::Foreman::Host::ImportFacts','Actions::Candlepin::ListenOnCandlepinEvents','Actions::Katello::EventQueue::Monitor')\n) TO STDOUT WITH CSV HEADER"
DEBUG -- : Running command PGPASSWORD=+FILTERED+ psql -h localhost  -p 5432 -U foreman -d foreman with stdin "SELECT 1 as ping"
DEBUG -- : Running command PGPASSWORD=+FILTERED+ psql -h localhost  -p 5432 -U foreman -d foreman with stdin "COPY (     SELECT count(*) AS count FROM foreman_tasks_tasks WHERE foreman_tasks_tasks.state = 'planning' AND foreman_tasks_tasks.label IN ('Actions::Katello::Host::GenerateApplicability','Actions::Katello::RepositorySet::ScanCdn','Actions::Katello::Host::Hypervisors','Actions::Katello::Host::HypervisorsUpdate','Actions::Foreman::Host::ImportFacts','Actions::Candlepin::ListenOnCandlepinEvents','Actions::Katello::EventQueue::Monitor')\n) TO STDOUT WITH CSV HEADER"
DEBUG -- : Running command PGPASSWORD=+FILTERED+ psql -h localhost  -p 5432 -U foreman -d foreman with stdin "SELECT 1 as ping"
DEBUG -- : Running command PGPASSWORD=+FILTERED+ psql -h localhost  -p 5432 -U foreman -d foreman with stdin "COPY (          SELECT DISTINCT first.filter_id,\n

Comment 18 Pavel Moravec 2020-06-17 13:26:50 UTC
I can confirm that sos-3.9-2 (a candidate build for RHEL7.9) will scrub the passwords the same way:

# grep password /var/tmp/sosreport-pmoravec-sat66-on-rhev-2020-06-17-kjrzxin/var/log/foreman-maintain/foreman-maintain.log
--driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.2.2.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-update.xml --url=jdbc:postgresql://localhost/candlepin --username=$DBUSERNAME --password=$DBPASSWORD --logLevel=severe
/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' --user 'candlepin' --password ********
Installing             Done                                               [100%] [...........................................................................................................]
--driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.2.2.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-validate.xml --url=jdbc:postgresql://localhost:5432/candlepin --username=$DBUSERNAME --password=$DBPASSWORD --logLevel=debug
--driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.2.2.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-update.xml --url=jdbc:postgresql://localhost/candlepin --username=$DBUSERNAME --password=$DBPASSWORD --logLevel=severe
/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' --user 'candlepin' --password ********
Installing             Done                                               [100%] [...........................................................................................................]
--driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.2.2.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-validate.xml --url=jdbc:postgresql://localhost:5432/candlepin --username=$DBUSERNAME --password=$DBPASSWORD --logLevel=debug
--driver=org.postgresql.Driver --classpath=/var/lib/tomcat/webapps/candlepin/WEB-INF/lib/postgresql-42.2.2.jar:/var/lib/tomcat/webapps/candlepin/WEB-INF/classes/ --changeLogFile=db/changelog/changelog-update.xml --url=jdbc:postgresql://localhost/candlepin --username=$DBUSERNAME --password=$DBPASSWORD --logLevel=severe
/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' --user 'candlepin' --password ********
#

and:

# grep storepass /var/tmp/sosreport-pmoravec-sat66-on-rhev-2020-06-17-kjrzxin/var/log/foreman-installer/satellite.log
[DEBUG 2020-06-17T12:23:20 main]  Exec[import CA into Candlepin truststore](provider=posix): Executing check 'keytool -list -keystore /etc/candlepin/certs/keystore -storepass  ********
[DEBUG 2020-06-17T12:23:20 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/keystore -storepass  ********
[DEBUG 2020-06-17T12:23:20 main]  /Stage[main]/Certs::Candlepin/Exec[import CA into Candlepin truststore]: 'keytool -import -trustcacerts -v -keystore /etc/candlepin/certs/keystore -storepass  ********
[DEBUG 2020-06-17T12:23:20 main]  Exec[import CA into Candlepin AMQP truststore](provider=posix): Executing check 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.truststore -storepass  ********
[DEBUG 2020-06-17T12:23:20 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.truststore -storepass  ********
[DEBUG 2020-06-17T12:23:20 main]  /Stage[main]/Certs::Candlepin/Exec[import CA into Candlepin AMQP truststore]: 'keytool -import -v -keystore /etc/candlepin/certs/amqp/candlepin.truststore -storepass  ********
[DEBUG 2020-06-17T12:23:20 main]  Exec[import client certificate into Candlepin keystore](provider=posix): Executing check 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass  ********
[DEBUG 2020-06-17T12:23:20 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass  ********
[DEBUG 2020-06-17T12:23:21 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]: 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass  ********
#

Comment 19 Pavel Moravec 2020-07-03 12:51:43 UTC
Hello,
in the cloned BZ 1785813 we have just figured out that the RHEL7.9 candidate build does not obfuscate:

[DEBUG 2019-12-15T11:29:15 main]    proxy_password = XXXXXXXXXXXXX

in the /var/log/foreman-installer/satellite* logfiles.

These lines appear in the output of the "subscription-manager config" command.

We should fix it, for sure. But the same password (the rhsm proxy password) was just identified as not obfuscated when collecting /etc/rhsm/rhsm.conf.

Is it sufficient to:
- raise a new BZ to add obfuscation of both places of the proxy_password (such a fix will go to RHEL8.4 only)
- mark this and the cloned 1785813 as verified (despite skipping the fix for the one string type)?
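As an added check for the sos scrubbing discussed in comment 5 and the gap reported in comment 19, the following example (written for this page; it is not sos or foreman-maintain code) replays the two post-processing regexes from the comment 5 patch over the log lines quoted in the description and lists which placeholder secrets survive. Only the regexes and the replacement string are taken from the patch; the rule table, the glob matcher, the sample lines and the leak check are this example's own assumptions.

```python
"""Replay the sos foreman-plugin scrub rules from comment 5 over the log lines
quoted in this bug and report which placeholder secrets survive scrubbing.

The two regexes and the replacement are copied from the patch in comment 5.
The rule table, the glob matcher and the leak check are example code written
for this page, not part of sos or foreman-maintain.
"""
import fnmatch
import re

# (path glob, regex, replacement) -- mirrors the do_path_regex_sub() calls
SCRUB_RULES = [
    (
        "/var/log/foreman-installer/sat*",
        r"((foreman.*)?(\"::(foreman(.*?)|katello).*)?((::(.*)::.*"
        r"(passw|cred|token|secret|key).*(\")?:)|(storepass )))(.*)",
        r"\1********",
    ),
    (
        "/var/log/foreman-maintain/foreman-maintain.log*",
        r"(((passw|cred|token|secret)=)|(password ))(.*)",
        r"\1********",
    ),
]

# Sample lines taken from the description of this bug; the runs of X and Y are
# the reporter's placeholders standing in for the real secret values.
INSTALLER_LOG = "/var/log/foreman-installer/satellite.log"
INSTALLER_LINES = [
    "[DEBUG 2019-12-15T11:xx:54 main]  Executing: 'keytool -list -keystore "
    "/etc/candlepin/certs/amqp/candlepin.jks -storepass XXXXXXXXXXXXXXXXXX "
    "-alias amqp-client'",
    "[DEBUG 2019-12-15T11:29:54 main]  /Stage[main]/Certs::Candlepin/Exec[import "
    "client certificate into Candlepin keystore]: 'openssl pkcs12 -export -name "
    "amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey "
    "/etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout "
    "file:/etc/pki/katello/keystore_password-file && keytool -importkeystore "
    "-destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore "
    "/tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass "
    "XXXXXXXXXXXXXXXX -srcstorepass YYYYYYYYYYYYYYYYY -noprompt && "
    "rm /tmp/keystore.p12' won't be executed because of failed check 'unless'",
    "[DEBUG 2019-12-15T11:29:15 main]    proxy_password = XXXXXXXXXXXXX",
]
MAINTAIN_LOG = "/var/log/foreman-maintain/foreman-maintain.log"
MAINTAIN_LINES = [
    # the leading "[33m" colour-code residue from the report is dropped here
    "/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' "
    "--user 'candlepin' --password 'XXXXXXXXXXXXXXXXXXX' finished successfully!",
]

# Substrings of every placeholder run above; a scrubbed line must not keep them.
PLACEHOLDER_SECRETS = ("XXXXXXXXXXXXX", "YYYYYYYYYYYYY")


def scrub_line(path, line):
    """Apply every rule whose path glob matches `path` to one log line."""
    for glob, regex, repl in SCRUB_RULES:
        if fnmatch.fnmatch(path, glob):
            line = re.sub(regex, repl, line)
    return line


def leaked_lines(path, lines, secrets=PLACEHOLDER_SECRETS):
    """Scrub `lines` as the rules would for `path` and return those in which
    a known secret value is still present: the check to run before trusting
    a scrub rule on a new log format."""
    scrubbed = (scrub_line(path, line) for line in lines)
    return [line for line in scrubbed if any(s in line for s in secrets)]


if __name__ == "__main__":
    for path, lines in ((INSTALLER_LOG, INSTALLER_LINES),
                        (MAINTAIN_LOG, MAINTAIN_LINES)):
        print("==", path)
        for line in lines:
            print(scrub_line(path, line))
        for line in leaked_lines(path, lines):
            print("UNSCRUBBED:", line)
```

Run as a script, it prints the scrubbed form of each line and flags the `proxy_password = …` line as unscrubbed, which is the gap comment 19 reports. It also makes visible that the greedy trailing `(.*)` removes everything after the first hit, so the `-srcstorepass` value and the rest of the command disappear together with the `-storepass` value.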

Comment 22 errata-xmlrpc 2020-10-27 12:59:35 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366

Comment 23 Red Hat Bugzilla 2023-09-18 00:19:25 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days