Bug 830256

Summary: Audit log - clear text password in user changes
Product: Red Hat Enterprise Linux 6
Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Docs Contact:
Priority: high
Version: 6.4
CC: amsharma, ckannan, jgalipea, jwest, shaines, sramling
Target Milestone: rc
Keywords: Security, SecurityTracking, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
Cause: Enabling audit logging and performing a password change operation using the clear text password.
Consequence: The clear text password is logged in the audit log in the unhashed#user#password attribute.
Fix: Added a nsslapd-audit-logging-hide-unhashed-pw configuration attribute. If this attribute is "on", the clear text password is logged; otherwise, it is not. The default is "off": do not log the password.
Result: By default, no clear text password is logged. Users can choose to log it and take appropriate security measures.
Story Points: ---
Clone Of:
: 830319
Environment:
Last Closed: 2013-02-21 03:17:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 830319, 830889, 833482

Description Noriko Hosoi 2012-06-08 12:27:01 EDT
This bug is created as a clone of upstream ticket:

I have a 389 DS (version  with AD replication and I enabled
the audit log, but when I change a user password, it shows the unhashed
password in the audit log file:

> time: 20120404113336
> dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
> -
> replace: modifiersname
> modifiersname: 
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
>  t
> -
> replace: modifytimestamp
> modifytimestamp: 20120404143336Z
> -
> replace: unhashed#user#password
> unhashed#user#password: maisumteste
> -
I already know that this is the expected behavior. Is there any way to disable it?

Because I need the audit log but I don't want the user's password to show up in the log file.
Comment 5 Amita Sharma 2012-06-12 09:08:09 EDT
[root@dhcp201-194 6.0]# rpm -qa | grep 389

quickinstall startup    100% (2/2)
Basic run               100% (49/49)
QuickUninstall cleanup  100% (1/1)
Comment 6 Vincent Danen 2012-06-19 11:08:01 EDT
This issue has been given the name CVE-2012-2746 and is being handled as a security flaw (see bug #833482).
Comment 7 Jenny Galipeau 2012-11-19 12:53:38 EST
This bug was verified with the RHEL 6.3 branch, but not yet with the RHEL 6.4 branch, setting it back to ON_QA
Comment 8 Sankar Ramalingam 2012-11-19 21:00:53 EST
RHEL64 official acceptance tests for basic tests is 100% PASS. Hence marking the bug as Verified.

############## Result  for  backend test :   Basic run
    Basic run elapse time : 00:04:06
    Basic run Tests PASS      : 100% (55/55)
add an user uid=u365
adding new entry uid=u365,o=airius.com

adding an entry u365: OK
modifying entry uid=u365,o=airius.com

replacing userpassword of an entry u365: OK
check audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit
grep u365 /var/log/dirsrv/slapd-dell-pe2800-01/audit
dn: uid=u365,o=airius.com
uid: u365
dn: uid=u365,o=airius.com
dn: uid=u365,o=airius.com
Found u365 in /var/log/dirsrv/slapd-dell-pe2800-01/audit
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include unhashed#user#password
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include clear password: newtuser0
disabling audig log
modifying entry cn=config

disabling audig log: OK
TestCase [trac365] result-> [PASS]
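Added example (not code from this bug or from 389-ds-base): a small Python checker for the leak described in the Doc Text and verified in Comment 8. It parses the LDIF-style audit records in the format quoted in the description, reports which changes logged unhashed#user#password without echoing the value, and produces a redacted copy for audit logs written before the fix was deployed. The sample log below is constructed from the record quoted in the description.

```python
# Constructed sample in the format quoted in the description above: LDIF-style
# records separated by a blank line, long values continued on a ' '-led line.
SAMPLE_AUDIT_LOG = """\
time: 20120404113336
dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
-
replace: unhashed#user#password
unhashed#user#password: maisumteste
-
"""
LEAK_ATTR = "unhashed#user#password"

def parse_records(text):
    """Records as lists of (attribute, value); LDIF continuation lines joined."""
    records, current = [], []
    for line in text.splitlines() + [""]:      # sentinel flushes the last record
        if line.startswith(" ") and current:   # continuation of previous value
            current[-1] = (current[-1][0], current[-1][1] + line[1:])
        elif line == "":                       # blank line ends a record
            if current:
                records.append(current)
            current = []
        elif ":" in line:                      # skips the '-' mod separators
            attr, val = line.split(":", 1)
            current.append((attr.strip(), val.strip()))
    return records

def find_leaks(text):
    """(time, dn) of each record that logged the clear-text password; the
    value itself is deliberately not copied into the result."""
    leaks = []
    for rec in parse_records(text):
        fields = {attr.lower(): val for attr, val in rec}
        if LEAK_ATTR in fields:
            leaks.append((fields.get("time", "?"), fields.get("dn", "?")))
    return leaks

def redact(text):
    """Copy of the log with every unhashed#user#password value (and its
    continuation lines) replaced, for sanitising logs written before the fix."""
    out, in_leak = [], False
    for line in text.splitlines():
        if in_leak and line.startswith(" "):   # drop continued part of the secret
            continue
        in_leak = line.split(":", 1)[0].strip().lower() == LEAK_ATTR
        out.append(LEAK_ATTR + ": ***REDACTED***" if in_leak else line)
    return "\n".join(out) + "\n"
```

Matching on the attribute name rather than the value means base64-encoded (`::`) values are caught as well, while the `replace: unhashed#user#password` line is left intact so the record still shows which attribute was modified.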
Comment 10 errata-xmlrpc 2013-02-21 03:17:18 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.