Bug 830256

Summary: Audit log - clear text password in user changes
Product: Red Hat Enterprise Linux 6
Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Priority: high
Version: 6.4
CC: amsharma, ckannan, jgalipea, jwest, shaines, sramling
Target Milestone: rc
Keywords: Security, SecurityTracking, ZStream
Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Audit logging is enabled and a password change is performed with a clear-text password. Consequence: The clear-text password is written to the audit log as the value of the unhashed#user#password attribute. Fix: A new cn=config attribute, nsslapd-auditlog-logging-hide-unhashed-pw, controls whether that attribute is written. When it is "on" (the default) the clear-text password is omitted from the audit log; when it is "off" the password is logged as before. Result: By default no clear-text password reaches the audit log. An administrator who needs the value logged can set the attribute to "off" and must then protect the audit log accordingly.
Last Closed: 2013-02-21 08:17:18 UTC
Bug Blocks: 830319, 830889, 833482

Description Noriko Hosoi 2012-06-08 16:27:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/365

I have a 389 DS (version 1.2.10.4) with AD replication and I enabled
the audit log, but when I change a user password, it shows the unhashed
password in the audit log file:

> time: 20120404113336
> dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
> -
> replace: modifiersname
> modifiersname: 
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
>  t
> -
> replace: modifytimestamp
> modifytimestamp: 20120404143336Z
> -
> replace: unhashed#user#password
> unhashed#user#password: maisumteste
> -
>
I already know that this is the expected behavior. Is there any way to disable it?

Because I need the audit log but I don't want the user's password to show up in the log file.

Comment 5 Amita Sharma 2012-06-12 13:08:09 UTC
[root@dhcp201-194 6.0]# rpm -qa | grep 389
389-ds-base-1.2.10.2-17.el6_3.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.14-1.el6.x86_64
389-ds-base-debuginfo-1.2.10.2-17.el6_3.x86_64
389-admin-1.1.25-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-debuginfo-1.1.25-1.el6.x86_64
389-ds-base-libs-1.2.10.2-17.el6_3.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-devel-1.2.10.2-17.el6_3.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.14-1.el6.x86_64

quickinstall startup     100% (2/2)
Basic run                100% (49/49)
QuickUninstall cleanup   100% (1/1)

Comment 6 Vincent Danen 2012-06-19 15:08:01 UTC
This issue has been given the name CVE-2012-2746 and is being handled as a security flaw (see bug #833482).

Comment 7 Jenny Severance 2012-11-19 17:53:38 UTC
This bug was verified with the RHEL 6.3 branch, but not yet with the RHEL 6.4 branch, setting it back to ON_QA

Comment 8 Sankar Ramalingam 2012-11-20 02:00:53 UTC
RHEL 6.4 official acceptance tests (basic tests) are 100% PASS. Hence marking the bug as Verified.

############## Result  for  backend test :   Basic run
    Basic run elapse time : 00:04:06
    Basic run Tests PASS      : 100% (55/55)
-----------------------------------------------
add an user uid=u365
adding new entry uid=u365,o=airius.com

adding an entry u365: OK
modifying entry uid=u365,o=airius.com

replacing userpassword of an entry u365: OK
check audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit
grep u365 /var/log/dirsrv/slapd-dell-pe2800-01/audit
dn: uid=u365,o=airius.com
uid: u365
dn: uid=u365,o=airius.com
dn: uid=u365,o=airius.com
Found u365 in /var/log/dirsrv/slapd-dell-pe2800-01/audit
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include unhashed#user#password
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include clear password: newtuser0
disabling audit log
modifying entry cn=config

disabling audit log: OK
TestCase [trac365] result-> [PASS]
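The check QE ran by hand in Comment 8 (grep the audit log for unhashed#user#password and for the known clear password), as an added example written for this page; it is not code from 389-ds-base or from anyone in the thread. It parses audit log records instead of grepping lines, so it also catches the two cases a line grep misses: a value folded across LDIF continuation lines (the modifiersname value in the original report is folded that way), and a value the LDIF writer base64-encoded as `attr:: ...` because it starts or ends with a space or contains non-ASCII bytes, which is exactly how a clear-text password would slip past `grep newtuser0`. The sample log is constructed (its first record is shaped like the one in the report); the `redact()` helper is for audit logs written before the fixed build was deployed, which still carry the passwords on disk.

```python
"""Scan a 389 Directory Server audit log for leaked clear-text passwords.

Added example for this bug page, not code from 389-ds-base. It does what
QE did by hand in Comment 8 but parses LDIF records, so folded values and
base64-encoded values ("attr:: ...") are handled as well as plain ones.
The audit log text below is constructed for the example.
"""
import base64
import re

# Attribute names (lower-cased) whose values are clear-text passwords.
LEAK_ATTRS = {"unhashed#user#password"}

# "attr: value" or "attr:: base64value"; "-" separators and blank lines do not match.
_ATTR_LINE = re.compile(r"^([^:\s]+)(::?) ?(.*)$")

# Constructed sample: record 1 mirrors the one in the bug report, record 2 has a
# base64-encoded clear-text value (" space first"), record 3 is what a record
# looks like on the fixed build, with no unhashed attribute at all.
SAMPLE_AUDIT_LOG = """\
time: 20120404113336
dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
changetype: modify
replace: userPassword
userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
-
replace: modifiersname
modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
-
replace: unhashed#user#password
unhashed#user#password: maisumteste
-

time: 20120404113400
dn: uid=u365,o=airius.com
changetype: modify
replace: userPassword
userPassword: {SSHA}constructedHashValueForTheExample==
-
replace: unhashed#user#password
unhashed#user#password:: IHNwYWNlIGZpcnN0
-

time: 20120404113500
dn: uid=u366,o=airius.com
changetype: modify
replace: userPassword
userPassword: {SSHA}constructedHashValueForTheExample==
-
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_audit_records(text):
    """Split the log into blank-line separated records of (attr, value) pairs.

    Attribute names are lower-cased and base64 values are decoded, so a
    password that the LDIF writer encoded is compared in the clear.
    """
    records, current = [], []
    for line in unfold(text):
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        m = _ATTR_LINE.match(line)
        if not m:  # "-" separator between modifications
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.append((attr, value))
    if current:
        records.append(current)
    return records


def find_password_leaks(text, leak_attrs=LEAK_ATTRS):
    """Return one dict per record that carries a clear-text password attribute."""
    leaks = []
    for rec in parse_audit_records(text):
        leaked = [v for a, v in rec if a in leak_attrs]
        if leaked:
            fields = dict(rec)  # time and dn occur once per record, so dict() is safe for them
            leaks.append({"time": fields.get("time"), "dn": fields.get("dn"), "values": leaked})
    return leaks


def redact(text, leak_attrs=LEAK_ATTRS):
    """Return a copy of the log with clear-text password values replaced.

    The rest of each record (hash, DN, modifier, timestamp) is kept so the
    log stays usable for auditing; folded continuation lines of a redacted
    value are dropped too, so no fragment of the password survives.
    """
    out, dropping_continuation = [], False
    for raw in text.splitlines():
        if raw.startswith(" ") and dropping_continuation:
            continue
        dropping_continuation = False
        m = _ATTR_LINE.match(raw)
        if m and m.group(1).lower() in leak_attrs:
            out.append(f"{m.group(1)}: <redacted>")
            dropping_continuation = True
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for leak in find_password_leaks(SAMPLE_AUDIT_LOG):
        print(f"{leak['time']} {leak['dn']}: clear-text password logged: {leak['values']}")
```

Run it against the instance's audit log (the page's path pattern is /var/log/dirsrv/slapd-<instance>/audit). On the fixed build new records carry no unhashed#user#password attribute by default, so the scan matters for files written before the update and for every copy of them (rotated logs, backups, log shipping), which the server-side fix does not touch.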

Comment 10 errata-xmlrpc 2013-02-21 08:17:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html