Bug 830256
| Field | Value |
|---|---|
| Summary | Audit log - clear text password in user changes |
| Product | Red Hat Enterprise Linux 6 |
| Component | 389-ds-base |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 6.4 |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | 389-ds-base-1.2.11.12-1.el6 |
| Doc Type | Bug Fix |
| Reporter | Noriko Hosoi <nhosoi> |
| Assignee | Rich Megginson <rmeggins> |
| QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| Docs Contact | |
| CC | amsharma, ckannan, jgalipea, jwest, shaines, sramling |
| Keywords | Security, SecurityTracking, ZStream |
| Story Points | --- |
| Clone Of | |
| | 830319 (view as bug list) |
| Environment | |
| Last Closed | 2013-02-21 08:17:18 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 830319, 830889, 833482 |

Doc Text:

Cause: Enabling audit logging and performing a password change operation using the clear text password.

Consequence: The clear text password is logged in the audit log in the unhashed#user#password attribute.

Fix: Added a nsslapd-audit-logging-hide-unhashed-pw configuration attribute. If this attribute is "on", the clear text password is logged, otherwise, it is not. The default is "off" - do not log the password.

Result: By default, no clear text password is logged. Users can choose to log it and take appropriate security measures.
Description
Noriko Hosoi
2012-06-08 16:27:01 UTC
```
[root@dhcp201-194 6.0]# rpm -qa | grep 389
389-ds-base-1.2.10.2-17.el6_3.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.14-1.el6.x86_64
389-ds-base-debuginfo-1.2.10.2-17.el6_3.x86_64
389-admin-1.1.25-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-debuginfo-1.1.25-1.el6.x86_64
389-ds-base-libs-1.2.10.2-17.el6_3.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-devel-1.2.10.2-17.el6_3.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.14-1.el6.x86_64

quickinstall startup 100% (2/2)
Basic run 100% (49/49)
QuickUninstall cleanup 100% (1/1)
```

This issue has been given the name CVE-2012-2746 and is being handled as a security flaw (see bug #833482).

This bug was verified with the RHEL 6.3 branch, but not yet with the RHEL 6.4 branch, setting it back to ON_QA.

RHEL64 official acceptance tests for basic tests are 100% PASS. Hence marking the bug as Verified.

```
############## Result for backend test : Basic run
Basic run elapse time : 00:04:06
Basic run Tests PASS : 100% (55/55)
-----------------------------------------------
add an user uid=u365
adding new entry uid=u365,o=airius.com
adding an entry u365: OK
modifying entry uid=u365,o=airius.com
replacing userpassword of an entry u365: OK
check audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit
grep u365 /var/log/dirsrv/slapd-dell-pe2800-01/audit
dn: uid=u365,o=airius.com
uid: u365
dn: uid=u365,o=airius.com
dn: uid=u365,o=airius.com
Found u365 in /var/log/dirsrv/slapd-dell-pe2800-01/audit
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include unhashed#user#password
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include clear password: newtuser0
disabling audig log
modifying entry cn=config
disabling audig log: OK
TestCase [trac365] result-> [PASS]
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html
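The Doc Text above names the attribute (unhashed#user#password) that an affected audit log writes out in clear text, and the verification transcript checks for it with grep. The script below is an added example, not code from this bug report or from 389-ds-base: it performs the same check programmatically, parsing the LDIF-style audit records, reporting which DNs carry the clear-text attribute without ever returning its value, and optionally redacting the value so a log can be shared with support or stored long-term. The sample log is constructed here, its layout (a `time:` line, `dn:`, `changetype:`, modifications separated by `-`, records separated by a blank line) is an approximation of the 389-ds audit format, and the function names are my own.

```python
"""Scan a 389-ds style audit log for the clear-text password attribute
that CVE-2012-2746 caused to be logged, and redact it if found."""
import re
from typing import Dict, List, Tuple

# Attribute name taken from the bug's Doc Text.
LEAK_ATTR = "unhashed#user#password"

# Constructed sample (assumption: approximates the 389-ds audit-log layout).
# The second record models the password change from the verification run;
# "newtuser0" is the sample clear-text value, as in the transcript.
SAMPLE_AUDIT_LOG = """\
time: 20120608162701
dn: uid=u365,o=airius.com
changetype: add
uid: u365
userPassword: {SSHA}c29tZWhhc2g=

time: 20120608162702
dn: uid=u365,o=airius.com
changetype: modify
replace: userPassword
userPassword: {SSHA}YW5vdGhlcmhhc2g=
-
replace: unhashed#user#password
unhashed#user#password: newtuser0
-
replace: modifiersname
modifiersname: cn=directory manager
-

time: 20120608162703
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: off
-
"""

# LDIF modification markers; these name an operation, not an attribute.
MOD_MARKERS = ("add", "replace", "delete")


def parse_entries(text: str) -> List[Dict]:
    """Split the log into blank-line separated records and collect, per
    record, the target dn, the changetype and the set of attribute names
    that appear in it. Attribute values are not kept."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"dn": None, "changetype": None, "attrs": set()}
        for line in block.splitlines():
            if line == "-" or not line.strip():
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            name, value = name.strip(), value.strip()
            if name == "dn":
                rec["dn"] = value
            elif name == "changetype":
                rec["changetype"] = value
            elif name in MOD_MARKERS:
                continue
            else:
                rec["attrs"].add(name)
        entries.append(rec)
    return entries


def find_password_leaks(text: str) -> List[Tuple[str, str]]:
    """Return (dn, changetype) for every record carrying the clear-text
    attribute. Only the presence is reported, never the value."""
    return [(e["dn"], e["changetype"])
            for e in parse_entries(text) if LEAK_ATTR in e["attrs"]]


def redact(text: str) -> str:
    """Replace the value of the leaked attribute with a fixed marker so the
    rest of the audit trail stays intact and reviewable."""
    pattern = re.compile(r"^(" + re.escape(LEAK_ATTR) + r":)\s*.*$", re.MULTILINE)
    return pattern.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    for dn, changetype in find_password_leaks(SAMPLE_AUDIT_LOG):
        print(f"clear-text password attribute found: dn={dn} changetype={changetype}")
    print(redact(SAMPLE_AUDIT_LOG))
```

To check a real server, feed it the contents of the audit log path shown in the transcript (e.g. `find_password_leaks(open(path).read())`); any hit on a server that predates the fixed version listed above means the file holds live credentials and its permissions, retention and any copies (backups, log shippers) need the same handling as a password store.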