1. Proposed title of this feature request
- Update foreman-debug to by default not disclose confidential passwords and private keys (collection of this data should be an explicit option)
2. What is the nature and description of the request?
- foreman-debug by default collects passwords and private keys. This data is seldom required in support cases and customers should explicitly opt in to divulge this information if required by Red Hat support.
3. Why do you need this? (List the business requirements here)
- Enterprises should not divulge confidential passwords and keys to 3rd parties unless explicitly required. This is just good security practice.
5. How would you like to achieve this? (List the functional requirements here)
- foreman debug should by default obfuscate passwords and not collect private keys.
- Add command line option to foreman-debug command to collect password details and private keys if required by Red Hat support.
6. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.
- grep through collected data for password variables/test passwords to confirm data is obfuscated
- search for .pem files
7. Do you have any specific timeline dependencies, and which release would you like to target (e.g. RHEL6, RHEL7)?
8. List any affected packages or components.
9. Would you be able to assist in testing this functionality if implemented?
Thanks for the report, this is a regression from the last time we reviewed it.
Executing foreman-debug (foreman-debug-126.96.36.199-1.el7sat.noarch), I noticed it captured the following files containing passwords:
Sample entry (I have used XXXXXX to mask password)
The following log files captured also contained passwords:
Sample entry of keystore passwords being captured (I have used XXXXXX to mask password)
[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'
The following keystore files were also collected by foreman-debug; the private keystore files are the most concerning:
*** Bug 1247120 has been marked as a duplicate of this bug. ***
Making this BZ public, this was scored as low by the RSRT: https://bugzilla.redhat.com/show_bug.cgi?id=1406384
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17005 has been resolved.
Proxy private keys are still stored in the tarball as you can see:
Passwords are protected by replacing them with +FILTERED+.
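As an added example (not foreman-debug's own code, and not code posted by anyone in this thread), the following POSIX shell script models both the masking described in this comment (password values replaced by +FILTERED+, including keytool -storepass/-srcstorepass values like the ones captured in the installer log above) and the verification steps proposed in the feature request (grep the collected tree for known test passwords, look for key and keystore files). The directory layout, file contents, test passwords and the `with-secrets` opt-in argument are all constructed for the example; the real tool's paths, options and filtering rules may differ.

```shell
#!/bin/sh
# Added example, not foreman-debug's code. Everything below is constructed:
# a throwaway tree standing in for a debug tarball, a masking pass, a private
# key removal pass, and an audit that fails if any secret survives.

# Build a constructed tree with the kinds of leaks the bug report describes.
make_sample_tree() {
  _r=$(mktemp -d)
  mkdir -p "$_r/etc/foreman" "$_r/etc/foreman-proxy/ssl" \
           "$_r/etc/candlepin/certs/amqp" "$_r/var/log/foreman-installer"
  cat > "$_r/etc/foreman/database.yml" <<'EOF'
production:
  adapter: postgresql
  username: foreman
  password: s3cretDBpass
EOF
  # Constructed log lines shaped like the keytool invocation quoted in the bug.
  cat > "$_r/var/log/foreman-installer/satellite.log" <<'EOF'
[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate]: Executing 'openssl pkcs12 -export -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -storepass hunter2keystore -srcstorepass hunter2src -noprompt'
[ INFO 2016-07-28 14:24:14 main] foreman_db_password=s3cretDBpass written to answers file
EOF
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructedNotARealKey' \
                '-----END RSA PRIVATE KEY-----' > "$_r/etc/foreman-proxy/ssl/proxy.key"
  printf 'not a real keystore\n' > "$_r/etc/candlepin/certs/amqp/candlepin.jks"
  printf '%s\n' "$_r"
}

# Rewrite password values in text files: the key name stays, the value becomes
# +FILTERED+. Covers key: value / key=value forms, keytool store passwords and
# openssl -passin/-passout pass:... arguments. file:... references carry no secret.
mask_passwords() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' -o -name '*.conf' -o -name '*.log' \) |
  while read -r f; do
    sed -E \
      -e 's/([Pp]assword[[:space:]]*[:=][[:space:]]*)[^[:space:]]+/\1+FILTERED+/g' \
      -e 's/(-(src|dest)?storepass[[:space:]]+)[^[:space:]]+/\1+FILTERED+/g' \
      -e 's/(-pass(in|out)[[:space:]]+pass:)[^[:space:]]+/\1+FILTERED+/g' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Drop private key material: key and keystore files by name, plus any file
# (for example a .pem bundle) that contains a PEM private key block.
drop_private_keys() {
  find "$1" -type f \( -name '*.key' -o -name '*.jks' -o -name '*.p12' -o -name '*.pfx' \) -exec rm -f {} +
  grep -rlE -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null |
  while read -r f; do rm -f "$f"; done
}

# Scrubbing is the default; the explicit opt-in the feature request asks for is
# modelled here as a hypothetical second argument "with-secrets" that skips it.
scrub_tree() {
  if [ "${2:-}" = "with-secrets" ]; then
    echo "keeping passwords and private keys at operator request"
    return 0
  fi
  mask_passwords "$1"
  drop_private_keys "$1"
}

# Audit a tree the way the feature request proposes. Extra arguments are known
# test passwords that must not appear anywhere. Prints findings; returns 0 only
# if nothing was found.
audit_tree() {
  _root=$1; shift
  _bad=0
  for _s in "$@"; do
    if grep -rqF -- "$_s" "$_root"; then echo "LEAK: test password '$_s' found"; _bad=1; fi
  done
  # password assignments whose value does not start with the +FILTERED+ marker
  if grep -rEn -- '[Pp]assword[[:space:]]*[:=][[:space:]]*[^[:space:]+]' "$_root"; then _bad=1; fi
  if grep -rEn -- '-(src|dest)?storepass[[:space:]]+[^[:space:]+]' "$_root"; then _bad=1; fi
  # private key material by file name or by content
  if find "$_root" -type f \( -name '*.key' -o -name '*.jks' -o -name '*.p12' -o -name '*.pfx' \) | grep .; then _bad=1; fi
  if grep -rlE -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$_root"; then _bad=1; fi
  return $_bad
}

# Demonstration run on a constructed tree, removed afterwards.
demo=$(make_sample_tree)
echo "== before scrubbing =="
audit_tree "$demo" s3cretDBpass hunter2keystore hunter2src || echo "(leaks present, as expected)"
scrub_tree "$demo"
echo "== after scrubbing =="
audit_tree "$demo" s3cretDBpass hunter2keystore hunter2src && echo "clean"
rm -rf "$demo"
```

The audit deliberately looks for the plaintext test passwords in addition to pattern matching: a pattern-only check passes as soon as the known key=value forms are masked, while a secret that leaked through an unexpected file (an answers file, a command line in a log) is only caught by searching for the value itself, which is why the feature request asks for exactly that grep.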
Fixed in redmine http://projects.theforeman.org/issues/20539 . Thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.