Bug 1370168 - [RFE] Update foreman-debug to by default not disclose confidential passwords and private keys
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Foreman Debug
Version: 6.2.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: GA
Target Release: Unused
Assigned To: Lukas Zapletal
QA Contact: Ales Dujicek
URL: http://projects.theforeman.org/issues...
Keywords: FutureFeature, Triaged
Duplicates: 1247120
Blocks: CVE-2016-9593
Reported: 2016-08-25 08:33 EDT by Preetesh Sharma
Modified: 2018-02-21 07:35 EST (History)
Fixed In Version: foreman-proxy-1.15.4-1
Last Closed: 2018-02-21 07:35:52 EST
Type: Bug
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 17005 | None | None | None | 2016-10-19 04:02 EDT
Foreman Issue Tracker | 20539 | None | None | None | 2017-08-10 07:12 EDT
Red Hat Product Errata | RHSA-2018:0336 | normal | SHIPPED_LIVE | Important: Satellite 6.3 security, bug fix, and enhancement update | 2018-02-21 17:43:42 EST
Description Preetesh Sharma 2016-08-25 08:33:51 EDT
1. Proposed title of this feature request
- Update foreman-debug to by default not disclose confidential passwords and private keys (collection of this data should be an explicit option)

2. What is the nature and description of the request? 
- foreman-debug by default collects passwords and private keys.  This data is seldom required in support cases and customers should explicitly opt in to divulge this information if required by Red Hat support.

3. Why do you need this? (List the business requirements here)
- Enterprises should not divulge confidential passwords and keys to 3rd parties unless explicitly required. This is just good security practice.

5. How would you like to achieve this? (List the functional requirements here)
- foreman debug should by default obfuscate passwords and not collect private keys.
- Add command line option to foreman-debug command to collect password details and private keys if required by Red Hat support. 

6. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.
- grep through collected data for password variables/test passwords to confirm data is obfuscated
- search for .pem files

7. Do you have any specific timeline dependencies and which release would you like to target (i.e. RHEL6, RHEL7)?
No

8. List any affected packages or components.
foreman-debug

9. Would you be able to assist in testing this functionality if implemented?
Yes
Comment 1 Lukas Zapletal 2016-09-06 08:37:03 EDT
Thanks for the report, this is a regression from the last time we reviewed it.

Original report:

Executing a foreman-debug (foreman-debug-1.11.0.51-1.el7sat.noarch) I noticed it captured the following files containing passwords:

./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160728-13519-17pu8qt/default_values.yaml
./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160816-116632-pc8k5j/default_values.yaml

Sample entry (I have used XXXXXX to mask the password):

  "capsule::params::pulp_admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::db_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "foreman_proxy::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXX
  "foreman_proxy::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXX
  "katello::params::oauth_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  "katello::params::post_sync_token": XXXXXXXXXXXXXXXXXXXXXXXXXXX


The following log files captured also contained passwords:

./foreman-debug-2nCVG/var/log/foreman-installer/satellite.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.2.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.3.log

Sample entry of keystore passwords being captured (I have used XXXXXX to mask the password):

[DEBUG 2016-07-28 14:24:13 main]  Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'


The following keystore files were also collected by foreman-debug, the private keystore files are most concerning:

./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/prdl110.rtdomau.local.pem
./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/ca.pem
./foreman-debug-2nCVG/etc/foreman/client_cert.pem
./foreman-debug-2nCVG/etc/foreman/client_key.pem
./foreman-debug-2nCVG/etc/foreman/proxy_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_key.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_key.pem
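The behaviour the RFE asks for (filter credential values, skip private keys unless explicitly requested) together with the grep-style check from item 6, as an added Python example; this is not foreman-debug's own code. It assumes the +FILTERED+ marker that Comment 7 reports, the *_password / *_secret / *_token / oauth_consumer_key key names and the keytool -storepass switches seen in the samples above, and it detects key material by PEM content rather than by file name; the directory layout and file names it is run on are whatever the caller passes in.

```python
import re
import sys
from pathlib import Path

FILTERED = "+FILTERED+"  # marker Comment 7 reports for filtered passwords (assumed)
# credential keys taken from the answer-file sample; keytool password switches from the log sample
SECRET_KEY_RE = re.compile(
    r'^(?P<prefix>\s*"?[\w:]*(?:password|secret|token|consumer_key)"?\s*:\s*).*$', re.I)
CLI_PASS_RE = re.compile(r"(-(?:src|dest)?(?:store|key)pass)\s+\S+")

def redact_line(line):
    """Keep the key or switch visible; replace only the credential value."""
    line = SECRET_KEY_RE.sub(lambda m: m.group("prefix") + FILTERED, line)
    return CLI_PASS_RE.sub(r"\1 " + FILTERED, line)

def is_private_key(path):
    """Detect PEM private-key material by content, not by .pem/.key suffix."""
    try:
        return b"PRIVATE KEY-----" in Path(path).read_bytes()[:4096]
    except OSError:
        return False

def collect(src, dst, include_keys=False):
    """Copy a tree into the bundle with secrets filtered; skip private keys unless include_keys (the opt-in)."""
    skipped = []
    for f in sorted(p for p in Path(src).rglob("*") if p.is_file()):
        rel = f.relative_to(src)
        if is_private_key(f) and not include_keys:
            skipped.append(str(rel))
            continue
        out = Path(dst) / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        lines = f.read_text(errors="replace").splitlines(keepends=True)
        out.write_text("".join(redact_line(l) for l in lines))
    return skipped

def audit(bundle):
    """Item 6 of the RFE: list files still holding a key, or a line redact_line() would still change."""
    findings = []
    for f in sorted(p for p in Path(bundle).rglob("*") if p.is_file()):
        rel = f.relative_to(bundle)
        if is_private_key(f):
            findings.append(f"{rel}: private key")
        else:
            for n, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
                if redact_line(line) != line:
                    findings.append(f"{rel}:{n}: unfiltered secret")
    return findings

if __name__ == "__main__":  # usage: redact.py SRC_DIR BUNDLE_DIR [--include-keys]
    print(collect(sys.argv[1], sys.argv[2], "--include-keys" in sys.argv), audit(sys.argv[2]))
```

Running audit() over an existing foreman-debug tarball extraction is the quickest way to reproduce the check in item 6 of the report.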
Comment 4 Marek Hulan 2016-12-22 04:15:26 EST
*** Bug 1247120 has been marked as a duplicate of this bug. ***
Comment 5 Lukas Zapletal 2016-12-22 04:20:20 EST
Making this BZ public, this was scored as low by the RSRT: https://bugzilla.redhat.com/show_bug.cgi?id=1406384
Comment 6 pm-sat@redhat.com 2017-02-02 06:05:43 EST
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17005 has been resolved.
Comment 7 Daniel Lobato Garcia 2017-08-09 07:05:56 EDT
Failed verification.

Version tested:

foreman-1.15.2-1.el7sat.noarch
foreman-debug-1.15.2-1.el7sat.noarch
satellite-6.3.0-16.0.beta.el7sat.noarch

Proxy private keys are still stored in the tarball as you can see:

foreman-debug-gw3Zd/etc/foreman-proxy/foreman_ssl_key.pem
foreman-debug-gw3Zd/etc/foreman-proxy/ssl_key.pem

Passwords are protected by substituting them with +FILTERED+.
Comment 8 Lukas Zapletal 2017-08-10 07:12:59 EDT
Fixed in redmine http://projects.theforeman.org/issues/20539 . Thanks.
Comment 14 errata-xmlrpc 2018-02-21 07:35:52 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
