Bug 1370168 - [RFE] Update foreman-debug to by default not disclose confidential passwords and private keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Foreman Debug
Version: 6.2.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Ales Dujicek
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1247120
Depends On:
Blocks: CVE-2016-9593
Reported: 2016-08-25 12:33 UTC by Preetesh Sharma
Modified: 2019-08-12 16:06 UTC

Fixed In Version: foreman-proxy-1.15.4-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 12:35:52 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 17005 None None None 2016-10-19 08:02:27 UTC
Foreman Issue Tracker 20539 None None None 2017-08-10 11:12:58 UTC
Red Hat Product Errata RHSA-2018:0336 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Description Preetesh Sharma 2016-08-25 12:33:51 UTC
1. Proposed title of this feature request
- Update foreman-debug to by default not disclose confidential passwords and private keys (collection of this data should be an explicit option)

2. What is the nature and description of the request? 
- foreman-debug by default collects passwords and private keys.  This data is seldom required in support cases and customers should explicitly opt in to divulge this information if required by Red Hat support.

3. Why do you need this? (List the business requirements here)
- Enterprises should not divulge confidential passwords and keys to 3rd parties unless explicitly required. This is just good security practice.

5. How would you like to achieve this? (List the functional requirements here)
- foreman debug should by default obfuscate passwords and not collect private keys.
- Add command line option to foreman-debug command to collect password details and private keys if required by Red Hat support. 

6. For each functional requirement listed, specify how Red Hat and you can test to confirm the requirement is successfully implemented.
- grep through collected data for password variables/test passwords to confirm data is obfuscated
- search for .pem files

7. Do you have any specific timeline dependencies, and which release would you like to target (i.e. RHEL6, RHEL7)?
No

8. List any affected packages or components.
foreman-debug

9. Would you be able to assist in testing this functionality if implemented?
Yes

Comment 1 Lukas Zapletal 2016-09-06 12:37:03 UTC
Thanks for the report, this is a regression from the last time we reviewed it.

Original report:

Executing a foreman-debug (foreman-debug-1.11.0.51-1.el7sat.noarch) I noticed it captured the following files containing passwords:

./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160728-13519-17pu8qt/default_values.yaml
./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160816-116632-pc8k5j/default_values.yaml

Sample entry (I have used XXXXXX to mask the passwords):

  "capsule::params::pulp_admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::db_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "::foreman::params::admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  "foreman_proxy::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXX
  "foreman_proxy::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXX
  "katello::params::oauth_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  "katello::params::post_sync_token": XXXXXXXXXXXXXXXXXXXXXXXXXXX


The following log files captured also contained passwords:

./foreman-debug-2nCVG/var/log/foreman-installer/satellite.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.2.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.3.log

Sample entry of keystore passwords being captured (I have used XXXXXX to mask the passwords):

[DEBUG 2016-07-28 14:24:13 main]  Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'


The following keystore files were also collected by foreman-debug; the private keystore files are most concerning:

./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/prdl110.rtdomau.local.pem
./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/ca.pem
./foreman-debug-2nCVG/etc/foreman/client_cert.pem
./foreman-debug-2nCVG/etc/foreman/client_key.pem
./foreman-debug-2nCVG/etc/foreman/proxy_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_key.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_key.pem

Comment 4 Marek Hulan 2016-12-22 09:15:26 UTC
*** Bug 1247120 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Zapletal 2016-12-22 09:20:20 UTC
Making this BZ public, this was scored as low by the RSRT: https://bugzilla.redhat.com/show_bug.cgi?id=1406384

Comment 6 pm-sat@redhat.com 2017-02-02 11:05:43 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17005 has been resolved.

Comment 7 Daniel Lobato Garcia 2017-08-09 11:05:56 UTC
Failed verification.

Version tested:

foreman-1.15.2-1.el7sat.noarch
foreman-debug-1.15.2-1.el7sat.noarch
satellite-6.3.0-16.0.beta.el7sat.noarch

Proxy private keys are still stored in the tarball as you can see:

foreman-debug-gw3Zd/etc/foreman-proxy/foreman_ssl_key.pem
foreman-debug-gw3Zd/etc/foreman-proxy/ssl_key.pem

Passwords are protected by substituting them with +FILTERED+.
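
The check described in item 6 of the request and repeated in comment 7, as an added example that is not part of the bug report or of foreman-debug: a shell audit of an unpacked foreman-debug directory for private keys and unfiltered secrets. The `+FILTERED+` marker comes from comment 7; the function names, the setting-name patterns and the sample tree are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an unpacked foreman-debug directory for leaked secrets.
# +FILTERED+ is the marker quoted in comment 7; the setting-name patterns and
# the sample tree are assumptions constructed for this demo.

# Files holding PEM private-key material. Matching on content, not on the .pem
# suffix, keeps certificates (ca.pem, ssl_cert.pem) out of the result.
find_private_keys() {
  grep -rlE -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1" 2>/dev/null | sort
}

# "file:line" of settings or keytool arguments that look secret and carry a
# value other than the +FILTERED+ placeholder.
find_unfiltered_secrets() {
  local names='(password|secret|consumer_key|token)"?[[:space:]]*:[[:space:]]*[^[:space:]]'
  local args='-(src)?storepass[[:space:]]+[^[:space:]]'
  grep -rnEi -e "$names|$args" "$1" 2>/dev/null |
    grep -vF -e '+FILTERED+' | cut -d: -f1,2 | sort
}

# Exit status 0 only when neither check finds anything.
audit_debug_dir() {
  local keys secrets
  keys=$(find_private_keys "$1")
  secrets=$(find_unfiltered_secrets "$1")
  if [ -n "$keys" ]; then printf '%s\n' "$keys" | sed 's/^/private key: /'; fi
  if [ -n "$secrets" ]; then printf '%s\n' "$secrets" | sed 's/^/unfiltered secret: /'; fi
  [ -z "$keys$secrets" ]
}

# Constructed sample tree using paths named in the report (no real secrets).
make_sample() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/etc/foreman-proxy" "$d/etc/foreman-installer" "$d/var/log/foreman-installer"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' '-----END RSA PRIVATE KEY-----' \
    > "$d/etc/foreman-proxy/ssl_key.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' '-----END CERTIFICATE-----' \
    > "$d/etc/foreman-proxy/ssl_cert.pem"
  printf '%s\n' '"::foreman::params::db_password": +FILTERED+' \
    '"katello::params::oauth_secret": "constructed-value"' > "$d/etc/foreman-installer/default_values.yaml"
  printf '%s\n' "Executing 'keytool -importkeystore -storepass constructed-value -noprompt'" \
    > "$d/var/log/foreman-installer/satellite.log"
  echo "$d"
}

demo=$(make_sample)
audit_debug_dir "$demo" || echo "audit failed: secrets remain in the collected data"
rm -rf "$demo"
```

A line that contains `+FILTERED+` anywhere is treated as clean, so a log line with one filtered and one unfiltered value on it still needs a manual look.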

Comment 8 Lukas Zapletal 2017-08-10 11:12:59 UTC
Fixed in Redmine: http://projects.theforeman.org/issues/20539. Thanks.

Comment 14 errata-xmlrpc 2018-02-21 12:35:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

