Bug 1590565
| Field | Value |
|---|---|
| Summary: | [RFE] sos IPA module enhancements |
| Product: | Red Hat Enterprise Linux 7 |
| Component: | sos |
| Version: | 7.5 |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | medium |
| Priority: | unspecified |
| Reporter: | Marco Rhodes <mrhodes> |
| Assignee: | Pavel Moravec <pmoravec> |
| QA Contact: | Miroslav Hradílek <mhradile> |
| CC: | agk, bmr, gavin, mhradile, mrhodes, plambri, sbradley |
| Target Milestone: | rc |
| Target Release: | --- |
| Keywords: | FutureFeature, OtherQA |
| Hardware: | All |
| OS: | Linux |
| Type: | Bug |
| Doc Type: | If docs needed, set a value |
| Last Closed: | 2018-11-06 09:36:45 UTC |
Thanks for the patch: looks mostly straightforward (although very late for 7.6...).

Is there anything potentially sensitive in the CLI logs (or elsewhere)?

Hi Marco,
our QE can't grant capacity for verification of this (such a late-filed) bug in case it will go to 7.6. Could you please verify it yourself once a candidate build is available, to do OtherQA?

(In reply to Bryn M. Reeves from comment #3)
> Thanks for the patch: looks mostly straightforward (although very late for
> 7.6...).
>
> Is there anything potentially sensitive in the CLI logs (or elsewhere)?

With regard to the IPA CLI log, nothing sensitive there *unless* there is a desire not to expose the history and results from the ipa command, which is what this log captures in addition to XML-RPC data. This log is actually discussed in the official documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/

~/.ipa/log/cli.log
"The log file for errors returned by XML-RPC calls and responses by the ipa utility. Created in the home directory for the system user who runs the tools, who might have a different user name than the IdM user."

No sensitive information is contained within the data related to any of the other proposed changes.

(In reply to Pavel Moravec from comment #4)
> Hi Marco,
> our QE can't grant capacity for verification of this (such a late-filed) bug
> in case it will go to 7.6. Could you please verify it yourself once a
> candidate build is available, to do OtherQA?

Hi Pavel,
No problem at all. I've already been testing the changes locally.

> With regard to the IPA CLI log, nothing sensitive there

Thanks - only asked as CLI logs sometimes include all command arguments - if these can contain secrets then we need to be able to remove them (e.g. this is why we cannot collect .bash_history - it's totally unstructured and can contain all kinds of sensitive bits & bobs).
Some of the changes are already in upstream; the resulting upstream patch is:
https://github.com/sosreport/sos/pull/1346

I haven't deleted calling "klist -ket /etc/httpd/conf/ipa.keytab" as:
- "klist -ket /var/lib/ipa/gssproxy/http.keytab" is already collected
- not sure if the "ipa.keytab command" is really ridiculous (i.e. the original change adding the "http.keytab command" might have left the "ipa.keytab command" on purpose; in case the command is really redundant, please tell me and I will update my PR)

(In reply to Pavel Moravec from comment #8)
> Some of the changes are already in upstream; the resulting upstream patch is:
>
> https://github.com/sosreport/sos/pull/1346
>
> I haven't deleted calling "klist -ket /etc/httpd/conf/ipa.keytab" as:
>
> - "klist -ket /var/lib/ipa/gssproxy/http.keytab" is already collected
> - not sure if the "ipa.keytab command" is really ridiculous (i.e. the
> original change adding the "http.keytab command" might have left the "ipa.keytab
> command" on purpose; in case the command is really redundant, please tell me
> and I will update my PR)

Actually, http.keytab will only be found on servers with IPA version >= 4.5, where framework privilege separation (gssproxy) was introduced. Earlier versions will still use ipa.keytab, so perhaps we should keep both file paths for now.

Great, as the upstream commit didn't delete it :)
https://github.com/sosreport/sos/commit/815a0eaabb70668648cf7e4ec911f325d95eef0b

This should have been fixed in RHEL 7.6 due to previous updates done in sos 3.6, which we rebased to in 7.6. Hence closing the BZ as fixed in current release:

package: sos-3.6-11
7.6.0 errata: https://access.redhat.com/errata/RHEA-2018:3144
7.6 0-day errata: https://access.redhat.com/errata/RHBA-2018:3338
(either one contains the fix)
Created attachment 1450677 [details]
diff -u

Description of problem:
Improvements and one correction:
- Correct the Apache keytab path passed to the klist command to /var/lib/ipa/gssproxy
- Include the IPA CLI log
- Include the Dogtag system certificate verification log
- Include the Apache NSS database under /etc/httpd/alias
- Add exclusions for the Apache NSS database key database and PIN/password files
- Include the RA agent and KDC certificates (>= IPA v4.5)
- Include the IPA sysrestore state file
- Run command 'pki-server cert-find --show-all' to obtain copies of the Dogtag CA system certificates
- Run command 'pki-server subsystem-cert-validate ca' to obtain the validation status of the Dogtag CA system certificates
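The security-relevant part of the list above is the pairing of "include the Apache NSS database" with "exclude its key database and PIN/password files": an NSS directory holds the public certificate database next to the private-key database and, on IPA servers, the file holding the token PIN, so a copy spec on the directory needs a forbidden-path rule or the report ships the server's private keys. (The klist -ket outputs collected alongside are safe in the same sense: -k/-e/-t print principals, kvnos, enctypes and timestamps; only klist -K would dump key material.) The following is an added example, not code from sos or from the patch attached to this bug, that models how a plugin's copy specs and forbidden-path globs interact on a constructed server tree, and adds a hypothetical scrub() of the kind Bryn's follow-up about secrets in CLI arguments asks for (sos's real API for this is add_forbidden_path() and do_file_sub()). The file names under /etc/httpd/alias (cert8.db, key3.db, pwdfile.txt) and the sysrestore path are assumptions; the bug names only the directory and "sysrestore state file".

```python
"""Added example (not sos project code): model sos-style copy specs plus
forbidden-path globs over a constructed IPA server tree, so the NSS
certificate DB and the IPA CLI log are collected while the NSS private-key
DB and the PIN/password file never leave the host."""
import fnmatch
import os
import re
import tempfile

# What the plugin would copy (absolute paths; a file or a whole directory).
COPY_SPECS = [
    "/etc/httpd/alias",                          # Apache NSS database dir
    "/root/.ipa/log/cli.log",                    # IPA CLI log (root's copy)
    "/var/lib/ipa/sysrestore/sysrestore.state",  # sysrestore state (assumed path)
]
# What must never be collected: private keys and the NSS token PIN.
FORBIDDEN = [
    "/etc/httpd/alias/key*.db",      # key3.db / key4.db hold private keys
    "/etc/httpd/alias/pwdfile.txt",  # NSS PIN file (assumed filename)
]
# Hypothetical pattern for a secret passed as a CLI argument; value is masked.
SECRET_ARG = re.compile(r"(--?(?:password|pw)[= ])(\S+)")


def expand_spec(root, spec):
    """Yield absolute paths matched by one copy spec under a fake root dir."""
    real = os.path.join(root, spec.lstrip("/"))
    if os.path.isfile(real):
        yield spec
    elif os.path.isdir(real):
        for dirpath, _, names in os.walk(real):
            for name in names:
                full = os.path.join(dirpath, name)
                yield "/" + os.path.relpath(full, root)


def is_forbidden(path, forbidden=FORBIDDEN):
    """True when the path matches any forbidden glob (checked per file)."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in forbidden)


def collect(root, specs=COPY_SPECS, forbidden=FORBIDDEN):
    """Sorted list of paths that survive the forbidden-path filter."""
    return sorted({p for s in specs for p in expand_spec(root, s)
                   if not is_forbidden(p, forbidden)})


def scrub(line):
    """Mask the value of a --password / --pw style argument in a log line."""
    return SECRET_ARG.sub(r"\1********", line)


def build_fixture():
    """Constructed sample tree; file contents are placeholders, not real data."""
    root = tempfile.mkdtemp()
    sample = {
        "etc/httpd/alias/cert8.db": b"nss-cert-db",
        "etc/httpd/alias/key3.db": b"nss-private-keys",
        "etc/httpd/alias/pwdfile.txt": b"Secret123",
        "root/.ipa/log/cli.log": b"ipa: INFO: user-add alice\n",
        "var/lib/ipa/sysrestore/sysrestore.state": b"[httpd]\n",
    }
    for rel, data in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for path in collect(root):
        print("collect:", path)
    print(scrub("ipa user-add alice --password=Secret123"))
```

The filter is applied per file after the directory spec is expanded, which is the behaviour that matters: a forbidden glob on key*.db does nothing if the plugin copies the directory as an opaque unit. The scrub pattern is deliberately narrow; as Bryn's comment notes, unstructured logs such as .bash_history cannot be cleaned this way and are simply not collected.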