Description of problem:
When you set a password for a repo in the "Upstream Password" field, it appears in cleartext in the audit logs. Due to Bug 1630535 (admin password is added to yum repo config), the admin password can end up in the audit logs.

Version-Release number of selected component (if applicable):
~]# rpm -q satellite
satellite-6.4.0-14.el7sat.noarch

How reproducible:

Steps to Reproduce:
1. Products > Repositories
2. Create a custom product with a yum repository.
3. Add a password to "Upstream Password"
4. Check the audit logs

Actual results:
Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264
Upstream password changed from [empty] to changeme
Checksum type changed from sha256 to sha1

Expected results:
Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264
Upstream password changed from [empty] to [redacted]
Checksum type changed from sha256 to sha1
Note: this will likely apply to password on any content types.
Created redmine issue https://projects.theforeman.org/issues/28112 from this bug
Current Workaround until we come up with an official fix

To exclude the "Upstream Password" from being captured in Audit entries:

# vi /opt/theforeman/tfm/root/usr/share/gems/gems/katello-*/app/models/katello/root_repository.rb

Replace this line
~~~
audited
~~~
with
~~~
audited :except => [:upstream_password]
~~~

# systemctl restart httpd
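An added illustration of the mechanism behind the workaround, written for this page; it is not Katello's code and not the `audited` gem, but a minimal stand-in for ActiveRecord-style attribute auditing. MiniAudited, the three Repository classes, render_audit, audit_leaks? and demo are hypothetical names. The :except option is modelled on the workaround's `audited :except => [...]`; the :redact option is an assumed alternative that keeps the change event but masks the value, which is what the expected output in comment 0 reads like. The sample attribute values are constructed to match comment 0.

```ruby
# Added example (not Katello code, not the `audited` gem): a minimal
# stand-in for attribute auditing, showing why the "Upstream Password"
# value reached the audit log and what two possible fixes change.
# MiniAudited, the Repository classes and the helper functions are
# hypothetical names invented for this illustration.

module MiniAudited
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Same shape as `audited :except => [...]`. :redact is an assumed
    # extra option: the change is still recorded, but non-empty values
    # are replaced by "[redacted]".
    def audited(except: [], redact: [])
      @audit_options = { except: except.map(&:to_s), redact: redact.map(&:to_s) }
    end

    def audit_options
      @audit_options || { except: [], redact: [] }
    end
  end

  attr_reader :audits

  def initialize(attributes = {})
    @attributes = attributes.transform_keys(&:to_s)
    @audits = []
  end

  # Apply attribute changes and record one audit entry of the form
  # { "attr" => [old, new] }: the before/after pair an audit trail keeps
  # for every audited column, secrets included unless told otherwise.
  def update(changes)
    opts = self.class.audit_options
    mask = ->(v) { v.nil? || v.empty? ? v : '[redacted]' }
    entry = {}
    changes.each do |attr, new_value|
      attr = attr.to_s
      old_value = @attributes[attr]
      @attributes[attr] = new_value
      next if opts[:except].include?(attr)          # column is not audited at all
      entry[attr] = if opts[:redact].include?(attr) # event kept, values masked
                      [mask.call(old_value), mask.call(new_value)]
                    else
                      [old_value, new_value]
                    end
    end
    @audits << entry unless entry.empty?
    entry
  end
end

# Three variants of the model, differing only in the audited declaration.
class LeakyRepository
  include MiniAudited
  audited                                 # the original line: everything is logged
end

class ExceptRepository
  include MiniAudited
  audited except: [:upstream_password]    # the workaround above
end

class RedactingRepository
  include MiniAudited
  audited redact: [:upstream_password]    # masked rather than dropped
end

def display(value)
  value.nil? || value.empty? ? '[empty]' : value
end

# Render one audit entry the way the UI text in comment 0 reads.
def render_audit(entry)
  entry.map do |attr, (old_value, new_value)|
    "#{attr.tr('_', ' ').capitalize} changed from #{display(old_value)} to #{display(new_value)}"
  end
end

# Check an audit trail for a secret that must never appear in it.
def audit_leaks?(repo, secret)
  repo.audits.any? { |entry| entry.values.flatten.compact.include?(secret) }
end

# Run the same change (constructed values, as in comment 0) through each variant.
def demo(secret = 'changeme')
  [LeakyRepository, ExceptRepository, RedactingRepository].to_h do |klass|
    repo = klass.new(upstream_password: '', checksum_type: 'sha256')
    repo.update(upstream_password: secret, checksum_type: 'sha1')
    [klass.name, { lines: render_audit(repo.audits.first), leaks: audit_leaks?(repo, secret) }]
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, result| puts name, *result[:lines], "leaks secret: #{result[:leaks]}", '' }
end
```

The two fixes are not equivalent: :except removes the column from the trail entirely, so the audit no longer shows that the credential was ever changed, while masking keeps the change event with the value hidden. Also note that the workaround edits a file inside a packaged gem, so it is lost when that package is updated and has to be re-applied until the fixed build is installed.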
Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug
Connecting redmine issue https://projects.theforeman.org/issues/29931 from this bug
Connecting redmine issue https://projects.theforeman.org/issues/30064 from this bug
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30064 has been resolved.
This is already in the 6.8.0 snaps
*** Bug 1868697 has been marked as a duplicate of this bug. ***
Created attachment 1713255
Audit log shows redacted password

Hello

Testing on snap 12
[root@dell-r330-12 ~]# rpm -q satellite
satellite-6.8.0-1.el7sat.noarch

Followed procedure as per comment 0
Navigate Monitor > Audit logs
Look for create KATELLO/ROOT REPOSITORY test_repo
Click triangle icon to expand
See: Upstream password [redacted]

Thank you
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4366