Bug 1785117 - [RFE] Add functionality in foreman logging to hash-out or mark as [FILTERED] the password in /var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log file
Summary: [RFE] Add functionality in foreman logging to hash-out or mark as [FILTERED] ...
Keywords:
Status: ON_QA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.6.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: 6.8.0
Assignee: Lukas Zapletal
QA Contact: Devendra Singh
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-19 08:05 UTC by Kaushik Sajjan Agarwal
Modified: 2020-05-20 13:57 UTC
CC List: 5 users

Fixed In Version: foreman-2.0.0-0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Links
System                 ID     Priority  Status  Summary                                  Last Updated
Foreman Issue Tracker  28553  Normal    Closed  Foreman debug gathers --password 'xyz'   2020-05-20 10:34:07 UTC

Description Kaushik Sajjan Agarwal 2019-12-19 08:05:39 UTC
Description of problem:
    -  Satellite log files (/var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log) capture passwords in plain text:

      /var/log/foreman-maintain/foreman-maintain.log
      [33m/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' --user 'candlepin' --password 'XXXXXXXXXXXXXXXXXXX' finished successfully!

      /var/log/foreman-installer/satellite.log
      Example entries:
      [DEBUG 2019-12-15T11:xx:54 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass XXXXXXXXXXXXXXXXXX -alias amqp-client'
      [DEBUG 2019-12-15T11:29:54 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]: 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXX -srcstorepass YYYYYYYYYYYYYYYYY -noprompt && rm /tmp/keystore.p12' won't be executed because of failed check 'unless'
      [DEBUG 2019-12-15T11:29:15 main]    proxy_password = XXXXXXXXXXXXX


Version-Release number of selected component (if applicable): NA


Steps to Reproduce RFE:
1. Checked entries in /var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log

Actual results:

      /var/log/foreman-maintain/foreman-maintain.log
      [33m/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' --user 'candlepin' --password 'XXXXXXXXXXXXXXXXXXX' finished successfully!

      /var/log/foreman-installer/satellite.log
      Example entries:
      [DEBUG 2019-12-15T11:xx:54 main]  Executing: 'keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.jks -storepass XXXXXXXXXXXXXXXXXX -alias amqp-client'
      [DEBUG 2019-12-15T11:29:54 main]  /Stage[main]/Certs::Candlepin/Exec[import client certificate into Candlepin keystore]: 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXX -srcstorepass YYYYYYYYYYYYYYYYY -noprompt && rm /tmp/keystore.p12' won't be executed because of failed check 'unless'
      [DEBUG 2019-12-15T11:29:15 main]    proxy_password = XXXXXXXXXXXXX


Expected results:

Passwords in the log file should not be stored in plain text as it becomes a major security threat.

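To show what value-only redaction of the entries quoted above looks like (masking the secret but keeping the surrounding command and status text), here is an added Python example. It is not part of this bug report, not the sos plugin code discussed below and not the Kafo/Foreman filter; the sample lines and placeholder secrets are constructed after the log excerpts in the description, and the pattern set is an assumption chosen to cover exactly those excerpts.

```python
import re

# Constructed sample lines, modelled on the entries quoted in this bug report.
# The secret values are placeholders, not real credentials.
SAMPLE_LINES = [
    "/usr/share/candlepin/cpdb --update --database '//localhost/candlepin' "
    "--user 'candlepin' --password 'S3cretDbPass' finished successfully!",
    "[DEBUG 2019-12-15T11:29:54 main]  Executing: 'keytool -list -keystore "
    "/etc/candlepin/certs/amqp/candlepin.jks -storepass KeyStoreP4ss -alias amqp-client'",
    "[DEBUG 2019-12-15T11:29:54 main]  'keytool -importkeystore "
    "-destkeystore /etc/candlepin/certs/amqp/candlepin.jks "
    "-srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client "
    "-storepass DestP4ss -srcstorepass SrcP4ss -noprompt && rm /tmp/keystore.p12' "
    "won't be executed because of failed check 'unless'",
    "[DEBUG 2019-12-15T11:29:15 main]    proxy_password = ProxyP4ss",
    "[DEBUG 2019-12-15T11:29:16 main]    server_name = satellite.example.com",
]

MASK = "********"

# A quoted value ('...' or "...") or a single non-blank token.
_VALUE = r"('[^']*'|\"[^\"]*\"|\S+)"

# Group 1 is the prefix that must survive; group 2 is only the secret value.
# Restricting group 2 to the value (instead of a greedy .* to end of line)
# keeps the rest of the entry, e.g. "finished successfully!" or the
# "won't be executed because of failed check 'unless'" status, in the log.
SECRET_PATTERNS = [
    # cpdb / foreman-maintain style:  --password 'value'
    re.compile(r"(--password\s+)" + _VALUE),
    # keytool style: -storepass / -srcstorepass / -deststorepass / -keypass value
    re.compile(r"(-(?:src|dest)?(?:store|key)pass\s+)" + _VALUE),
    # installer settings:  proxy_password = value  (the whole remainder is the value)
    re.compile(r"(\b\w*(?:passw\w*|secret|token|cred\w*)\s*=\s*)(.*)", re.IGNORECASE),
]


def redact_line(line):
    """Return `line` with every credential value replaced by MASK."""
    for pattern in SECRET_PATTERNS:
        line = pattern.sub(lambda m: m.group(1) + MASK, line)
    return line


def redact_lines(lines):
    """Scrub a whole log excerpt; order and non-secret text are preserved."""
    return [redact_line(line) for line in lines]


def find_leaks(lines):
    """Post-check for the scrubbed file: list (line_index, matched_text) for
    every credential-looking value that is not already the mask. An empty
    list is the condition a sanitiser test should assert on."""
    hits = []
    for index, line in enumerate(lines):
        for pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                if match.group(2) != MASK:
                    hits.append((index, match.group(0)))
    return hits


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, redact_lines(SAMPLE_LINES)):
        print("-", before)
        print("+", after)
    print("leaks remaining:", find_leaks(redact_lines(SAMPLE_LINES)))
```

The point of the two-group layout is that the replacement never has to know where the line ends: `-storepass` and `-srcstorepass` on the same keytool line are masked independently, and the status text after them is kept, which matters when the log is later used to debug a failed run. `find_leaks` is the check to run over the scrubbed file before it leaves the host; it reuses the same patterns, so a pattern that misses a new flag will be missed by both, and new log formats need a new pattern plus a sample line.
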
Comment 4 Bryan Kearney 2019-12-20 11:05:28 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28553 has been resolved.

Comment 5 Pavel Moravec 2019-12-20 22:15:42 UTC
sosreport needs a fix like:

diff --git a/sos/plugins/foreman.py b/sos/plugins/foreman.py
index c1546eae..41f7986a 100644
--- a/sos/plugins/foreman.py
+++ b/sos/plugins/foreman.py
@@ -241,8 +241,8 @@ class Foreman(Plugin):
         return _dbcmd % (self.dbhost, csvformat, quote(query))
 
     def postproc(self):
-        satreg = r"((foreman.*)?(\"::(foreman(.*?)|katello).*)?(::(.*)::.*" \
-              r"(passw|cred|token|secret|key).*(\")?:))(.*)"
+        satreg = r"((foreman.*)?(\"::(foreman(.*?)|katello).*)?((::(.*)::.*" \
+              r"(passw|cred|token|secret|key).*(\")?:)|(storepass )))(.*)"
         self.do_path_regex_sub(
             "/var/log/foreman-installer/sat*",
             satreg,
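Review bot: the new `(storepass )` alternative is followed by the trailing `(.*)`, so everything from the first `-storepass ` to the end of the line is replaced; on the keytool -importkeystore entry quoted in the description that also removes `-srcstorepass`, `-noprompt && rm /tmp/keystore.p12` and the `won't be executed because of failed check 'unless'` result, which is the part someone debugging the installer needs. Matching only the value token, e.g. `(storepass )(\S+)` as the alternative with the rest of the line left intact, would mask both `-storepass` and `-srcstorepass` (the unanchored `storepass ` already matches inside `srcstorepass `) while keeping the command readable. A regression test with that quoted line would pin the behaviour down.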
@@ -265,7 +265,7 @@ class Foreman(Plugin):
             r"\1********")
         self.do_path_regex_sub(
             "/var/log/foreman-maintain/foreman-maintain.log*",
-            r"((passw|cred|token|secret)=)(.*)",
+            r"(((passw|cred|token|secret)=)|(password ))(.*)",
             r"\1********")
         self.do_path_regex_sub(
             "/var/log/%s*/foreman-ssl_access_ssl.log*" % self.apachepkg,
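Review bot: `(password )` is again paired with the greedy `(.*)`, so the cpdb line from foreman-maintain.log quoted in the description, `--password 'xyz' finished successfully!`, becomes `--password ********` and the completion status is dropped. The value there is single-quoted, so `(password )('[^']*'|\S+)` with `\1********` would mask it and keep the trailing status. Note also that the new alternative is unanchored, so any line containing `password ` followed by a space has its whole tail replaced, not just command-line flags; that is conservative for a log scrubber but should be stated in the commit message and covered by a test case.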


Will clone BZ to sos and raise upstream PR for it.

Comment 7 Lukas Zapletal 2020-01-07 14:50:50 UTC
If the concern is the installer, then I am changing to it. I think there is some filtering mechanism in KAFO.

Comment 9 Bryan Kearney 2020-01-07 15:07:56 UTC
Upstream bug assigned to lzap@redhat.com

Comment 10 Bryan Kearney 2020-01-07 15:08:02 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28553 has been resolved.
