Bug 2063342 - User and Service account token is visible in audit logs under profile `WriteRequestBodies` [NEEDINFO]
Summary: User and Service account token is visible in audit logs under profile `WriteRequestBodies`
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Sergiusz Urbaniak
QA Contact: Xingxing Xia
URL:
Whiteboard: EmergencyRequest
Depends On:
Blocks:
 
Reported: 2022-03-11 20:02 UTC by aharchin
Modified: 2023-01-16 15:08 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-16 14:43:05 UTC
Target Upstream Version:
Embargoed:
mfojtik: needinfo?


Attachments:


Links:
Github openshift/cluster-authentication-operator pull 558 (open): Bug 2063342: vendor: bump library-go (last updated 2022-03-15 08:53:45 UTC)
Github openshift/cluster-kube-apiserver-operator pull 1330 (open): Bug 2063342: vendor: bump library-go (last updated 2022-03-15 08:55:48 UTC)
Github openshift/library-go pull 1327 (open): WIP: Bugzilla 2063342: audit/manifests: exclude tokenreviews from audit logs (last updated 2022-03-14 10:19:38 UTC)
Red Hat Issue Tracker OCPBUGS-2765 (last updated 2023-01-10 14:02:24 UTC)
Red Hat Knowledge Base (Solution) 6983753 (last updated 2022-11-23 08:50:28 UTC)

Description aharchin 2022-03-11 20:02:26 UTC
Description of problem:

User and service account tokens are visible in audit logs under the `WriteRequestBodies` profile.


How reproducible: every time

Steps to Reproduce:
1. Enable the audit policy profile `WriteRequestBodies` as described in the doc [0] (see the command sketch after step 2)

 [0] https://docs.openshift.com/container-platform/4.8/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config

2. Check the audit logs
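
A minimal sketch of both steps (assuming cluster-admin access; the grep pattern and the <master-node-name> placeholder are only illustrative, while `oc adm node-logs` is the documented way to read audit logs from the control-plane nodes):

# Step 1: switch the cluster audit profile (this triggers a kube-apiserver rollout)
oc patch apiserver cluster --type=merge -p '{"spec":{"audit":{"profile":"WriteRequestBodies"}}}'

# Step 2: after the rollout, inspect the audit logs on a control-plane node
oc adm node-logs --role=master --path=kube-apiserver/                          # list available audit log files
oc adm node-logs <master-node-name> --path=kube-apiserver/audit.log | grep '"token":"'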


Actual results: User and service account tokens are visible in the audit log files


Expected results: User and service account tokens should not be visible in the audit log files

Comment 2 Michal Fojtik 2022-03-11 20:08:03 UTC
** A NOTE ABOUT USING URGENT **

This BZ has been set to urgent severity and priority. When a BZ is marked urgent priority, engineers are asked to stop whatever they are doing and put everything else on hold.
Please be prepared to have a reasonable justification ready to discuss, and ensure your own and engineering management are aware of and agree that this BZ is urgent. Keep in mind that urgent bugs are very expensive and have maximal management visibility.

NOTE: This bug was automatically assigned to an engineering manager with the severity reset to *unspecified* until the emergency is vetted and confirmed. Please do not manually override the severity.

** INFORMATION REQUIRED **

Please answer these questions before escalation to engineering:

1. Has a link to must-gather output been provided in this BZ? We cannot work without it. If must-gather fails to run, attach all relevant logs and provide the error message of must-gather.
2. Give the output of "oc get clusteroperators -o yaml".
3. In case of degraded/unavailable operators, have all their logs and the logs of the operands been analyzed? [yes/no]
4. List the top 5 relevant errors from the logs of the operators and operands in (3).
5. Order the list of degraded/unavailable operators according to which is likely the cause of the failure of the other, root-cause at the top.
6. Explain why (5) is likely the right order and list the information used for that assessment.
7. Explain why Engineering is necessary to make progress.


Comment 12 Xingxing Xia 2022-04-13 16:11:57 UTC
Sorry, as synced in Slack, I couldn't spend time on this earlier due to other work. Today I tested in 4.11.0-0.nightly-2022-04-13-072124: tokenreviews of the k8s group are now indeed audited at "level":"Metadata", so kube-apiserver/audit*.log no longer expose tokens. But note that there are two tokenreviews groups:
$ oc api-resources | grep token
...
tokenreviews                                              authentication.k8s.io/v1                      false        TokenReview
...
tokenreviews                                              oauth.openshift.io/v1                         false        TokenReview
...

The PR only excludes the k8s group authentication.k8s.io/v1. The tokenreviews of group oauth.openshift.io/v1 still expose tokens in oauth-apiserver/audit*.log, like:
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e44f31f1-a134-4c28-926a-1455ce903039","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/tokenreviews?timeout=30s","verb":"create","user":{"username":"system:serviceaccount:openshift-oauth-apiserver:openshift-authenticator","groups":["system:authenticated"]},"sourceIPs":["10.128.0.1"],"userAgent":"Go-http-client/2.0","objectRef":{"resource":"tokenreviews","apiGroup":"oauth.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"TokenReview","apiVersion":"authentication.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"token":"sha256~3QXUWU29_yTsssQDUHIwhX4h9sK2QUqThlIJgdn-cXE","audiences":["https://kubernetes.default.svc"]},"status":{"user":{}}},"responseObject":{"kind":"TokenReview","apiVersion":"authentication.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"token":"sha256~3QXUWU29_yTsssQDUHIwhX4h9sK2QUqThlIJgdn-cXE","audiences":["https://kubernetes.default.svc"]},"status":{"authenticated":true,"user":{"username":"testuser-30","uid":"069b4328-3e0c-43e9-a8f8-27984c71b013","groups":["system:authenticated:oauth"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"audiences":["https://kubernetes.default.svc"]}},"requestReceivedTimestamp":"2022-04-13T15:08:02.748219Z","stageTimestamp":"2022-04-13T15:08:02.784684Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"requesting tokenreviews is allowed"}}

As for tokenrequests, I followed https://docs.openshift.com/container-platform/4.10/authentication/bound-service-account-tokens.html hoping to trigger tokenrequests and then grepped for tokenrequests in /var/log/, but grep found nothing at all, not even Metadata-level entries; I'm not sure why. It seems tokenrequests are not audited at any level. Should I create a bug for it?

Comment 14 Xingxing Xia 2022-06-17 09:45:05 UTC
Revisiting my comment 12:
> As for tokenrequests, I followed https://docs.openshift.com/container-platform/4.10/authentication/bound-service-account-tokens.html hoping to trigger tokenrequests and then grepped for tokenrequests in /var/log/, but grep found nothing at all
I assumed tokenrequests would show up in the "requestURI" field of the audit logs, which is why I found nothing; I forgot to check https://docs.openshift.com/container-platform/4.10/rest_api/authorization_apis/tokenrequest-authentication-k8s-io-v1.html#tokenrequest-authentication-k8s-io-v1 , which shows that the requestURI for tokenrequests instead looks like /api/v1/namespaces/{namespace}/serviceaccounts/{name}/token.
So today I retested tokenrequests in a 4.11.0-0.nightly-2022-06-15-222801 env:

oc edit apiserver cluster
...
spec:
  audit:
    profile: WriteRequestBodies

oc get po -n openshift-kube-apiserver -L revision -l apiserver -w
Wait about 15 mins for kube-apiserver pods to roll out.

Then:
oc new-project test-proj
MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`

NOW=$(date -u "+%s")
echo "$NOW"
echo "$NOW" > now

Create any pod under test-proj (the pod automatically uses a bound service account token, which the kubelet obtains by posting TokenRequests):
oc new-app httpd --name httpd-2 -n test-proj

Check the audit logs in /var/log/kube-apiserver:
DIRECTORY=kube-apiserver
PATTERN='/token'
oc config use-context admin
for i in $MASTERS
do
  oc debug no/$i -- chroot /host bash -c "grep -ihE '$PATTERN' /var/log/$DIRECTORY/audit*.log || true"
done | jq -c 'select (.requestReceivedTimestamp | .[0:19] + "Z" | fromdateiso8601 > '"`cat now`)" > audit_tokenrequest.log

TokenRequests audit logs leak tokens:
vi audit_tokenrequest.log
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"f1e2d851-41e5-4f81-a715-02da803533ba","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/test-proj/serviceaccounts/default/token","verb":"create","user":{"username":"system:node:xxia-617c-tgr6k-worker-northcentralus-62hvx","groups":["system:nodes","system:authenticated"]},"sourceIPs":["10.0.128.4"],"userAgent":"kubelet/v1.24.0+cb71478 (linux/amd64) kubernetes/0a57f1f","objectRef":{"resource":"serviceaccounts","namespace":"test-proj","name":"default","apiVersion":"v1","subresource":"token"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"TokenRequest","apiVersion":"authentication.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"audiences":null,"expirationSeconds":3607,"boundObjectRef":{"kind":"Pod","apiVersion":"v1","name":"httpd-2-56dd889b6-2pjp9","uid":"644527ca-aebc-45d9-ab2f-f2b25019c9d7"}},"status":{"token":"","expirationTimestamp":null}},"responseObject":{"kind":"TokenRequest","apiVersion":"authentication.k8s.io/v1","metadata":{"name":"default","namespace":"test-proj","creationTimestamp":"2022-06-17T09:11:11Z"},"spec":{"audiences":["https://kubernetes.default.svc"],"expirationSeconds":3607,"boundObjectRef":{"kind":"Pod","apiVersion":"v1","name":"httpd-2-56dd889b6-2pjp9","uid":"644527ca-aebc-45d9-ab2f-f2b25019c9d7"}},"status":{"token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImNVUnY1VFJaR0RtQU9NYm9yd1ptNXB2OHZ3TXpJOG51TTFrOS01LTJjV28ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY4Njk5MzA3MSwiaWF0IjoxNjU1NDU3MDcxLCJpc3MiOiJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdC5zdmMiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6InRlc3QtcHJvaiIsInBvZCI6eyJuYW1lIjoiaHR0cGQtMi01NmRkODg5YjYtMnBqcDkiLCJ1aWQiOiI2NDQ1MjdjYS1hZWJjLTQ1ZDktYWIyZi1mMmIyNTAxOWM5ZDcifSwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImRlZmF1bHQiLCJ1aWQiOiJiOWM3NDhjYS0zNDZkLTQ3MWItYWNhMC05ZmVmOTE4YzUxODgifSwid2FybmFmdGVyIjoxNjU1NDYwNjc4fSwibmJmIjoxNjU1NDU3MDcxLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dGVzdC1wcm9qOmRlZmF1bHQifQ.38eFGcw01yNlmgfmNePtwyk68tYDVIX-rnERQPSa1_qEGbQI22ruj-X2XikRXIDwOTABveZsE_X4PQBXucLt_Q3yObwJNRQGnZYBaUBMPRMI_oBuJlTosfMI2Y3YOpDEDQ2nOq9xhxGC4_XI8oUWwaU9IVCLXAwyinncJvVtXgGdxeUF9uBhv9t3-_csRId1hObXbkRoycFx1z4w14ITZ8YOGG6dDN3BBa_uJbj1C1lrAmKlMNudXlicSYThK4sQI9sKZCzYKQYeuenzmVnH60o4aJaiMP8cRkiT98mILKn-07purorrcJ7p6wc2Gu_U6nIKD9e-oTOujoNPy9W_Gp-oPcZ9j1pbn0laTAEkJ1DguntsukImBw1PVYAiLqHzgmWrfdPADlxWQ8hXEOFd2tdgq6t6kukOg2cLlcj0JpQobceIKju606ZHPy0JsSL4kf4kAY55pZNDEhnCQwENjBA77hyUbAd96AITW3Ae5UVSnlpL4-huVDKQ89OABgs6k1T_U8H8vb6BkdJJauHb7x_VQ3OopLvZkakSc8YpS2p59qQspDngz3V-KzGFvHKniE5iRe6Tjm2J5sR7pX6NvP3qBRdiX-WCb8VStzfNT1VBQPaNBywRClnVtphRmrniv8Gp_ivt87Fq8Ihy9Ue2tXifJ0QrQsFkyuMrxqHFYF0","expirationTimestamp":"2022-06-17T10:11:18Z"}},"requestReceivedTimestamp":"2022-06-17T09:11:11.415527Z","stageTimestamp":"2022-06-17T09:11:11.437439Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

In conclusion: in addition to the further fix needed for tokenreviews of group oauth.openshift.io/v1 as said in comment 12, for tokenrequests the fix PR should exclude the "token" subresource of serviceaccounts, instead of a "tokenrequests" resource as the previous https://github.com/openshift/library-go/pull/1327/files did with `resources: [..., "tokenrequests"]`. :)
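
To make that conclusion concrete, a rough sketch of the kind of audit policy rule that would cover all three cases; this is standard Kubernetes audit Policy syntax and only an illustration, not the actual library-go change:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
# Sketch: force Metadata level (no request/response bodies) for token-carrying
# resources, so tokens never end up in the audit logs.
- level: Metadata
  resources:
  - group: "authentication.k8s.io"
    resources: ["tokenreviews"]
  - group: "oauth.openshift.io"
    resources: ["tokenreviews"]
  - group: ""                               # core API group
    resources: ["serviceaccounts/token"]    # TokenRequest is the "token" subresource of serviceaccounts
# ... the remaining WriteRequestBodies rules would follow here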

Comment 15 Xingxing Xia 2022-06-17 10:11:35 UTC
BTW answering Akhil Harchinder:
> I'm wondering how we could identify suspicious/malicious activity related to the leaked tokens. Using system:serviceaccount:openshift-monitoring:prometheus-k8s as an example
Hi, I'm from QE. AFAIK the way is to check the audit logs for the users that own the leaked tokens, like:
MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
PATTERN='"user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s"'
for i in $MASTERS
do
  oc debug no/$i -- chroot /host bash -c "grep -hE '$PATTERN' /var/log/*server/audit*.log || true"
done > audit_user_activities.log

Sort the activities by timestamp:
jq -cs 'sort_by(.requestReceivedTimestamp)' audit_user_activities.log | jq -c '.[]' > audit_user_activities_sorted.log

Then check audit_user_activities_sorted.log to analyze the activities, or do further filtering as you want, e.g. on the "sourceIPs" and "userAgent" fields:
...,"sourceIPs":["66.187.232.129"],"userAgent":"oc/4.11.0 (linux/amd64) kubernetes/63bee3e",... <-- this should be some human activities
...,"sourceIPs":["10.0.128.6"],"userAgent":"Prometheus/2.36.1",...                              <-- this should be internal activities

Hopefully this can be of some help.

Comment 19 Michal Fojtik 2023-01-16 14:43:05 UTC
Dear reporter, we greatly appreciate the bug you have reported here. Unfortunately, due to migration to a new issue-tracking system (https://issues.redhat.com/), we cannot continue triaging bugs reported in Bugzilla. Since this bug has been stale for multiple days, we have decided to close it.
If you think this is a mistake, or this bug has a higher priority or severity than currently set, please feel free to reopen it and tell us why. We are going to move every re-opened bug to https://issues.redhat.com.

Thank you for your patience and understanding.

Comment 20 David Hernández Fernández 2023-01-16 15:08:22 UTC
Tracked here instead: https://issues.redhat.com/browse/OCPBUGS-2765

