In puppet-candlepin shipped with the foreman-installer rpm, when calling /usr/share/candlepin/cpdb with --password, cpdb calls liquibase.sh (which calls java) and that leaks the password in the process list.