RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 830256 - Audit log - clear text password in user changes
Summary: Audit log - clear text password in user changes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 830319 830889 CVE-2012-2746
TreeView+ depends on / blocked
 
Reported: 2012-06-08 16:27 UTC by Noriko Hosoi
Modified: 2020-09-13 20:10 UTC (History)
6 users (show)

Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Enabling audit logging and performing a password change operation using the clear text password. Consequence: The clear text password is logged in the audit log in the unhashed#user#password attribute. Fix: Added a nsslapd-audit-logging-hide-unhashed-pw configuration attribute. If this attribute is "on", the clear text password is logged, otherwise, it is not. The default is "off" - do not log the password. Result: By default, no clear text password is logged. User can choose to log it and take appropriate security measures.
Clone Of:
: 830319 (view as bug list)
Environment:
Last Closed: 2013-02-21 08:17:18 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 365 0 None closed Audit log - clear text password in user changes 2020-11-19 13:09:03 UTC
Red Hat Product Errata RHSA-2013:0503 0 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2013-02-21 08:18:44 UTC

Description Noriko Hosoi 2012-06-08 16:27:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/365

I have an 389 DS (version 1.2.10.4)  with AD replication and I enabled 
the audit log, but when I change a user password, shows the unhashed 
password in the audit log file:

> time: 20120404113336
> dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
> -
> replace: modifiersname
> modifiersname: 
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
>  t
> -
> replace: modifytimestamp
> modifytimestamp: 20120404143336Z
> -
> replace: unhashed#user#password
> unhashed#user#password: maisumteste
> -
>
I Already know that is the expected behavior. Is there any way to disable it?

Because I need the audit log but i dont want to show up user´s password in the log file.

Comment 5 Amita Sharma 2012-06-12 13:08:09 UTC
[root@dhcp201-194 6.0]# rpm -qa | grep 389
389-ds-base-1.2.10.2-17.el6_3.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.14-1.el6.x86_64
389-ds-base-debuginfo-1.2.10.2-17.el6_3.x86_64
389-admin-1.1.25-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-debuginfo-1.1.25-1.el6.x86_64
389-ds-base-libs-1.2.10.2-17.el6_3.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-devel-1.2.10.2-17.el6_3.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.14-1.el6.x86_64

quickinstall startup 	100% (2/2) 	  	 
Basic run 	100% (49/49) 	  	 
QuickUninstall cleanup 	100% (1/1)

Comment 6 Vincent Danen 2012-06-19 15:08:01 UTC
This issue has been given the name CVE-2012-2746 and is being handled as a security flaw (see bug #833482).

Comment 7 Jenny Severance 2012-11-19 17:53:38 UTC
This bug was verified with the RHEL 6.3 branch, but not yet with the RHEL 6.4 branch, setting it back to ON_QA

Comment 8 Sankar Ramalingam 2012-11-20 02:00:53 UTC
RHEL64 official acceptance tests for basic tests is 100% PASS. Hence marking the bug as Verified.

############## Result  for  backend test :   Basic run
    Basic run elapse time : 00:04:06
    Basic run Tests PASS      : 100% (55/55)
-----------------------------------------------
add an user uid=u365
adding new entry uid=u365,o=airius.com

adding an entry u365: OK
modifying entry uid=u365,o=airius.com

replacing userpassword of an entry u365: OK
check audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit
grep u365 /var/log/dirsrv/slapd-dell-pe2800-01/audit
dn: uid=u365,o=airius.com
uid: u365
dn: uid=u365,o=airius.com
dn: uid=u365,o=airius.com
Found u365 in /var/log/dirsrv/slapd-dell-pe2800-01/audit
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include unhashed#user#password
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include clear password: newtuser0
disabling audig log
modifying entry cn=config

disabling audig log: OK
TestCase [trac365] result-> [PASS]

Comment 10 errata-xmlrpc 2013-02-21 08:17:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html


Note You need to log in before you can comment on or make changes to this bug.