Bug 830256 – Audit log - clear text password in user changes

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 830256 - Audit log - clear text password in user changes

Summary:	Audit log - clear text password in user changes

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	389-ds-base (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	high Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Rich Megginson
QA Contact:	IDM QE LIST
Docs Contact:

URL:
Whiteboard:
Keywords:	Security, SecurityTracking, ZStream

Depends On:
Blocks:	830319 830889 CVE-2012-2746
	Show dependency tree / graph

Reported:	2012-06-08 12:27 EDT by Noriko Hosoi
Modified:	2013-02-21 03:17 EST (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	389-ds-base-1.2.11.12-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Enabling audit logging and performing a password change operation using the clear text password. Consequence: The clear text password is logged in the audit log in the unhashed#user#password attribute. Fix: Added a nsslapd-audit-logging-hide-unhashed-pw configuration attribute. If this attribute is "on", the clear text password is logged, otherwise, it is not. The default is "off" - do not log the password. Result: By default, no clear text password is logged. User can choose to log it and take appropriate security measures.
Story Points:	---
Clone Of:
Clones:	830319 (view as bug list)
Environment:
Last Closed:	2013-02-21 03:17:18 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0503	normal	SHIPPED_LIVE	Moderate: 389-ds-base security, bug fix, and enhancement update	2013-02-21 03:18:44 EST

Groups: None (edit)

Description Noriko Hosoi 2012-06-08 12:27:01 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/365

I have an 389 DS (version 1.2.10.4)  with AD replication and I enabled 
the audit log, but when I change a user password, shows the unhashed 
password in the audit log file:

> time: 20120404113336
> dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
> -
> replace: modifiersname
> modifiersname: 
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
>  t
> -
> replace: modifytimestamp
> modifytimestamp: 20120404143336Z
> -
> replace: unhashed#user#password
> unhashed#user#password: maisumteste
> -
>
I Already know that is the expected behavior. Is there any way to disable it?

Because I need the audit log but i dont want to show up user´s password in the log file.

Comment 5 Amita Sharma 2012-06-12 09:08:09 EDT

[root@dhcp201-194 6.0]# rpm -qa | grep 389
389-ds-base-1.2.10.2-17.el6_3.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.14-1.el6.x86_64
389-ds-base-debuginfo-1.2.10.2-17.el6_3.x86_64
389-admin-1.1.25-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-debuginfo-1.1.25-1.el6.x86_64
389-ds-base-libs-1.2.10.2-17.el6_3.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-devel-1.2.10.2-17.el6_3.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.14-1.el6.x86_64

quickinstall startup 	100% (2/2) 	  	 
Basic run 	100% (49/49) 	  	 
QuickUninstall cleanup 	100% (1/1)

Comment 6 Vincent Danen 2012-06-19 11:08:01 EDT

This issue has been given the name CVE-2012-2746 and is being handled as a security flaw (see bug #833482).

Comment 7 Jenny Galipeau 2012-11-19 12:53:38 EST

This bug was verified with the RHEL 6.3 branch, but not yet with the RHEL 6.4 branch, setting it back to ON_QA

Comment 8 Sankar Ramalingam 2012-11-19 21:00:53 EST

RHEL64 official acceptance tests for basic tests is 100% PASS. Hence marking the bug as Verified.

############## Result  for  backend test :   Basic run
    Basic run elapse time : 00:04:06
    Basic run Tests PASS      : 100% (55/55)
-----------------------------------------------
add an user uid=u365
adding new entry uid=u365,o=airius.com

adding an entry u365: OK
modifying entry uid=u365,o=airius.com

replacing userpassword of an entry u365: OK
check audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit
grep u365 /var/log/dirsrv/slapd-dell-pe2800-01/audit
dn: uid=u365,o=airius.com
uid: u365
dn: uid=u365,o=airius.com
dn: uid=u365,o=airius.com
Found u365 in /var/log/dirsrv/slapd-dell-pe2800-01/audit
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include unhashed#user#password
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include clear password: newtuser0
disabling audig log
modifying entry cn=config

disabling audig log: OK
TestCase [trac365] result-> [PASS]

Comment 10 errata-xmlrpc 2013-02-21 03:17:18 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html

Note You need to log in before you can comment on or make changes to this bug.