Bug 830256 - Audit log - clear text password in user changes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Rich Megginson
QA Contact: IDM QE LIST
Keywords: Security, SecurityTracking, ZStream
Blocks: 830319 830889 CVE-2012-2746
Reported: 2012-06-08 12:27 EDT by Noriko Hosoi
Modified: 2013-02-21 03:17 EST
Fixed In Version: 389-ds-base-1.2.11.12-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Audit logging is enabled and a password change operation is performed using the clear text password.
Consequence: The clear text password is logged in the audit log in the unhashed#user#password attribute.
Fix: Added a nsslapd-audit-logging-hide-unhashed-pw configuration attribute. If this attribute is "on", the clear text password is logged; otherwise, it is not. The default is "off" - do not log the password.
Result: By default, no clear text password is logged. The user can choose to log it and take appropriate security measures.
Clones: 830319
Last Closed: 2013-02-21 03:17:18 EST
Attachments: None
Description Noriko Hosoi 2012-06-08 12:27:01 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/365

I have a 389 DS (version 1.2.10.4) with AD replication and I enabled
the audit log, but when I change a user password, it shows the unhashed
password in the audit log file:

> time: 20120404113336
> dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
> -
> replace: modifiersname
> modifiersname: 
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
>  t
> -
> replace: modifytimestamp
> modifytimestamp: 20120404143336Z
> -
> replace: unhashed#user#password
> unhashed#user#password: maisumteste
> -
>
I already know that this is the expected behavior. Is there any way to disable it?

Because I need the audit log, but I don't want the user's password to show up in the log file.
Comment 5 Amita Sharma 2012-06-12 09:08:09 EDT
[root@dhcp201-194 6.0]# rpm -qa | grep 389
389-ds-base-1.2.10.2-17.el6_3.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.14-1.el6.x86_64
389-ds-base-debuginfo-1.2.10.2-17.el6_3.x86_64
389-admin-1.1.25-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-debuginfo-1.1.25-1.el6.x86_64
389-ds-base-libs-1.2.10.2-17.el6_3.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-adminutil-devel-1.1.14-1.el6.x86_64
389-ds-base-devel-1.2.10.2-17.el6_3.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.14-1.el6.x86_64

quickinstall startup    100% (2/2)
Basic run               100% (49/49)
QuickUninstall cleanup  100% (1/1)
Comment 6 Vincent Danen 2012-06-19 11:08:01 EDT
This issue has been given the name CVE-2012-2746 and is being handled as a security flaw (see bug #833482).
Comment 7 Jenny Galipeau 2012-11-19 12:53:38 EST
This bug was verified with the RHEL 6.3 branch, but not yet with the RHEL 6.4 branch, setting it back to ON_QA
Comment 8 Sankar Ramalingam 2012-11-19 21:00:53 EST
RHEL64 official acceptance tests for basic tests are 100% PASS. Hence marking the bug as Verified.

############## Result  for  backend test :   Basic run
    Basic run elapse time : 00:04:06
    Basic run Tests PASS      : 100% (55/55)
-----------------------------------------------
add an user uid=u365
adding new entry uid=u365,o=airius.com

adding an entry u365: OK
modifying entry uid=u365,o=airius.com

replacing userpassword of an entry u365: OK
check audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit
grep u365 /var/log/dirsrv/slapd-dell-pe2800-01/audit
dn: uid=u365,o=airius.com
uid: u365
dn: uid=u365,o=airius.com
dn: uid=u365,o=airius.com
Found u365 in /var/log/dirsrv/slapd-dell-pe2800-01/audit
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include unhashed#user#password
audit log /var/log/dirsrv/slapd-dell-pe2800-01/audit does not include clear password: newtuser0
disabling audig log
modifying entry cn=config

disabling audig log: OK
TestCase [trac365] result-> [PASS]
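The check that the verification run above performs with grep, written out as an added example (this is not code from the bug report, from the acceptance test suite, or from 389-ds-base): it parses the LDIF-style audit log format quoted in the description, flags every record that wrote the unhashed#user#password attribute, and can also confirm that a known password value appears nowhere in the log. The sample log is constructed, the password value is a placeholder, and the record layout (blank-line separated records, "-" between changes, continuation lines starting with one space) is assumed to match the quoted excerpt.

```python
"""Scan a 389 DS audit log for records that leak a clear text password.

Added example, not code from the bug report or from 389-ds-base. The log
format is assumed from the excerpt quoted in the bug description.
"""
import re
from typing import Dict, List, Tuple

# Attribute that carried the clear text password in the vulnerable versions
# (name taken from the bug report). Compared case-insensitively.
LEAK_ATTR = "unhashed#user#password"

# LDIF change operations whose value names an attribute rather than holding one.
CHANGE_OPS = {"add", "replace", "delete"}

# Constructed sample log. The first record mirrors the one quoted in the bug
# (password replaced by a placeholder); the second is what a fixed server
# writes, with only the hashed value present.
SAMPLE_AUDIT_LOG = """\
time: 20120404113336
dn: uid=alberto.viana,OU=G,OU=RJ,dc=my,dc=domain
changetype: modify
replace: userPassword
userPassword: {SSHA}bqBSVbLJpqKCujEC2JC4ysaUUJuTsFe87AoPsQ==
-
replace: modifiersname
modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
-
replace: unhashed#user#password
unhashed#user#password: EXAMPLE-CLEARTEXT
-

time: 20121119210053
dn: uid=u365,o=airius.com
changetype: modify
replace: userPassword
userPassword: {SSHA}QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-
"""


def unfold(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the line before."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Split the log into records.

    Each record is {'time', 'dn', 'changetype', 'attrs': set of attribute
    names touched, 'values': list of (attribute, value) pairs written}.
    """
    records: List[Dict[str, object]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, object] = {"time": None, "dn": None, "changetype": None,
                                  "attrs": set(), "values": []}
        for line in unfold(block.splitlines()):
            if line == "-" or not line.strip():
                continue  # change separator or stray blank line
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key in ("time", "dn", "changetype"):
                rec[key] = value
            elif key in CHANGE_OPS:
                rec["attrs"].add(value)          # e.g. "replace: userPassword"
            else:
                rec["attrs"].add(key)            # e.g. "userPassword: {SSHA}..."
                rec["values"].append((key, value))
        records.append(rec)
    return records


def find_cleartext_leaks(text: str) -> List[Tuple[str, str]]:
    """Return (time, dn) for every record that wrote the clear text password attribute."""
    return [(r["time"], r["dn"]) for r in parse_audit_log(text)
            if any(a.lower() == LEAK_ATTR for a, _ in r["values"])]


def log_contains_value(text: str, secret: str) -> bool:
    """True if the literal value appears as an attribute value anywhere in the log
    (the second check the acceptance test performs, with the known test password)."""
    return any(v == secret for r in parse_audit_log(text) for _, v in r["values"])


if __name__ == "__main__":
    for t, dn in find_cleartext_leaks(SAMPLE_AUDIT_LOG):
        print(f"clear text password logged at {t} for {dn}")
```

Run against a real audit log, a non-empty result from find_cleartext_leaks means the passwords of the listed entries should be treated as exposed to anyone who could read the log, and the affected log files need the same handling as any file holding credentials.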
Comment 10 errata-xmlrpc 2013-02-21 03:17:18 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html
