I am a security researcher who found insecure coding practices in Chef scripts.
I want to know if practitioners agree with our findings. Feedback is welcome.
I noticed insecure coding practices in the following scripts:
Hard-coded passwords:
bifrost/playbooks/roles/bifrost-ironic-install/defaults/main.yml
bifrost/playbooks/roles/bifrost-keystone-install/defaults/main.yml
openstack-ansible/playbooks/healthcheck-infrastructure.yml
monasca-vagrant/roles/monasca-devstack/defaults/main.yml
openstack-ansible-ops/ansible_tools/playbooks/swift_storage_mount_drives.yml
tripleo-quickstart/roles/repo-setup/defaults/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_kibana/defaults/main.yml
bifrost/playbooks/roles/bifrost-create-vm-nodes/tasks/create_vm.yml
bifrost/playbooks/roles/bifrost-openstack-ci-prep/tasks/main.yml
browbeat/ansible/install/roles/collectd-openstack/defaults/main.yml
openstack-ansible-ops/pxelinux-provisioning/playbooks/group_vars/all.yml
tripleo-quickstart/roles/libvirt/setup/overcloud/tasks/vars/libvirt_nodepool_vars.yml
******************************************************************************
Use of HTTP without TLS: HTTP is used without TLS
openstack-ansible-ops/multi-node-aio/playbooks/group_vars/all.yml
openstack-ansible-ops/multi-node-aio/playbooks/vars/openstack-service-config.yml
browbeat/ansible/install/roles/kibana-visualization/tasks/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_rollup/tasks/main.yml
bifrost/playbooks/roles/bifrost-keystone-install/defaults/main.yml
bifrost/playbooks/roles/bifrost-ironic-install/defaults/main.yml
openstack-ansible-ops/pxelinux-provisioning/playbooks/group_vars/all.yml
tripleo-quickstart/roles/libvirt/defaults/main.yml
bifrost/playbooks/roles/bifrost-keystone-client-config/defaults/main.yml
browbeat/ansible/install/roles/es-template/tasks/main.yml
browbeat/ansible/install/roles/collectd-openstack/tasks/main.yml
openstack-ansible/playbooks/ceph-install.yml
openstack-ansible/playbooks/defaults/healthchecks-vars.yml
ansible-role-container-registry/handlers/main.yml
ansible-role-python_venv_build/tests/test.yml
bifrost/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
bifrost/playbooks/roles/bifrost-test-inspection/defaults/main.yml
bifrost/playbooks/roles/bifrost-configdrives-dynamic/defaults/main.yml
bifrost/playbooks/roles/bifrost-unprovision-node-dynamic/defaults/main.yml
bifrost/playbooks/roles/ironic-delete-dynamic/defaults/main.yml
bifrost/playbooks/roles/bifrost-deploy-nodes-dynamic/defaults/main.yml
browbeat/ansible/install/roles/rsyslog-install/tasks/main.yml
browbeat/ansible/install/roles/fluentd/tasks/main.yml
browbeat/ansible/install/roles/logstash/tasks/main.yml
browbeat/ansible/install/roles/stockpile/tasks/main.yml
openstack-ansible/playbooks/healthcheck-infrastructure.yml
openstack-ansible/playbooks/defaults/source_install.yml
openstack-ansible/inventory/group_vars/all/octavia.yml
openstack-ansible/inventory/group_vars/all/designate.yml
openstack-ansible-ops/multi-node-aio/playbooks/deploy-acng.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_repositories/vars/redhat.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_kibana/defaults/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_retention/tasks/main.yml
******************************************************************************
Binding to 0.0.0.0: An IP address that is invalid, such as 0.0.0.0, is used
openstack-ansible/playbooks/defaults/healthchecks-vars.yml
openstack-ansible-ops/multi-node-aio/playbooks/group_vars/all.yml
openstack-ansible-ops/pxelinux-provisioning/playbooks/group_vars/all.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_kibana/defaults/main.yml
openstack-ansible-ops/elk_metrics_6x/roles/elastic_apm_server/defaults/main.yml
******************************************************************************
I did not find a project that addresses the 'browbeat', 'openstack-ansible', 'openstack-ansible-ops', 'bifrost', or 'cookbook-openstack-identity' repos, so I am filing this bug report in the 'Openstack+Chef' project. This is more of a validation report than a bug report, in which I am asking OpenStack developers if they agree with these insecure coding practice occurrences. Feedback welcome.
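As an added example (not part of the report above and not code from any of the listed repositories), a small line-based checker for the three categories the report names, run over a constructed YAML fragment; every key name, host name and value in the sample is made up.

```python
import re
from typing import List, Tuple

# Constructed sample shaped like a role defaults/main.yml; not taken from any
# of the repositories named in the report.
SAMPLE_YAML = """\
---
keystone_admin_password: "ChangeMe123"
ironic_db_password: secrete
kibana_listen_address: 0.0.0.0
elastic_url: http://elk.internal:9200
glance_api_url: https://glance.internal:9292
placeholder_pass: "{{ lookup('env', 'KEYSTONE_PASS') }}"
repo_mirror: "http://mirror.example.org/centos"
bind_host: 127.0.0.1
"""

# A key that looks secret-bearing, followed by its value.
SECRET_KEY = re.compile(r'^\s*[\w\-]*(pass|passwd|password|secret|token)[\w\-]*\s*:\s*(.+?)\s*$', re.I)
# Plain-text HTTP URL (https:// does not match because of the literal "://").
HTTP_URL = re.compile(r'\bhttp://[^\s\'"]+')
# 0.0.0.0 as a whole address, not as a substring of another address.
ANY_ADDR = re.compile(r'(?<![\d.])0\.0\.0\.0(?![\d.])')
# Jinja expression: the value is resolved at run time, so it is not a literal.
TEMPLATED = re.compile(r'\{\{.*\}\}')

def is_literal_secret(value: str) -> bool:
    """True when the value is a non-empty literal rather than a templated reference."""
    v = value.strip().strip('\'"')
    return bool(v) and not TEMPLATED.search(v)

def scan_yaml(text: str, path: str = "<constructed>") -> List[Tuple[str, int, str, str]]:
    """Return (path, line, category, line_text) for each flagged line.

    Line-based on purpose: it does not parse YAML, so multi-line values and
    '#' inside quoted strings are out of scope for this checker.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split('#', 1)[0]          # drop trailing YAML comments
        m = SECRET_KEY.match(code)
        if m and is_literal_secret(m.group(2)):
            findings.append((path, lineno, "hard-coded-secret", code.strip()))
        if HTTP_URL.search(code):
            findings.append((path, lineno, "http-without-tls", code.strip()))
        if ANY_ADDR.search(code):
            findings.append((path, lineno, "binds-any-address", code.strip()))
    return findings

if __name__ == "__main__":
    for path, lineno, category, text in scan_yaml(SAMPLE_YAML):
        print(f"{path}:{lineno}: {category}: {text}")
```

The templated `placeholder_pass` and the `https://` URL are deliberately not flagged, which is the distinction a triager needs when deciding whether a listed file carries a real literal or a CI placeholder.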
From an openstack-ansible perspective, the passwords are placeholder values that need to be present to allow any form of CI test to run. Production deployments should use standard variable overrides and undertake their own security audit.