Cleartext passwords are present in the logs
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX | Fix Released | Low | Lu Yao Chen | | |
Bug Description
Brief Description
-----------------
Several log files generated by the system contain cleartext passwords.
● /root/ansible.log
● /var/log/bash.log
● /var/log/
● /var/log/
● /var/log/user.log
Passwords in log files should be masked, or not logged at all. Some passwords in Ansible logs can be masked by using the no_log attribute.
Severity
--------
Medium - security concern
Steps to Reproduce
------------------
Go on a long-running StarlingX system.
Examine the contents of the logs above.
Expected Behavior
------------------
Cleartext logs should not be present in the logs
Actual Behavior
----------------
Cleartext logs are present in the logs
Reproducibility
---------------
Reproducible
System Configuration
-------
any
Branch/Pull Time/Commit
-------
stx master, but issue is present in previous releases as well
Last Pass
---------
N/A
Timestamp/Logs
--------------
N/A
Test Activity
-------------
Other - security evaluation
Workaround
----------
N/A
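As an added illustration of the masking the report asks for (example code written for this page, not part of the bug report and not the StarlingX fix): a small Python filter that finds password values in log lines and replaces them with a fixed mask. The key names, regular expressions, and sample log lines are all constructed assumptions.

```python
import re

MASK = "********"
_KEY = r"(?:password|passwd|passphrase)"

# Each pattern keeps group 1 (the prefix) and masks group 2 (the value).
PATTERNS = [
    # JSON-style pair, as in Ansible task output: "admin_password": "value"
    re.compile(r'''(["']?\w*''' + _KEY + r'''\w*["']?\s*:\s*["'])([^"']+)''', re.I),
    # key=value, as in an environment assignment: OS_PASSWORD=value
    re.compile(r"(\b\w*" + _KEY + r"\w*\s*=\s*)([^\s&;,'\"]+)", re.I),
    # long command-line option in shell history: --password value
    re.compile(r"(--[\w-]*" + _KEY + r"[\w-]*[ =]+)([^\s-][^\s]*)", re.I),
]

def redact(line):
    """Return (masked_line, n), where n is the number of values masked."""
    hits = 0

    def _sub(match):
        nonlocal hits
        if match.group(2) == MASK:  # already masked by an earlier pattern
            return match.group(0)
        hits += 1
        return match.group(1) + MASK

    for pattern in PATTERNS:
        line = pattern.sub(_sub, line)
    return line, hits

def audit(lines):
    """Yield (line_number, masked_line) for each line that held a cleartext value."""
    for number, line in enumerate(lines, 1):
        masked, count = redact(line)
        if count:
            yield number, masked

# Constructed sample lines (not taken from a real StarlingX system).
SAMPLE = [
    "2021-06-01T10:00:00 bash: sysadmin: export OS_PASSWORD=Example123!",
    "2021-06-01T10:00:05 bash: sysadmin: some-cli --password Example123! --user bob",
    'ok: [localhost] => {"changed": false, "admin_password": "Example123!"}',
    "2021-06-01T10:00:09 sshd: Accepted password for sysadmin from 10.0.0.5",
]

if __name__ == "__main__":
    for number, masked in audit(SAMPLE):
        print(f"line {number}: {masked}")
```

Masking after the fact only catches the value shapes the patterns anticipate; suppressing the output at the source, as the report suggests with Ansible's no_log attribute, avoids writing the value at all.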
Changed in starlingx: | |
status: | In Progress → Fix Released |
tags: | added: stx.6.0 |
Changed in starlingx: | |
importance: | Medium → Low |
stx.5.0 / medium priority - would be nice to address in the next release