StarlingX

Cleartext password from user.log is not masked in collected logs

Bug #1953513 reported by João Victor Portal
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Low
João Victor Portal

Bug Description

Brief Description
-----------------
The collect tool doesn't mask public/private registry passwords in "/var/log/user.log" file.

Severity
--------
Minor

Steps to Reproduce
------------------
Deploy an AIOSX using a public/private registry with user and password. The following log will appear in "/var/log/user.log":

2021-12-07T10:57:36.000 localhost ansible-command: info Invoked with warn=True executable=None _uses_shell=True _raw_params=source /etc/platform/openrc; openstack secret store -n k8s-registry-secret -p 'username:reguser password:regpass' -c 'Secret href' -f value removes=None argv=None creates=None chdir=None stdin=None
2021-12-07T10:57:38.000 localhost ansible-command: info Invoked with warn=True executable=None _uses_shell=True _raw_params=source /etc/platform/openrc; openstack secret store -n gcr-registry-secret -p 'username:reguser password:regpass' -c 'Secret href' -f value removes=None argv=None creates=None chdir=None stdin=None

Use the command "collect all" to gather the logs.

Expected Behavior
------------------
The password "regpass" should be masked in the collected files.

Actual Behavior
----------------
The password "regpass" is not masked in the collected files.

Reproducibility
---------------
100% Reproducible.

System Configuration
--------------------
Any.

Branch/Pull Time/Commit
-----------------------
N/A.

Last Pass
---------
N/A.

Timestamp/Logs
--------------
N/A.

Test Activity
-------------
N/A.

Workaround
----------
N/A.

João Victor Portal (jvictorp)
summary: - Cleartext password from user.log are not masked in collected logs
+ Cleartext password from user.log is not masked in collected logs
OpenStack Infra (hudson-openstack)
Changed in starlingx:
status: New → In Progress
João Victor Portal (jvictorp)
Changed in starlingx:
assignee: nobody → João Victor Portal (jvictorp)
Revision history for this message
Ghada Khalil (gkhalil) wrote :

screening: would be nice to fix, but will not gate the upcoming stx.6.0 release.

tags: added: stx.tools
Changed in starlingx:
importance: Undecided → Low
Ghada Khalil (gkhalil)
tags: added: stx.security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/820524
Committed: https://opendev.org/starlingx/utilities/commit/bd02d9b9d55463f86657a75f0862f18302d4cb4c
Submitter: "Zuul (22348)"
Branch: master

commit bd02d9b9d55463f86657a75f0862f18302d4cb4c
Author: Joao Victor Portal <email address hidden>
Date: Mon Dec 6 10:35:42 2021 -0300

    Mask remaining passwords in user.log

    The password of public/private registry was not being masked in
    "user.log". A regular expression was added to match
    "password:theregistrypassword'".

    Test Plan:

    PASS: Deploy an AIOSX, collect logs and verify that all passwords are
    masked.

    Closes-Bug: 1953513
    Signed-off-by: Joao Victor Portal <email address hidden>
    Change-Id: Ice0785108df79e4eabbcd1e67926597c1f94166c

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.7.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.