collect is not masking the passwords in gzipped logs
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX |
Fix Released
|
Low
|
Al Bailey |
Bug Description
Brief Description
-----------------
The fix for https:/
Scanning the code shows that the collect_
zgrep -q 'snmp|password' $f || continue
The syntax needs to be
zgrep -q -E 'snmp|password' $f || continue
Severity
--------
Minor
Steps to Reproduce
------------------
To reproduce this in a real env, would require a bash.log containing a password entry to be log-rotated
The easier steps are:
echo "password" > /tmp/foo.txt
gzip /tmp/foo.txt
zgrep -q 'snmp|password' /tmp/foo.txt.gz
echo $?
Expected Behavior
------------------
Should output 0 (to indicate the word password was found)
Actual Behavior
----------------
Outputs 1
Reproducibility
---------------
100%
System Configuration
-------
Debian
Branch/Pull Time/Commit
-------
July 8, 2022
Last Pass
---------
N/A
Timestamp/Logs
--------------
N/A
Test Activity
-------------
Evaluation of a similar issue
Workaround
----------
see the description for the 'fix'
summary: |
- Debian: collect is not masking the passwords + Debian: collect is not masking the passwords in gzipped logs |
Changed in starlingx: | |
assignee: | nobody → Al Bailey (albailey1974) |
Changed in starlingx: | |
importance: | Undecided → Low |
tags: | added: stx.7.0 stx.security stx.tools |
It turns out that Centos would also have this issue. /github. com/starlingx/ utilities/ blob/master/ tools/collector /scripts/ collect_ mask_passwords# L126
This syntax for zgrep is also invalid on CentOS
https:/
I will update the title of the bug