collect is not masking the passwords in gzipped logs

Bug #1981101 reported by Al Bailey
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Al Bailey

Bug Description

Brief Description
-----------------
The fix for https://bugs.launchpad.net/starlingx/+bug/1980158 exposed that the zgrep syntax on Debian is different from that on CentOS.

Scanning the code shows that the collect_mask_passwords script will also have the same issue.

https://github.com/starlingx/utilities/blob/master/tools/collector/debian-scripts/collect_mask_passwords#L126

zgrep -q 'snmp|password' $f || continue

The syntax needs to be

zgrep -q -E 'snmp|password' $f || continue

Severity
--------
Minor

Steps to Reproduce
------------------
Reproducing this in a real env would require a bash.log containing a password entry to be log-rotated.
The easier steps are:
 echo "password" > /tmp/foo.txt
 gzip /tmp/foo.txt
 zgrep -q 'snmp|password' /tmp/foo.txt.gz
 echo $?

Expected Behavior
------------------
Should output 0 (to indicate the word password was found)

Actual Behavior
----------------
Outputs 1

Reproducibility
---------------
100%

System Configuration
--------------------
Debian

Branch/Pull Time/Commit
-----------------------
July 8, 2022

Last Pass
---------
N/A

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Evaluation of a similar issue

Workaround
----------
See the description for the 'fix'.
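The following is an added example, not the StarlingX collect_mask_passwords script itself. It builds a constructed gzipped bash.log, shows the exit status of zgrep with the original pattern (where the '|' is literal without -E) beside the corrected -E form, and applies a minimal, hypothetical masking pass guarded by the corrected zgrep check, the way the collect script skips files that contain no candidate line.

```shell
#!/bin/sh
# Added example (not the collect_mask_passwords script): why passwords in a
# rotated, gzipped bash.log were missed, and a masking pass using -E.
set -u

# Build a constructed gzipped log resembling a rotated bash.log.1.gz.
make_sample_log() {
  dir=$(mktemp -d)
  printf '%s\n' \
    'controller-0 bash: openstack --password hunter2 server list' \
    'controller-0 bash: ls -l /var/log' \
    'controller-0 bash: snmpwalk -v2c -c public localhost' > "$dir/bash.log.1"
  gzip "$dir/bash.log.1"
  echo "$dir/bash.log.1.gz"
}

# Exit status of the original (broken) check: without -E the pattern is a
# BRE, '|' is a literal character, and 'snmp|password' matches nothing.
broken_check() { zgrep -q 'snmp|password' "$1"; echo $?; }

# Exit status of the corrected check: -E makes '|' an alternation.
fixed_check() { zgrep -q -E 'snmp|password' "$1"; echo $?; }

# Mask the value following --password in a gzipped log, in place, but only
# when the file contains a candidate line (mirrors 'zgrep ... || continue').
# The sed rule is a hypothetical stand-in for the script's masking rules.
mask_gz() {
  f=$1
  zgrep -q -E 'snmp|password' "$f" || return 0
  tmp="$f.tmp"
  zcat "$f" | sed -E 's/(--password[ =])[^ ]+/\1xxxxxx/g' | gzip > "$tmp"
  mv "$tmp" "$f"
}

# Number of lines still carrying the cleartext password (0 once masked).
leaked_count() { zcat "$1" | grep -c 'hunter2' || true; }
```

With the broken check the guard returns 1 and the file is skipped, so the cleartext password survives in the collect bundle; with -E it is found and masked.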

Al Bailey (albailey1974)
summary: - Debian: collect is not masking the passwords
+ Debian: collect is not masking the passwords in gzipped logs
Al Bailey (albailey1974) wrote : Re: Debian: collect is not masking the passwords in gzipped logs

It turns out that CentOS would also have this issue.
This syntax for zgrep is also invalid on CentOS
https://github.com/starlingx/utilities/blob/master/tools/collector/scripts/collect_mask_passwords#L126

I will update the title of the bug

summary: - Debian: collect is not masking the passwords in gzipped logs
+ collect is not masking the passwords in gzipped logs
Al Bailey (albailey1974)
Changed in starlingx:
assignee: nobody → Al Bailey (albailey1974)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/utilities/+/849141

Changed in starlingx:
status: New → In Progress
Al Bailey (albailey1974) wrote :

You can verify this bug by running:

openstack --password foo

(the command will fail but it will add that line to the bash.log)

then trigger the bash log to be log rotated, and run collect.

Al Bailey (albailey1974) wrote :

This will generate bash.log.1.gz

sudo logrotate --force /etc/logrotate.d/syslog-ng

Al Bailey (albailey1974) wrote :

On CentOS to trigger the logrotate:
sudo logrotate --force /etc/logrotate.d/syslog

OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/849141
Committed: https://opendev.org/starlingx/utilities/commit/1763064edcb25a37f7c51085bdd176b75d456f50
Submitter: "Zuul (22348)"
Branch: master

commit 1763064edcb25a37f7c51085bdd176b75d456f50
Author: Al Bailey <email address hidden>
Date: Fri Jul 8 18:36:57 2022 +0000

    Fix password masking by collect for gzipped files

    The zgrep syntax for a regex search was incorrect.
    The -E argument is required.

    This meant that if a gzipped file (ie: bash.log.gz)
    was included in a collect, then its passwords would
    not be redacted.

    Closes-Bug: 1981101

    Test Plan:
     Verify that a gzipped bash log has its password
     redacted when running collect on CentOS and Debian.

    Signed-off-by: Al Bailey <email address hidden>
    Change-Id: I497813949b65137a93a91bf58ede2c591fb15f62

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.7.0 stx.security stx.tools