From 0700b161b0de23cd0c2c7ad742602d794e6ebca8 Mon Sep 17 00:00:00 2001
From: Jan Jansky
Date: Fri, 27 Sep 2024 10:44:16 +0200
Subject: [PATCH] Credentials obfuscation from multiple files
Resolves: RHEL-58096
Signed-off-by: Jan Jansky
---
 sos-obfuscate-environment.patch | 146 ++++++++++++++++++++++++++++++++
 sos.spec | 8 +-
 2 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 sos-obfuscate-environment.patch
diff --git a/sos-obfuscate-environment.patch b/sos-obfuscate-environment.patch
new file mode 100644
index 0000000..1b7b0b3
--- /dev/null
+++ b/sos-obfuscate-environment.patch
@@ -0,0 +1,146 @@
+From 60356d6b1096407ed9cd71cf519ac2a381bedee4 Mon Sep 17 00:00:00 2001
+From: Pavel Moravec
+Date: Fri, 27 Sep 2024 08:30:06 +0200
+Subject: [PATCH 1/1] [plugins] Obfuscate http URL credentials
+
+HTTP_PROXY or similar env.variables can contain credentials we must
+scrub. The variables or directly credentials of a http(s) URL can be
+specified in several places the commit deals with.
+
+Futher, update apt plugin to use the new do_paths_httpp_sub method.
+
+Resolves: #3789
+
+Signed-off-by: Pavel Moravec
+---
+ sos/report/plugins/__init__.py | 15 +++++++++++++++
+ sos/report/plugins/anaconda.py | 9 +++++----
+ sos/report/plugins/apt.py | 12 ++----------
+ sos/report/plugins/system.py | 6 ++++++
+ sos/report/plugins/systemd.py | 7 +++++++
+ 5 files changed, 35 insertions(+), 14 deletions(-)
+
+diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py
+index f88f0c0d..9b54c68a 100644
+--- a/sos/report/plugins/__init__.py
++++ b/sos/report/plugins/__init__.py
+@@ -1313,6 +1313,21 @@ class Plugin():
+ replacements = 0
+ return replacements
+
++ def do_paths_http_sub(self, pathspecs):
++ """ Obfuscate credentials in *_PROXY variables in all files in the
++ given list. Proxy setting without protocol is ignored, since that
++ is not recommended setting and obfuscating that one can hit false
++ positives.
++
++ :param pathspecs: A filepath to obfuscate credentials in
++ :type pathspecs: ``str`` or a ``list`` of strings
++ """
++ if isinstance(pathspecs, str):
++ pathspecs = [pathspecs]
++ for path in pathspecs:
++ self.do_path_regex_sub(
++ path, r"(http(s)?://)\S+:\S+(@.*)", r"\1******:******\3")
++
+ def do_path_regex_sub(self, pathexp, regexp, subst):
+ """Apply a regexp substituation to a set of files archived by
+ sos. The set of files to be substituted is generated by matching
+diff --git a/sos/report/plugins/anaconda.py b/sos/report/plugins/anaconda.py
+index 78577d3f..77f54d65 100644
+--- a/sos/report/plugins/anaconda.py
++++ b/sos/report/plugins/anaconda.py
+@@ -24,21 +24,21 @@ class Anaconda(Plugin, RedHatPlugin):
+
+ def setup(self):
+
+- paths = [
++ self.copypaths = [
+ "/root/anaconda-ks.cfg"
+ ]
+
+ if self.path_isdir('/var/log/anaconda'):
+ # new anaconda
+- paths.append('/var/log/anaconda')
++ self.copypaths.append('/var/log/anaconda')
+ else:
+- paths = paths + [
++ self.copypaths = self.copypaths + [
+ "/var/log/anaconda.*",
+ "/root/install.log",
+ "/root/install.log.syslog"
+ ]
+
+- self.add_copy_spec(paths)
++ self.add_copy_spec(self.copypaths)
+
+ def postproc(self):
+ self.do_file_sub(
+@@ -51,5 +51,6 @@ class Anaconda(Plugin, RedHatPlugin):
+ r"(user.*--password=*\s*)\s*(\S*)",
+ r"\1********"
+ )
++ self.do_paths_http_sub(self.copypaths)
+
+ # vim: set et ts=4 sw=4 :
+diff --git a/sos/report/plugins/apt.py b/sos/report/plugins/apt.py
+index 857a11b6..464cfb98 100644
+--- a/sos/report/plugins/apt.py
++++ b/sos/report/plugins/apt.py
+@@ -48,19 +48,11 @@ class Apt(Plugin, DebianPlugin, UbuntuPlugin):
+ def postproc(self):
+ super().postproc()
+
+- common_regex = r"(http(s)?://)\S+:\S+(@.*)"
+- common_replace = r"\1******:******\3"
+-
+- files_to_sub = [
++ self.do_paths_http_sub([
+ "/etc/apt/sources.list",
+ "/etc/apt/sources.list.d/",
+ "/etc/apt/apt.conf",
+ "/etc/apt/apt.conf.d/",
+- ]
+-
+- for file in files_to_sub:
+- self.do_path_regex_sub(
+- file, common_regex, common_replace
+- )
++ ])
+
+ # vim: set et ts=4 sw=4 :
+diff --git a/sos/report/plugins/system.py b/sos/report/plugins/system.py
+index cc282dc1..fcba1161 100644
+--- a/sos/report/plugins/system.py
++++ b/sos/report/plugins/system.py
+@@ -40,5 +40,11 @@ class System(Plugin, IndependentPlugin):
+ "ld.so --list-tunables"
+ ])
+
++ def postproc(self):
++ self.do_paths_http_sub([
++ "/etc/sysconfig",
++ "/etc/default",
++ "/etc/environment",
++ ])
+
+ # vim: set et ts=4 sw=4 :
+diff --git a/sos/report/plugins/systemd.py b/sos/report/plugins/systemd.py
+index a50a155e..b23b32fe 100644
+--- a/sos/report/plugins/systemd.py
++++ b/sos/report/plugins/systemd.py
+@@ -95,4 +95,11 @@ class Systemd(Plugin, IndependentPlugin):
+ ])
+ self.add_forbidden_path('/dev/null')
+
++ def postproc(self):
++ self.do_paths_http_sub([
++ "/etc/systemd/system",
++ "/lib/systemd/system",
++ "/run/systemd/system",
++ ])
++
+ # vim: set et ts=4 sw=4 :
+--
+2.43.5
+
diff --git a/sos.spec b/sos.spec
index f7f20fc..6643c6f 100644
--- a/sos.spec
+++ b/sos.spec
@@ -5,7 +5,7 @@ Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
 Version: 4.8.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
 Source1: sos-audit-%{auditversion}.tgz
@@ -24,6 +24,7 @@ Conflicts: vdsm < 4.40
 Obsoletes: sos-collector <= 1.9
 Patch0: sos-Revert-changed-formatting.patch
 Patch1: sos-RHEL-22732-Fix-check_file_too_big.patch
+Patch2: sos-obfuscate-environment.patch
 %description
 Sos is a set of tools that gathers information about system
@@ -36,6 +37,7 @@ support technicians and developers.
 %setup -T -D -a1 -q
 %patch -P 0 -p1
 %patch -P 1 -p1
+%patch -P 2 -p1
 %build
 %py3_build
@@ -108,6 +110,10 @@ of the system. Currently storage and filesystem commands are audited.
 %changelog
+* Fri Sep 27 2024 Jan Jansky = 4.8.0-4
+- Added credentials obfuscation from multiple files
+ Resolves: RHEL-58096
+
 * Wed Sep 25 2024 Jan Jansky = 4.8.0-3
 - Update 4.8.0
 Resolves: RHEL-58096
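Review bot: The pattern `r"(http(s)?://)\S+:\S+(@.*)"` in the new `do_paths_http_sub` (the `__init__.py` hunk of the embedded patch) ends in `(@.*)`, so one match consumes the rest of the line and a second credentialed URL on the same line (for example an `http_proxy=` and an `https_proxy=` assignment written on one line) keeps its password after the first is scrubbed, assuming `do_path_regex_sub` ends in a plain `re.sub` over the file content; ending the tail at whitespace lets every URL be scrubbed independently: `path, r"(http(s)?://)\S+:\S+(@\S*)", r"\1******:******\3")`. This matters more now than it did for apt alone, because the same regex is applied by the new `System.postproc` and `Systemd.postproc` to /etc/sysconfig, /etc/default, /etc/environment and the systemd unit directories, where several assignments per line are plausible. The docstring also promises narrower behaviour than the code has: it says "credentials in *_PROXY variables", but the regex scrubs any `http(s)://user:password@` URL in the matched files, so I would reword the summary to `Obfuscate http(s) URL credentials (user:password@) in all files matching the given path specs.` and have `:param pathspecs:` say that a single path or a list of paths is accepted. `do_path_regex_sub`'s body continues outside the hunk.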