rpms/sos
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Credentials obfuscation from multiple files

Browse Source 
Resolves: RHEL-58096

Signed-off-by: Jan Jansky <jjansky@redhat.com>
This commit is contained in:
Jan Jansky 2024-09-27 10:44:16 +02:00
parent f395777c55
commit 0700b161b0
2 changed files with 153 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
sos-obfuscate-environment.patch Normal file
View File

@ -0,0 +1,146 @@
From 60356d6b1096407ed9cd71cf519ac2a381bedee4 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Fri, 27 Sep 2024 08:30:06 +0200
Subject: [PATCH 1/1] [plugins] Obfuscate http URL credentials
HTTP_PROXY or similar env.variables can contain credentials we must
scrub. The variables or directly credentials of a http(s) URL can be
specified in several places the commit deals with.
Futher, update apt plugin to use the new do_paths_httpp_sub method.
Resolves: #3789
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/report/plugins/__init__.py | 15 +++++++++++++++
sos/report/plugins/anaconda.py | 9 +++++----
sos/report/plugins/apt.py | 12 ++----------
sos/report/plugins/system.py | 6 ++++++
sos/report/plugins/systemd.py | 7 +++++++
5 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py
index f88f0c0d..9b54c68a 100644
--- a/sos/report/plugins/__init__.py
+++ b/sos/report/plugins/__init__.py
@@ -1313,6 +1313,21 @@ class Plugin():
replacements = 0
return replacements
+ def do_paths_http_sub(self, pathspecs):
+ """ Obfuscate credentials in *_PROXY variables in all files in the
+ given list. Proxy setting without protocol is ignored, since that
+ is not recommended setting and obfuscating that one can hit false
+ positives.
+
+ :param pathspecs: A filepath to obfuscate credentials in
+ :type pathspecs: ``str`` or a ``list`` of strings
+ """
+ if isinstance(pathspecs, str):
+ pathspecs = [pathspecs]
+ for path in pathspecs:
+ self.do_path_regex_sub(
+ path, r"(http(s)?://)\S+:\S+(@.*)", r"\1******:******\3")
+
def do_path_regex_sub(self, pathexp, regexp, subst):
"""Apply a regexp substituation to a set of files archived by
sos. The set of files to be substituted is generated by matching
diff --git a/sos/report/plugins/anaconda.py b/sos/report/plugins/anaconda.py
index 78577d3f..77f54d65 100644
--- a/sos/report/plugins/anaconda.py
+++ b/sos/report/plugins/anaconda.py
@@ -24,21 +24,21 @@ class Anaconda(Plugin, RedHatPlugin):
def setup(self):
- paths = [
+ self.copypaths = [
"/root/anaconda-ks.cfg"
]
if self.path_isdir('/var/log/anaconda'):
# new anaconda
- paths.append('/var/log/anaconda')
+ self.copypaths.append('/var/log/anaconda')
else:
- paths = paths + [
+ self.copypaths = self.copypaths + [
"/var/log/anaconda.*",
"/root/install.log",
"/root/install.log.syslog"
]
- self.add_copy_spec(paths)
+ self.add_copy_spec(self.copypaths)
def postproc(self):
self.do_file_sub(
@@ -51,5 +51,6 @@ class Anaconda(Plugin, RedHatPlugin):
r"(user.*--password=*\s*)\s*(\S*)",
r"\1********"
)
+ self.do_paths_http_sub(self.copypaths)
# vim: set et ts=4 sw=4 :
diff --git a/sos/report/plugins/apt.py b/sos/report/plugins/apt.py
index 857a11b6..464cfb98 100644
--- a/sos/report/plugins/apt.py
+++ b/sos/report/plugins/apt.py
@@ -48,19 +48,11 @@ class Apt(Plugin, DebianPlugin, UbuntuPlugin):
def postproc(self):
super().postproc()
- common_regex = r"(http(s)?://)\S+:\S+(@.*)"
- common_replace = r"\1******:******\3"
-
- files_to_sub = [
+ self.do_paths_http_sub([
"/etc/apt/sources.list",
"/etc/apt/sources.list.d/",
"/etc/apt/apt.conf",
"/etc/apt/apt.conf.d/",
- ]
-
- for file in files_to_sub:
- self.do_path_regex_sub(
- file, common_regex, common_replace
- )
+ ])
# vim: set et ts=4 sw=4 :
diff --git a/sos/report/plugins/system.py b/sos/report/plugins/system.py
index cc282dc1..fcba1161 100644
--- a/sos/report/plugins/system.py
+++ b/sos/report/plugins/system.py
@@ -40,5 +40,11 @@ class System(Plugin, IndependentPlugin):
"ld.so --list-tunables"
])
+ def postproc(self):
+ self.do_paths_http_sub([
+ "/etc/sysconfig",
+ "/etc/default",
+ "/etc/environment",
+ ])
# vim: set et ts=4 sw=4 :
diff --git a/sos/report/plugins/systemd.py b/sos/report/plugins/systemd.py
index a50a155e..b23b32fe 100644
--- a/sos/report/plugins/systemd.py
+++ b/sos/report/plugins/systemd.py
@@ -95,4 +95,11 @@ class Systemd(Plugin, IndependentPlugin):
])
self.add_forbidden_path('/dev/null')
+ def postproc(self):
+ self.do_paths_http_sub([
+ "/etc/systemd/system",
+ "/lib/systemd/system",
+ "/run/systemd/system",
+ ])
+
# vim: set et ts=4 sw=4 :
--
2.43.5

8
sos.spec
View File

@ -5,7 +5,7 @@
Summary: A set of tools to gather troubleshooting information from a system
Name: sos
Version: 4.8.0
Release: 3%{?dist}
Release: 4%{?dist}
Group: Applications/System
Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
Source1: sos-audit-%{auditversion}.tgz
@ -24,6 +24,7 @@ Conflicts: vdsm < 4.40
Obsoletes: sos-collector <= 1.9
Patch0: sos-Revert-changed-formatting.patch
Patch1: sos-RHEL-22732-Fix-check_file_too_big.patch
Patch2: sos-obfuscate-environment.patch
%description
Sos is a set of tools that gathers information about system
@ -36,6 +37,7 @@ support technicians and developers.
%setup -T -D -a1 -q
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%build
%py3_build
@ -108,6 +110,10 @@ of the system. Currently storage and filesystem commands are audited.
%changelog
* Fri Sep 27 2024 Jan Jansky <jjansky@redhat.com> = 4.8.0-4
- Added credentials obfuscation from multiple files
Resolves: RHEL-58096
* Wed Sep 25 2024 Jan Jansky <jjansky@redhat.com> = 4.8.0-3
- Update 4.8.0
Resolves: RHEL-58096