sos/sos-cluster-crm-report-password-sanitize.patch
Bryn M. Reeves 89b86368f8 Update spec file for sos-3.2-1
Update sos in rawhide to the upstream 3.2 release and additional
patches including the fix for CVE-2015-7529.
2015-12-16 15:53:30 +00:00

63 lines
2.4 KiB
Diff

From 0d2dd0d9ccc3242dd2dd4513924c8f308000242e Mon Sep 17 00:00:00 2001
From: Shane Bradley <sbradley@redhat.com>
Date: Wed, 6 May 2015 15:47:07 -0400
Subject: [PATCH] [cluster] enable crm_report password scrubbing
Default to specifying a password pattern of 'passw.*' when calling
the crm_report script. This causes matching strings to be elided
from the report data.
Since this scrubbing can affect the use of pacemaker state machine
snapshots for debugging the behaviour is controlled by a new option
that defaults to enabled: cluster.crm_scrub
This can be used to obtain an sosreport containing virgin crm_report
data with no password scrubbing:
# sosreport -k cluster.crm_scrub=False
Signed-off-by: Shane Bradley <sbradley@redhat.com>
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
sos/plugins/cluster.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/sos/plugins/cluster.py b/sos/plugins/cluster.py
index 8dd9a4d..084c030 100644
--- a/sos/plugins/cluster.py
+++ b/sos/plugins/cluster.py
@@ -25,10 +25,12 @@ class Cluster(Plugin, RedHatPlugin):
plugin_name = 'cluster'
profiles = ('cluster',)
+
option_list = [
("gfs2lockdump", 'gather output of gfs2 lockdumps', 'slow', False),
("crm_from", 'specify the start time for crm_report', 'fast', False),
- ('lockdump', 'gather dlm lockdumps', 'slow', False)
+ ('lockdump', 'gather dlm lockdumps', 'slow', False),
+ ('crm_scrub', 'enable password scrubbing for crm_report', '', True),
]
packages = [
@@ -112,8 +114,14 @@ class Cluster(Plugin, RedHatPlugin):
"default" % self.get_option('crm_from'))
crm_dest = self.get_cmd_output_path(name='crm_report', make=False)
- self.add_cmd_output('crm_report -S -d --dest %s --from "%s"'
- % (crm_dest, crm_from))
+ crm_scrub = '-p "passw.*"'
+ if not self.get_option("crm_scrub"):
+ crm_scrub = ''
+ self._log_warn("scrubbing of crm passwords has been disabled:")
+ self._log_warn("data collected by crm_report may contain"
+ " sensitive values.")
+ self.add_cmd_output('crm_report %s -S -d --dest %s --from "%s"'
+ % (crm_scrub, crm_dest, crm_from))
def do_lockdump(self):
if self._mount_debug():
--
1.8.3.1