starlingx
/
utilities
Code Issues Proposed changes

Masking passwords with collect script 

Using collect script to mask cleartext password incidents
in /var/log/user.log, done by grepping for -password,
password: prefixes and headers and redacting password
with xxxxxx string, used user.log with cleartext
passwords to test

Partial-Bug: 1896116

Signed-off-by: Lu Yao Chen <luyao.chen@windriver.com>
Change-Id: I3a3c02b61994d53589d673b2335d0eb023adfac6
This commit is contained in:
Lu Yao Chen 2020-11-23 13:58:11 -05:00
parent 31f2d4d5cf
commit 43cd10d392
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
tools/collector/scripts/collect_mask_passwords
View File

@ -97,17 +97,21 @@ sed -i -r 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/pla
USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null)
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
${USER_HISTORY_FILES} \
${COLLECT_NAME_DIR}/var/extra/history.info \
${COLLECT_NAME_DIR}/var/log/bash.log \
${COLLECT_NAME_DIR}/var/log/auth.log \
${COLLECT_NAME_DIR}/var/log/user.log
${COLLECT_NAME_DIR}/var/log/ldapscripts.log
for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
${COLLECT_NAME_DIR}/var/log/user.log.*.gz \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
do
zgrep -q 'snmp|password' $f || continue
@ -115,9 +119,10 @@ do
unzipped=${f%%.gz}
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
gzip $unzipped
done