Exclude private certificate and key files from collect

Collecting private keys and certificates is objectionable.

This update adds /etc/kubernetes/pki to the collect
exclude list so that its private keys and certificate
files are not collected.

This update then enhances collect's mask passwords
plugin to pull in the public certificate files which
do not pose a security risk and are useful during debug.

Test Plan:

PASS: Verify only the .crt files from the newly excluded
      dir are collected.

Change-Id: Ia9e3e132d10fd31486b92742fb17147b36aa98c9
Closes-Bug: 1952676
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
Eric MacDonald 2021-11-29 20:36:06 -05:00
parent 9d95c5da1b
commit b948b19748
2 changed files with 8 additions and 0 deletions


@ -66,6 +66,13 @@ rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config
rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml
rm -f ${COLLECT_NAME_DIR}/etc/puppet/cache/hieradata/secure*.yaml
# dir /etc/kubernetes/pki was etc.excluded
if [ -d "/etc/kubernetes/pki" ] ; then
# grab the public certificates if /etc/kubernetes/pki exists
mkdir -p ${COLLECT_NAME_DIR}/etc/kubernetes/pki
cp -a /etc/kubernetes/pki/*.crt ${COLLECT_NAME_DIR}/etc/kubernetes/pki 2>/dev/null 1>/dev/null
fi
# Mask user passwords in sysinv db dump
if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then
sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
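Review bot: the selection of what to copy back in relies on the file extension alone (`cp -a /etc/kubernetes/pki/*.crt ...`), so anything stored with a `.crt` suffix is collected regardless of its contents, and anything that does not carry that suffix is silently skipped; since the whole point of the change is to keep private key material out of the bundle, consider filtering on content rather than name before copying, for example `grep -L -- '-----BEGIN.*PRIVATE KEY-----' /etc/kubernetes/pki/*.crt`, and note that the glob is not recursive, so certificates in subdirectories of `/etc/kubernetes/pki` are not picked up. Redirecting both stdout and stderr to `/dev/null` also hides any copy failure from the collect log, and the comment `# dir /etc/kubernetes/pki was etc.excluded` reads as a typo; something like `# /etc/kubernetes/pki is in the exclude list; only the public .crt files are collected here` would document the intent.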


@ -38,3 +38,4 @@
/etc/systemd/system/ctrl-alt-del.target
/etc/ssl
/etc/mtc/tmp
/etc/kubernetes/pki
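Review bot: the new `/etc/kubernetes/pki` entry excludes the directory wholesale, while the public certificates are added back by a separate step in the mask-passwords plugin; since nothing in this list records that dependency, a reader of the exclude list alone would conclude that no certificates are collected at all. Consider adding a short comment next to the entry stating that the `.crt` files are re-collected by the masking step, so the two changes stay in sync if either is edited later; the test plan's check that only `.crt` files from this directory appear in the bundle is also worth keeping as a permanent check rather than a one-off manual verification.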