From 411fa59451a1aa92c0a480cf3757bdd4a3ced42b Mon Sep 17 00:00:00 2001
From: Karla Felix
Date: Mon, 19 Aug 2024 12:58:34 -0300
Subject: [PATCH] Mask passwords in collected logs

This commit will be updating the regex rule to add coverage to new patterns of password to be masked in collected logs.
Test Plan:
PASS: Run the sed command to *.log/*.txt file with passwords and verify every case was masked successfully.
PASS: Do a full deploy and run the collect script and verify that all password are masked.
Closes-Bug: 2077342
Change-Id: Ie4810a3b85c55d070fae489ad008e770a38093ca
Signed-off-by: Karla Felix
---
 .../collector/scripts/collect_mask_passwords | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/tools/collector/scripts/collect_mask_passwords b/tools/collector/scripts/collect_mask_passwords
index 27b79df4..b06a59a2 100644
--- a/tools/collector/scripts/collect_mask_passwords
+++ b/tools/collector/scripts/collect_mask_passwords
@@ -109,6 +109,15 @@ sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)
 s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
 s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
 s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
+ s/(_password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
+ s/(_password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
+ s/('\''password for [^'\'']*'\'':)[^'\'']*/\1 xxxxxx/g;
+ s/('\''ansible_become_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
+ s/(ansible_become_pass)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
+ s/(ansible_ssh_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
+ s/('\''ansible'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
+ s/(yes\/no'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
+ s/(ansible_ssh_pass=)[^ ]*/\1xxxxxx/g;
 s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
 s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
 ${USER_HISTORY_FILES} \
@@ -116,11 +125,13 @@ sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)
 ${COLLECT_NAME_DIR}/var/log/bash.log \
 ${COLLECT_NAME_DIR}/var/log/auth.log \
 ${COLLECT_NAME_DIR}/var/log/user.log \
+ ${COLLECT_NAME_DIR}/var/log/dcmanager/orchestrator.log \
 ${COLLECT_NAME_DIR}/var/log/ldapscripts.log

 for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
 ${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
 ${COLLECT_NAME_DIR}/var/log/user.log.*.gz \
+ ${COLLECT_NAME_DIR}/var/log/dcmanager/orchestrator.log.*.gz \
 ${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
 do
 zgrep -q -E 'snmp|password' $f || continue
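Review bot: The added `s/(_password)=…/\1=xxxxxx/;` and `s/(ansible_become_pass)=…/\1=xxxxxx/;` rules end without the `g` flag, so only the first assignment on a line is masked and a second `*_password=` value on the same line stays in clear; they should end `/\1=xxxxxx/g;` like the other new rules. The `(_password):` rule also allows no whitespace after the colon: for input of the form `_password: value` the `[^ ]*` alternative matches the empty string, the output is `_password xxxxxx value`, and the value survives. If that form can occur in these logs, writing the rule as `(_password):[[:space:]]*(…)` would cover it. The same two points apply to the copy of these rules in the `.gz` hunk at -132. The `sed` command itself starts above this hunk.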
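Review bot: The `zgrep -q -E 'snmp|password' $f || continue` prefilter at the end of this hunk was not widened for the new rules, so a rotated `.gz` log whose only sensitive entries are `ansible_become_pass`, `ansible_ssh_pass`, `'ansible':` or `yes/no':` contains neither `snmp` nor `password` and is skipped without masking. `orchestrator.log.*.gz` is presumably added to the loop for exactly those patterns, so the filter should match them too, for example `zgrep -q -E 'snmp|pass|ansible|yes/no' "$f" || continue`. The loop body continues outside this hunk.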
@@ -132,6 +143,15 @@ do
 s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
 s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
 s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
+ s/(_password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
+ s/(_password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
+ s/('\''password for [^'\'']*'\'':)[^'\'']*/\1 xxxxxx/g;
+ s/('\''ansible_become_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
+ s/(ansible_become_pass)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
+ s/(ansible_ssh_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
+ s/('\''ansible'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
+ s/(yes\/no'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
+ s/(ansible_ssh_pass=)[^ ]*/\1xxxxxx/g;
 s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
 s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
 gzip $unzipped
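Review bot: The nine expressions added here are a second hand-maintained copy of the ones added to the uncompressed-log `sed` call at -109, so every masking rule has to be edited in two places and a missed copy leaves rotated logs unmasked. Holding the expression list once, for example a `MASK_RULES='…'` variable defined above both calls and used as `sed -i -r "${MASK_RULES}" $unzipped`, would keep the plain and `.gz` paths identical by construction. The `sed` command and the enclosing `for` loop both start above this hunk.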