integ/tools/collector/scripts/collect_mask_passwords
Alex Kozyrev cdc60aac81 Barbican integration into logging/patching mechanisms.
- add barbican logs in syslog
- support no reboot patching for barbican processes
- get information about barbican in collect script

Change-Id: I75557a2d35d3861c2dee3d0a5a0960bebc6d0e48
Story: 2003108
Task: 27700
Depends-On: I6b0b0c90456627bebde2b834b339bc968100b6f9
Signed-off-by: Alex Kozyrev <alex.kozyrev@windriver.com>
2018-11-30 13:23:13 -05:00

125 lines
5.5 KiB
Bash

#! /bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
COLLECT_NAME_DIR=$1
EXTRA_DIR=$2
# Strip the passwords from assorted config files
for conffile in \
${COLLECT_NAME_DIR}/etc/aodh/aodh.conf \
${COLLECT_NAME_DIR}/etc/barbican/barbican.conf \
${COLLECT_NAME_DIR}/etc/ceilometer/ceilometer.conf \
${COLLECT_NAME_DIR}/etc/cinder/cinder.conf \
${COLLECT_NAME_DIR}/etc/fm/fm.conf \
${COLLECT_NAME_DIR}/etc/glance/glance-api.conf \
${COLLECT_NAME_DIR}/etc/glance/glance-registry.conf \
${COLLECT_NAME_DIR}/etc/heat/heat.conf \
${COLLECT_NAME_DIR}/etc/ironic/ironic.conf \
${COLLECT_NAME_DIR}/etc/keystone/keystone.conf \
${COLLECT_NAME_DIR}/etc/magnum/magnum.conf \
${COLLECT_NAME_DIR}/etc/murano/murano.conf \
${COLLECT_NAME_DIR}/etc/neutron/metadata_agent.ini \
${COLLECT_NAME_DIR}/etc/neutron/neutron.conf \
${COLLECT_NAME_DIR}/etc/nfv/nfv_plugins/nfvi_plugins/config.ini \
${COLLECT_NAME_DIR}/etc/nova/nova.conf \
${COLLECT_NAME_DIR}/etc/nslcd.conf \
${COLLECT_NAME_DIR}/etc/openldap/slapd.conf.backup \
${COLLECT_NAME_DIR}/etc/openstack-dashboard/local_settings \
${COLLECT_NAME_DIR}/etc/panko/panko.conf \
${COLLECT_NAME_DIR}/etc/patching/patching.conf \
${COLLECT_NAME_DIR}/etc/proxy/nova-api-proxy.conf \
${COLLECT_NAME_DIR}/etc/rabbitmq/murano-rabbitmq.config \
${COLLECT_NAME_DIR}/etc/rabbitmq/rabbitmq.config \
${COLLECT_NAME_DIR}/etc/sysinv/api-paste.ini \
${COLLECT_NAME_DIR}/etc/sysinv/sysinv.conf \
${COLLECT_NAME_DIR}/var/extra/platform/sysinv/*/sysinv.conf.default \
${COLLECT_NAME_DIR}/etc/mtc.ini
do
if [ ! -f $conffile ]; then
continue
fi
sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/;
s/^(auth_encryption_key) *=.*/\1 = xxxxxx/;
s/^(bindpw) .*/\1 xxxxxx/;
s/^(rootpw) .*/\1 xxxxxx/;
s/^(connection) *=.*/\1 = xxxxxx/;
s/^( *credentials) *=.*/\1 = xxxxxx/;
s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/;
s/^(password) *=.*/\1 = xxxxxx/;
s/^(rabbit_password) *=.*/\1 = xxxxxx/;
s/^(sql_connection) *=.*/\1 = xxxxxx/;
s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/;
s/^(transport_url) *=.*/\1 = xxxxxx/;
s/^(SECRET_KEY) *=.*/\1 = xxxxxx/;
s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/;
s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' $conffile
done
find ${COLLECT_NAME_DIR} -name server-cert.pem | xargs --no-run-if-empty rm -f
rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config
rm -f ${COLLECT_NAME_DIR}/var/extra/platform/.keyring/*/python_keyring/crypted_pass.cfg
rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml
# Mask user passwords in sysinv db dump
if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then
sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/;
s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \
${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt
fi
# Mask passwords in host profiles
grep -rl '\"name\": \"password\"' ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/ \
| xargs --no-run-if-empty perl -i -e '
$prev="";
while (<>)
{
if (/\"name\": \"password\"/)
{
$prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/;
}
print $prev;
$prev=$_;
}
print $prev;'
# Cleanup snmp
sed -i -r 's/(rocommunity[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
sed -i -r 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
# Mask passwords in bash.log and history logs
USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null)
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
${USER_HISTORY_FILES} \
${COLLECT_NAME_DIR}/var/extra/history.info \
${COLLECT_NAME_DIR}/var/log/bash.log \
${COLLECT_NAME_DIR}/var/log/auth.log \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log
for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
do
zgrep -q 'snmp|password' $f || continue
gunzip $f
unzipped=${f%%.gz}
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
gzip $unzipped
done