#! /bin/bash # # Copyright (c) 2017 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # COLLECT_NAME_DIR=$1 EXTRA_DIR=$2 # Strip the passwords from assorted config files for conffile in \ ${COLLECT_NAME_DIR}/etc/aodh/aodh.conf \ ${COLLECT_NAME_DIR}/etc/barbican/barbican.conf \ ${COLLECT_NAME_DIR}/etc/ceilometer/ceilometer.conf \ ${COLLECT_NAME_DIR}/etc/cinder/cinder.conf \ ${COLLECT_NAME_DIR}/etc/fm/fm.conf \ ${COLLECT_NAME_DIR}/etc/glance/glance-api.conf \ ${COLLECT_NAME_DIR}/etc/glance/glance-registry.conf \ ${COLLECT_NAME_DIR}/etc/heat/heat.conf \ ${COLLECT_NAME_DIR}/etc/ironic/ironic.conf \ ${COLLECT_NAME_DIR}/etc/keystone/keystone.conf \ ${COLLECT_NAME_DIR}/etc/magnum/magnum.conf \ ${COLLECT_NAME_DIR}/etc/murano/murano.conf \ ${COLLECT_NAME_DIR}/etc/neutron/metadata_agent.ini \ ${COLLECT_NAME_DIR}/etc/neutron/neutron.conf \ ${COLLECT_NAME_DIR}/etc/nfv/nfv_plugins/nfvi_plugins/config.ini \ ${COLLECT_NAME_DIR}/etc/nova/nova.conf \ ${COLLECT_NAME_DIR}/etc/nslcd.conf \ ${COLLECT_NAME_DIR}/etc/openldap/slapd.conf.backup \ ${COLLECT_NAME_DIR}/etc/openstack-dashboard/local_settings \ ${COLLECT_NAME_DIR}/etc/panko/panko.conf \ ${COLLECT_NAME_DIR}/etc/patching/patching.conf \ ${COLLECT_NAME_DIR}/etc/proxy/nova-api-proxy.conf \ ${COLLECT_NAME_DIR}/etc/rabbitmq/murano-rabbitmq.config \ ${COLLECT_NAME_DIR}/etc/rabbitmq/rabbitmq.config \ ${COLLECT_NAME_DIR}/etc/sysinv/api-paste.ini \ ${COLLECT_NAME_DIR}/etc/sysinv/sysinv.conf \ ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/*/sysinv.conf.default \ ${COLLECT_NAME_DIR}/etc/mtc.ini do if [ ! -f $conffile ]; then continue fi sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/; s/^(auth_encryption_key) *=.*/\1 = xxxxxx/; s/^(bindpw) .*/\1 xxxxxx/; s/^(rootpw) .*/\1 xxxxxx/; s/^(connection) *=.*/\1 = xxxxxx/; s/^( *credentials) *=.*/\1 = xxxxxx/; s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/; s/^(password) *=.*/\1 = xxxxxx/; s/^(rabbit_password) *=.*/\1 = xxxxxx/; s/^(sql_connection) *=.*/\1 = xxxxxx/; s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/; s/^(transport_url) *=.*/\1 = xxxxxx/; s/^(SECRET_KEY) *=.*/\1 = xxxxxx/; s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/; s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' $conffile done find ${COLLECT_NAME_DIR} -name server-cert.pem | xargs --no-run-if-empty rm -f rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml rm -f ${COLLECT_NAME_DIR}/etc/puppet/cache/hieradata/secure*.yaml # Mask user passwords in sysinv db dump if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/; /COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/; /COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/; s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \ ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt fi # Mask passwords in host profiles grep -rl '\"name\": \"password\"' ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/ \ | xargs --no-run-if-empty perl -i -e ' $prev=""; while (<>) { if (/\"name\": \"password\"/) { $prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/; } print $prev; $prev=$_; } print $prev;' # Cleanup snmp sed -i -r 's/(rocommunity[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/* sed -i -r 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/* # Mask passwords in bash.log and history logs USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null) sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/; s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/; s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/; s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g; s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g; s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/; s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \ ${USER_HISTORY_FILES} \ ${COLLECT_NAME_DIR}/var/extra/history.info \ ${COLLECT_NAME_DIR}/var/log/bash.log \ ${COLLECT_NAME_DIR}/var/log/auth.log \ ${COLLECT_NAME_DIR}/var/log/user.log \ ${COLLECT_NAME_DIR}/var/log/ldapscripts.log for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \ ${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \ ${COLLECT_NAME_DIR}/var/log/user.log.*.gz \ ${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz do zgrep -q 'snmp|password' $f || continue gunzip $f unzipped=${f%%.gz} sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/; s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/; s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/; s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g; s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g; s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/; s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped gzip $unzipped done