utilities/tools/collector/scripts/collect_mask_passwords
Andy Ning 17c62bd5aa Remove secure hieradata files from collect
Supporting the controller puppet manifest apply following a DOR introduces
cached hieradata, which will be included in a log collect.

This change updates collect to remove the secure hieradata files from the
cache, as they contain clear-text passwords.

Change-Id: I17542c9fd778107f065531d02c53c59581fc179e
Partial-Bug: 1904739
Depends-On: https://review.opendev.org/c/starlingx/config/+/765373
Signed-off-by: Andy Ning <andy.ning@windriver.com>
2020-12-03 13:43:37 -05:00


#! /bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
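# Root of the collect bundle to sanitise (the script's only required argument).
# Every path below is built on this directory, so an empty value would make the
# masking and removal steps operate on the live host's /etc and /var instead of
# the collected copy; refuse to run in that case.
COLLECT_NAME_DIR=$1
: "${COLLECT_NAME_DIR:?usage: ${0##*/} <collect_name_dir> [extra_dir]}"
# Second argument, kept for the caller's interface; it is not referenced
# anywhere else in this script.
EXTRA_DIR=$2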
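#######################################
# Replace password-bearing values (admin_password, password, bindpw, rootpw,
# connection/sql_connection, transport_url, SECRET_KEY, rabbit default_pass,
# ...) in the collected service config files with "xxxxxx".
# Arguments: $1 - root of the collect bundle
# Returns:   1 if the root is empty or missing, 0 otherwise
# Files that were not collected are skipped; the sed script is applied in
# place to each remaining file.
#######################################
mask_conf_passwords() {
  local dir=$1
  local conffile
  # Refuse an empty or missing root: the paths below would otherwise resolve
  # against the live filesystem.
  [ -d "${dir}" ] || return 1
  for conffile in \
    "${dir}"/etc/aodh/aodh.conf \
    "${dir}"/etc/barbican/barbican.conf \
    "${dir}"/etc/ceilometer/ceilometer.conf \
    "${dir}"/etc/cinder/cinder.conf \
    "${dir}"/etc/fm/fm.conf \
    "${dir}"/etc/glance/glance-api.conf \
    "${dir}"/etc/glance/glance-registry.conf \
    "${dir}"/etc/heat/heat.conf \
    "${dir}"/etc/ironic/ironic.conf \
    "${dir}"/etc/keystone/keystone.conf \
    "${dir}"/etc/magnum/magnum.conf \
    "${dir}"/etc/murano/murano.conf \
    "${dir}"/etc/neutron/metadata_agent.ini \
    "${dir}"/etc/neutron/neutron.conf \
    "${dir}"/etc/nfv/nfv_plugins/nfvi_plugins/config.ini \
    "${dir}"/etc/nova/nova.conf \
    "${dir}"/etc/nslcd.conf \
    "${dir}"/etc/openldap/slapd.conf.backup \
    "${dir}"/etc/openstack-dashboard/local_settings \
    "${dir}"/etc/panko/panko.conf \
    "${dir}"/etc/patching/patching.conf \
    "${dir}"/etc/proxy/nova-api-proxy.conf \
    "${dir}"/etc/rabbitmq/murano-rabbitmq.config \
    "${dir}"/etc/rabbitmq/rabbitmq.config \
    "${dir}"/etc/sysinv/api-paste.ini \
    "${dir}"/etc/sysinv/sysinv.conf \
    "${dir}"/var/extra/platform/sysinv/*/sysinv.conf.default \
    "${dir}"/etc/mtc.ini
  do
    # An unmatched glob leaves the pattern itself here; -f rejects that too.
    [ -f "${conffile}" ] || continue
    sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/;
s/^(auth_encryption_key) *=.*/\1 = xxxxxx/;
s/^(bindpw) .*/\1 xxxxxx/;
s/^(rootpw) .*/\1 xxxxxx/;
s/^(connection) *=.*/\1 = xxxxxx/;
s/^( *credentials) *=.*/\1 = xxxxxx/;
s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/;
s/^(password) *=.*/\1 = xxxxxx/;
s/^(rabbit_password) *=.*/\1 = xxxxxx/;
s/^(sql_connection) *=.*/\1 = xxxxxx/;
s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/;
s/^(transport_url) *=.*/\1 = xxxxxx/;
s/^(SECRET_KEY) *=.*/\1 = xxxxxx/;
s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/;
s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' "${conffile}"
  done
}
mask_conf_passwords "${COLLECT_NAME_DIR}"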
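#######################################
# Delete collected files that hold key material or secrets outright and
# cannot be usefully masked: server certificates, the per-host ssh_config
# copies, and the secure hieradata files from both the platform config copy
# and the puppet hieradata cache.
# Arguments: $1 - root of the collect bundle
# Returns:   1 if the root is empty or missing, 0 otherwise
#######################################
remove_secret_files() {
  local dir=$1
  # Refuse an empty or missing root: the paths below would otherwise resolve
  # against the live filesystem.
  [ -d "${dir}" ] || return 1
  find "${dir}" -name server-cert.pem -exec rm -f -- {} +
  rm -rf -- "${dir}"/var/extra/platform/config/*/ssh_config
  rm -f -- "${dir}"/var/extra/platform/puppet/*/hieradata/secure*.yaml
  rm -f -- "${dir}"/etc/puppet/cache/hieradata/secure*.yaml
}
remove_secret_files "${COLLECT_NAME_DIR}"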
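#######################################
# Mask the password field in the i_user, i_community and i_trap_destination
# COPY sections of the collected sysinv database dump, plus any
# "identity<TAB>...<TAB>password<TAB>value" triplet anywhere in the file.
# Arguments: $1 - root of the collect bundle
# Returns:   1 if the root is empty or missing, 0 otherwise (also when the
#            dump was not collected)
#######################################
mask_sysinv_db_dump() {
  local dir=$1
  local dump
  # Refuse an empty or missing root: the path below would otherwise resolve
  # against the live filesystem.
  [ -d "${dir}" ] || return 1
  dump=${dir}/var/extra/database/sysinv.db.sql.txt
  [ -f "${dump}" ] || return 0
  # Each range runs from the table's COPY header to the next "--" comment
  # line; {10}, {5} and {6} are the number of tab-separated fields that
  # precede the masked field — presumably the password column of each
  # table; verify against the sysinv schema if the layout changes.
  sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/;
s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \
    "${dump}"
}
mask_sysinv_db_dump "${COLLECT_NAME_DIR}"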
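#######################################
# Mask password values in the collected sysinv host profiles. The filter
# assumes a '"value": "..."' line is immediately followed by the
# '"name": "password"' line, so perl holds each line back until it has seen
# the next one and rewrites the held line when the next is the password
# marker. The held line is flushed at each file's end (eof); without that,
# the last line of one file was printed into the next file when xargs
# handed perl several files in a single invocation.
# Arguments: $1 - root of the collect bundle
# Returns:   1 if the root is empty or missing, 0 otherwise
#######################################
mask_host_profile_passwords() {
  local dir=$1
  # Refuse an empty or missing root: the path below would otherwise resolve
  # against the live filesystem.
  [ -d "${dir}" ] || return 1
  [ -d "${dir}"/var/extra/platform/sysinv ] || return 0
  # -Z/-0 keep file names intact whatever characters they contain.
  grep -rlZ '\"name\": \"password\"' "${dir}"/var/extra/platform/sysinv/ \
    | xargs -0 --no-run-if-empty perl -i -e '
$prev="";
while (<>)
{
if (/\"name\": \"password\"/)
{
$prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/;
}
print $prev;
$prev=$_;
if (eof)
{
print $prev;
$prev="";
}
}
print $prev;'
}
mask_host_profile_passwords "${COLLECT_NAME_DIR}"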
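#######################################
# Mask community strings in the collected snmp config copies: everything
# after the rocommunity keyword, and everything after the trap2sink
# destination, is replaced with "xxxxxx".
# Arguments: $1 - root of the collect bundle
# Returns:   1 if the root is empty or missing, 0 otherwise (also when no
#            snmp config was collected)
#######################################
mask_snmp_config() {
  local dir=$1
  local -a files=()
  local f
  # Refuse an empty or missing root: the glob below would otherwise resolve
  # against the live filesystem.
  [ -d "${dir}" ] || return 1
  # Collect only real files so an unmatched glob does not reach sed as a
  # literal pattern.
  for f in "${dir}"/var/extra/platform/config/*/snmp/*; do
    [ -f "$f" ] && files+=("$f")
  done
  [ "${#files[@]}" -gt 0 ] || return 0
  sed -i -r 's/(rocommunity[^ ]*).*/\1 xxxxxx/' "${files[@]}"
  sed -i -r 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' "${files[@]}"
}
mask_snmp_config "${COLLECT_NAME_DIR}"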
# Mask passwords in bash.log and history logs
USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null)
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
${USER_HISTORY_FILES} \
${COLLECT_NAME_DIR}/var/extra/history.info \
${COLLECT_NAME_DIR}/var/log/bash.log \
${COLLECT_NAME_DIR}/var/log/auth.log \
${COLLECT_NAME_DIR}/var/log/user.log
${COLLECT_NAME_DIR}/var/log/ldapscripts.log
for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
${COLLECT_NAME_DIR}/var/log/user.log.*.gz \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
do
zgrep -q 'snmp|password' $f || continue
gunzip $f
unzipped=${f%%.gz}
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
gzip $unzipped
done