starlingx/utilities
Code Issues Proposed changes
utilities/tools/collector/scripts/collect_mask_passwords
Karla Felix 411fa59451 Mask passwords in collected logs 
This commit will be updating the regex rule to add coverage to new
patterns of password to be masked in collected logs.

Test Plan:

PASS: Run the sed command to *.log/*.txt file with passwords and verify
      every case was masked successfully.
PASS: Do a full deploy and run the collect script and verify that all
      password are masked.

Closes-Bug: 2077342

Change-Id: Ie4810a3b85c55d070fae489ad008e770a38093ca
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
2024-08-22 16:09:47 -03:00

159 lines
7.7 KiB
Bash
Raw Blame History

#! /bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
COLLECT_NAME_DIR=$1
EXTRA_DIR=$2
# Strip the passwords from assorted config files
for conffile in \
${COLLECT_NAME_DIR}/etc/aodh/aodh.conf \
${COLLECT_NAME_DIR}/etc/barbican/barbican.conf \
${COLLECT_NAME_DIR}/etc/ceilometer/ceilometer.conf \
${COLLECT_NAME_DIR}/etc/cinder/cinder.conf \
${COLLECT_NAME_DIR}/etc/fm/fm.conf \
${COLLECT_NAME_DIR}/etc/glance/glance-api.conf \
${COLLECT_NAME_DIR}/etc/glance/glance-registry.conf \
${COLLECT_NAME_DIR}/etc/heat/heat.conf \
${COLLECT_NAME_DIR}/etc/ironic/ironic.conf \
${COLLECT_NAME_DIR}/etc/keystone/keystone.conf \
${COLLECT_NAME_DIR}/etc/magnum/magnum.conf \
${COLLECT_NAME_DIR}/etc/murano/murano.conf \
${COLLECT_NAME_DIR}/etc/neutron/metadata_agent.ini \
${COLLECT_NAME_DIR}/etc/neutron/neutron.conf \
${COLLECT_NAME_DIR}/etc/nfv/nfv_plugins/nfvi_plugins/config.ini \
${COLLECT_NAME_DIR}/etc/nova/nova.conf \
${COLLECT_NAME_DIR}/etc/nslcd.conf \
${COLLECT_NAME_DIR}/etc/openldap/slapd.conf.backup \
${COLLECT_NAME_DIR}/etc/openstack-dashboard/local_settings \
${COLLECT_NAME_DIR}/etc/panko/panko.conf \
${COLLECT_NAME_DIR}/etc/patching/patching.conf \
${COLLECT_NAME_DIR}/etc/proxy/nova-api-proxy.conf \
${COLLECT_NAME_DIR}/etc/rabbitmq/murano-rabbitmq.config \
${COLLECT_NAME_DIR}/etc/rabbitmq/rabbitmq.config \
${COLLECT_NAME_DIR}/etc/sysinv/api-paste.ini \
${COLLECT_NAME_DIR}/etc/sysinv/sysinv.conf \
${COLLECT_NAME_DIR}/var/extra/platform/sysinv/*/sysinv.conf.default \
${COLLECT_NAME_DIR}/etc/mtc.ini
do
if [ ! -f $conffile ]; then
continue
fi
sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/;
s/^(auth_encryption_key) *=.*/\1 = xxxxxx/;
s/^(bindpw) .*/\1 xxxxxx/;
s/^(rootpw) .*/\1 xxxxxx/;
s/^(connection) *=.*/\1 = xxxxxx/;
s/^( *credentials) *=.*/\1 = xxxxxx/;
s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/;
s/^(password) *=.*/\1 = xxxxxx/;
s/^(rabbit_password) *=.*/\1 = xxxxxx/;
s/^(sql_connection) *=.*/\1 = xxxxxx/;
s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/;
s/^(transport_url) *=.*/\1 = xxxxxx/;
s/^(SECRET_KEY) *=.*/\1 = xxxxxx/;
s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/;
s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' $conffile
done
find ${COLLECT_NAME_DIR} -name server-cert.pem | xargs --no-run-if-empty rm -f
rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config
rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml
rm -f ${COLLECT_NAME_DIR}/etc/puppet/cache/hieradata/secure*.yaml
# dir /etc/kubernetes/pki was etc.excluded
if [ -d "/etc/kubernetes/pki" ] ; then
# grab the public certificates if /etc/kubernetes/pki exists
mkdir -p ${COLLECT_NAME_DIR}/etc/kubernetes/pki
cp -a /etc/kubernetes/pki/*.crt ${COLLECT_NAME_DIR}/etc/kubernetes/pki 2>/dev/null 1>/dev/null
fi
# Mask user passwords in sysinv db dump
if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then
sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/;
s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \
${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt
fi
# Mask passwords in host profiles
grep -rl '\"name\": \"password\"' ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/ \
| xargs --no-run-if-empty perl -i -e '
$prev="";
while (<>)
{
if (/\"name\": \"password\"/)
{
$prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/;
}
print $prev;
$prev=$_;
}
print $prev;'
# Cleanup snmp
sed -i -r 's/(rocommunity[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
sed -i -r 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
# Mask passwords in bash.log and history logs
USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null)
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
s/(_password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(_password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/('\''password for [^'\'']*'\'':)[^'\'']*/\1 xxxxxx/g;
s/('\''ansible_become_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
s/(ansible_become_pass)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(ansible_ssh_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
s/('\''ansible'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
s/(yes\/no'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
s/(ansible_ssh_pass=)[^ ]*/\1xxxxxx/g;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
${USER_HISTORY_FILES} \
${COLLECT_NAME_DIR}/var/extra/history.info \
${COLLECT_NAME_DIR}/var/log/bash.log \
${COLLECT_NAME_DIR}/var/log/auth.log \
${COLLECT_NAME_DIR}/var/log/user.log \
${COLLECT_NAME_DIR}/var/log/dcmanager/orchestrator.log \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log
for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
${COLLECT_NAME_DIR}/var/log/user.log.*.gz \
${COLLECT_NAME_DIR}/var/log/dcmanager/orchestrator.log.*.gz \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
do
zgrep -q -E 'snmp|password' $f || continue
gunzip $f
unzipped=${f%%.gz}
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
s/(_password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
s/(_password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/('\''password for [^'\'']*'\'':)[^'\'']*/\1 xxxxxx/g;
s/('\''ansible_become_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
s/(ansible_become_pass)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(ansible_ssh_pass'\'':[[:space:]]*)[^'\'']*/\1 xxxxxx/g;
s/('\''ansible'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
s/(yes\/no'\'':)[^'\'']*'\''/\1'\''xxxxxx'\''/g;
s/(ansible_ssh_pass=)[^ ]*/\1xxxxxx/g;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
gzip $unzipped
done
View Git Blame Copy Permalink