From 85951981bbb80a77ddf13b3ba1ee1dae27e6bc6c Mon Sep 17 00:00:00 2001
From: Mark Gurevich
Date: Tue, 29 Jun 2021 13:48:33 -0400
Subject: [PATCH 1/3] Redact passwords in log files

---
 xCAT-server/lib/perl/xCAT/xcatd.pm | 89 +++++++++++++++++++++++++++++-
 xCAT-server/sbin/xcatd | 2 +
 2 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/xCAT-server/lib/perl/xCAT/xcatd.pm b/xCAT-server/lib/perl/xCAT/xcatd.pm
index e0b1923fd..d65fcdb2d 100644
--- a/xCAT-server/lib/perl/xCAT/xcatd.pm
+++ b/xCAT-server/lib/perl/xCAT/xcatd.pm
@@ -271,7 +271,7 @@ sub validate {
 $saveArglist = "$first$restcommand";
 }
 }
- if ($arglist) { $logst .= $saveArglist; }
+ if ($arglist) { $logst .= redact_password($request->{command}->[0], $saveArglist); }
 if ($peername) { $logst .= " for " . $request->{username}->[0] }
 if ($peerhost) { $logst .= " from " . $peerhost }
@@ -477,4 +477,91 @@ sub verifytoken {
 return undef;
 }
 }
+# --------------------------------------------------------------------------------
+
+=head3 redact_password
+
+ Used to redact the password in command line parameters with 'x'
+ For example, command: rspconfig f6u13k18 'HMC_passwd=123' '*_passwd=abc,xyz'
+
+ Arguments:
+ Type 1:
+ Called from sbin/xcatd to log command to /var/log/xcat/commands.log
+
+ $class: Calling module name, for example:
+ xCAT::xcatd
+ $request: Single line string of the command + arguments, for example:
+ [Request] rspconfig f6u13k18 'HMC_passwd=123' '*_passwd=abc,xyz'
+
+ Type 2:
+ Called from this module to log command to /var/log/messages and
+ /var/log/xcat/cluster.log
+
+ $class: Command name sting, for example:
+ respconfig
+ $request: Single line string of arguments, for example:
+ f6u13k18 'HMC_passwd=123' '*_passwd=abc,xyz'
+ Returns string:
+ Type 1:
+ [Request] rspconfig f6u13k18 'HMC_passwd=xxx' '*_passwd=xxxxxxx'
+
+ Type 2:
+ 'HMC_passwd=xxx' '*_passwd=xxxxxxx'
+=cut
+
+ # --------------------------------------------------------------------------------
+sub redact_password {
+ my $class = shift;
+ my $request = shift;
+
+ my %commads_with_password = (
+ bmcdiscover => {
+ flags => ["-p ", "-n "],
+ },
+ rspconfig => {
+ flags => ["admin_passwd=","HMC_passwd=","general_passwd=","*_passwd=","USERID="],
+ },
+ );
+
+ my $full_command;
+ my $header;
+ # split out command and its parameters and flags
+ if ($request =~ '\[Request\]') {
+ ($header, $full_command) = split('\[Request\]',$request,2);
+ } else {
+ $full_command = $class . " " . $request;
+ }
+ my ($command, $parameters) = split(' ',$full_command,2);
+
+ # Check if passed in $command appears in the %commads_with_password hash
+ for (keys %commads_with_password) {
+ if ($_ eq $command) {
+ my @all_command_flags = split(' ', $parameters);
+ my $ref = $commads_with_password{$command}{flags};
+ my @flags_array = @$ref;
+ foreach my $password_flag (@flags_array) {
+ # For each flag of the command from hash, check if passed in
+ # command flags match
+ my $flag_index = index ($parameters, $password_flag);
+ if ($flag_index >= 0) {
+ # Passed in command contains one of the flags, redact pw
+ my ($passwd, $rest) = split(/\s+/,substr($parameters, $flag_index+length($password_flag)));
+ if (index($passwd, "'") > 0) {
+ # Password and password flag was enclosed in "'", do not replace that quote with 'x'
+ substr($parameters, $flag_index+length($password_flag), length($passwd)) = "x" x (length($passwd)-1) . "'";
+ } else {
+ # Replace password with the same number of 'x'
+ substr($parameters, $flag_index+length($password_flag), length($passwd)) = "x" x length($passwd);
+ }
+ }
+ }
+ }
+ }
+ # Return original request with password replaced by 'x' in $parameters string
+ if ($request =~ '\[Request\]') {
+ return $header . "[Request] " . $command . " " . $parameters;
+ } else {
+ return " " . $parameters;
+ }
+}
 1;
diff --git a/xCAT-server/sbin/xcatd b/xCAT-server/sbin/xcatd
index e229aa4d1..0492ed130 100755
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
@@ -2862,6 +2862,8 @@ sub service_connection {
 }
 }
 }
+ # Replace passwords with 'x'
+ $cmdlog_alllog = xCAT::xcatd->redact_password($cmdlog_alllog);
 $cmdlog_alllog .= "\n[Response]\n";
 # ----used for command log end----------

From 041e84727923649c6b6d8583a3b0b80a9549442c Mon Sep 17 00:00:00 2001
From: Mark Gurevich
Date: Tue, 29 Jun 2021 14:19:41 -0400
Subject: [PATCH 2/3] Update comment

---
 xCAT-server/lib/perl/xCAT/xcatd.pm | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

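Review bot: The flag table is matched with `index`, so every entry is a literal substring: `*_passwd=` only matches an argument that literally starts with an asterisk, and any other `<name>_passwd=` key that is not one of the four listed goes into the log unredacted. For a redaction routine an allowlist of exact strings fails open; a pattern per command, e.g. `qr/(?:\w+|\*)_passwd=/` for rspconfig and `qr/-p\s+/` for bmcdiscover, would cover the whole family and would also survive a double space after `-p`, where `split(/\s+/, ...)` currently returns an empty first field so nothing is replaced and the value stays in the clear. `index` also reports only the first occurrence of each flag, so a second `-p` on the same line keeps its value. Minor: `my @all_command_flags = split(' ', $parameters);` is unused, `%commads_with_password` is misspelled, and when the command has no arguments `$parameters` is undef so `index` and `" " . $parameters` warn — `$parameters //= '';` after the split avoids that.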
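Review bot: `redact_password` is documented as taking a single line, but `$cmdlog_alllog` looks like an accumulated buffer here (the `\n[Response]\n` appended on the next line suggests it is multi-line), and the sub only inspects the first `[Request]` and the single command token after it; anything logged before that marker, or a second request in the same buffer, is left untouched, so it is worth confirming what `$cmdlog_alllog` holds at this point. The same sub is called as a plain two-argument function from `validate` and tells the two conventions apart by searching the string for `[Request]`, which a reader of this call site cannot see; a comment such as `# class-method form: whole log line including the [Request] header` would make that explicit. `service_connection` starts outside the hunk.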
diff --git a/xCAT-server/lib/perl/xCAT/xcatd.pm b/xCAT-server/lib/perl/xCAT/xcatd.pm
index d65fcdb2d..07beeda1e 100644
--- a/xCAT-server/lib/perl/xCAT/xcatd.pm
+++ b/xCAT-server/lib/perl/xCAT/xcatd.pm
@@ -271,6 +271,7 @@ sub validate {
 $saveArglist = "$first$restcommand";
 }
 }
+ # Replace passwords with 'x'
 if ($arglist) { $logst .= redact_password($request->{command}->[0], $saveArglist); }
 if ($peername) { $logst .= " for " . $request->{username}->[0] }
 if ($peerhost) { $logst .= " from " . $peerhost }
@@ -490,20 +491,20 @@ sub verifytoken {

 $class: Calling module name, for example:
 xCAT::xcatd
- $request: Single line string of the command + arguments, for example:
- [Request] rspconfig f6u13k18 'HMC_passwd=123' '*_passwd=abc,xyz'
+ $request: Single line string of the header + command + arguments, for example:
+ header [Request] rspconfig f6u13k18 'HMC_passwd=123' '*_passwd=abc,xyz'

 Type 2:
 Called from this module to log command to /var/log/messages and
 /var/log/xcat/cluster.log

 $class: Command name sting, for example:
- respconfig
+ rspconfig
 $request: Single line string of arguments, for example:
- f6u13k18 'HMC_passwd=123' '*_passwd=abc,xyz'
+ 'HMC_passwd=123' '*_passwd=abc,xyz'
 Returns string:
 Type 1:
- [Request] rspconfig f6u13k18 'HMC_passwd=xxx' '*_passwd=xxxxxxx'
+ header [Request] rspconfig f6u13k18 'HMC_passwd=xxx' '*_passwd=xxxxxxx'

 Type 2:
 'HMC_passwd=xxx' '*_passwd=xxxxxxx'
@@ -518,6 +519,9 @@ sub redact_password {
 bmcdiscover => {
 flags => ["-p ", "-n "],
 },
+ mkhwconn => {
+ flags => ["-P "],
+ },
 rspconfig => {
 flags => ["admin_passwd=","HMC_passwd=","general_passwd=","*_passwd=","USERID="],
 },

From c230b098b449e3a47d5b1a909f023456a56f3bb9 Mon Sep 17 00:00:00 2001
From: Mark Gurevich
Date: Wed, 30 Jun 2021 14:31:37 -0400
Subject: [PATCH 3/3] Use a fixed redact string

---
 xCAT-server/lib/perl/xCAT/xcatd.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

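Review bot: The new comment says what is replaced but not the surprising part of the call beneath it: `redact_password` is invoked here as a plain function, so `$request->{command}->[0]` lands in its `$class` parameter and is used as the command name, whereas sbin/xcatd calls it as a class method with one argument. A comment like `# Called as a function: first argument is the command name (see redact_password, Type 2)` would save the next reader a trip into the sub. `validate` starts outside the hunk.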
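Review bot: `"-P "` is matched as a case-sensitive literal that requires exactly one space after the option, so `-P` followed by two spaces leaves the first field of the later `split(/\s+/, ...)` empty and the password unredacted, and an attached form such as `-Psecret`, if mkhwconn's option parser accepts it (not visible here), is not matched at all. A regex such as `qr/(?<=\s)-P\s*/` would cover both spellings and also stop a node name ending in `-P` from triggering redaction of the following token. The same literal-substring limitation applies to the `-p `/`-n ` entries for bmcdiscover just above.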
diff --git a/xCAT-server/lib/perl/xCAT/xcatd.pm b/xCAT-server/lib/perl/xCAT/xcatd.pm
index 07beeda1e..bfe235174 100644
--- a/xCAT-server/lib/perl/xCAT/xcatd.pm
+++ b/xCAT-server/lib/perl/xCAT/xcatd.pm
@@ -514,6 +514,7 @@ sub verifytoken {
 sub redact_password {
 my $class = shift;
 my $request = shift;
+ my $redact_string = "xxxxxxxx";

 my %commads_with_password = (
 bmcdiscover => {
@@ -550,13 +551,13 @@ sub redact_password {
 if ($flag_index >= 0) {
 # Passed in command contains one of the flags, redact pw
 my ($passwd, $rest) = split(/\s+/,substr($parameters, $flag_index+length($password_flag)));
+ my $pw_replacement = $redact_string;
 if (index($passwd, "'") > 0) {
- # Password and password flag was enclosed in "'", do not replace that quote with 'x'
- substr($parameters, $flag_index+length($password_flag), length($passwd)) = "x" x (length($passwd)-1) . "'";
- } else {
- # Replace password with the same number of 'x'
- substr($parameters, $flag_index+length($password_flag), length($passwd)) = "x" x length($passwd);
+ # Password and password flag was enclosed in "'", preserve that quote
+ $pw_replacement .= "'";
+ }
+ # Replace password with $pw_replacement
+ substr($parameters, $flag_index+length($password_flag), length($passwd)) = $pw_replacement;
 }
 }
 }
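Review bot: The value to redact is still taken with `split(/\s+/, ...)`, so it ends at the first whitespace: a quoted value containing a space, `'HMC_passwd=pass word'`, is logged as `'HMC_passwd=xxxxxxxx word'`, and a flag followed by more than one space yields an empty `$passwd`, so the fixed string is inserted in front of the password instead of over it. The POD examples show the quotes surviving into the log line, so whitespace inside quotes is plausible; when the character before the flag is `'` the value should run to the closing quote, and otherwise leading whitespace should be skipped before the token is taken. The sketch below keeps the trailing-quote handling and the `substr` assignment but changes how `$passwd` and its offset are found; `redact_password` continues outside the hunk.
```perl
                    # Passed in command contains one of the flags, redact pw
                    my $value_start = $flag_index + length($password_flag);
                    my $tail        = substr($parameters, $value_start);
                    # inside '...' the value may contain whitespace, so run to the closing quote;
                    # otherwise skip any extra whitespace before taking the next token
                    my $quoted = $flag_index > 0 && substr($parameters, $flag_index - 1, 1) eq "'";
                    my ($lead, $passwd) = $quoted ? ('', $tail =~ /\A([^']*'?)/) : ($tail =~ /\A(\s*)(\S*)/);
                    $value_start += length $lead;
                    my $pw_replacement = $redact_string;
                    # … unchanged: append "'" to $pw_replacement when $passwd ends with the closing quote …
                    substr($parameters, $value_start, length($passwd)) = $pw_replacement;
```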