Details
Description
PRD says:

> Usernames, Passwords, Certificates, Document IDs, Document Keys and Values, Email Addresses and other sensitive data are absolutely not allowed to be stored in the System Event Log.
Currently, certificates can get logged in the system event log. So I guess that is a problem.
```json
[{"timestamp":"2022-01-12T18:50:24.163Z","event_id":9219,"component":"security","description":"LDAP configuration changed","severity":"info","node":"172.23.136.112","otp_node":"ns_1@172.23.136.112","uuid":"79216226-0268-4620-a343-e8cfb492ea0e","extra_attributes":{"old_settings":{"authenticationEnabled":false,"authorizationEnabled":false,"bindDN":"","bindPass":"","cacheValueLifetime":300000,"encryption":"None","failOnMaxDepth":false,"hosts":[],"maxCacheSize":10000,"maxParallelConnections":100,"nestedGroupsEnabled":false,"nestedGroupsMaxDepth":10,"port":389,"requestTimeout":5000,"serverCertValidation":true,"userDNMapping":{"template":"uid=%u,ou=users,dc=example,dc=com"}},"new_settings":{"authenticationEnabled":false,"authorizationEnabled":false,"bindDN":"","bindPass":"","cacert":"-----BEGIN CERTIFICATE-----\nMIIDAjCCAeqgAwIBAgIIFsmO4RQdsWUwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE\nAxMZQ291Y2hiYXNlIFNlcnZlciBhN2EwNDZiYjAeFw0xMzAxMDEwMDAwMDBaFw00\nOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgYTdhMDQ2\nYmIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCedMTNE5sXN/FMHzQ9\nK/r0rro95ouLnVS+qUeLjMuka9Gc2FliZOcspBdgMemQQXbxXQblAd6+nAY/F0sj\nBvMABOiERDLVLkohU3k1dzc6MUSomW8o3ne5lz1/HesYkD/cJOq5aMLxRJs2Hitc\nDYUstmKOIVOLR8fomTRDDhNEb8iVtE6Yy5Mq1DjRgB4dQd1HAzex4DUl5ajA9ZMY\ngBRerp1L2iylp/Jnn/A1X0KjBScbhqRPlFg/5ggJizWZGJYwEKgXa3SEZQ6nMKYh\nQa0wmJsEn7lOJKJy+obtgtoIT/B7L0/yV7OMRO5WzT1vKTzwYnjJ73+wEGE1KQh4\nUmfrAgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD\nATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBBdGlunjAkat33\nAnD/saSkkrU8l7oO2OiNnOhDqYyojeZQtBPGYeuaU023HctZs12CWcU3RldrK2j7\nVxvUOZvUgFc8uv65uSYhd79Cn1+s5tpk116p4uFZGUCQabeCgDSIIqoKTh31sBNz\n2u97aChi6qT/+6NWKWSGhItlVVccfLfrX7jtJTw90Y81WrQMaDcVRSlFzd5J82iC\nMJ18ZPRAZFLafhGnegYhHpq4XsG4FMfYYMcSWe5rY3F8esIHVbEmDE8GlogqkCmq\nEXSMseWzjhhemcvnRVjzteadXLcJxG/7ZUK4MUZaGpSfU1Ws+seMudG67ppJoJXg\nvKHBgsvO\n-----END CERTIFICATE-----","cacheValueLifetime":300000,"encryption":"TLS","failOnMaxDepth":false,"hosts":[],"maxCacheSize":10000,"maxParallelConnections":100,"nestedGroupsEnabled":false,"nestedGroupsMaxDepth":10,"port":389,"requestTimeout":5000,"serverCertValidation":true,"userDNMapping":{"template":"uid=%u,ou=users,dc=example,dc=com"}}}}]
```
(bindPass and clientTLSkey are redacted fine - no issues there)
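As an added example (not ns_server code, which is Erlang, and not part of the fix tracked by this issue), the sketch below does two things a practitioner would want for the report above: it strips the sensitive LDAP keys from both settings snapshots before the ldap_cfg_changed event is assembled, and it provides an audit check that scans already-written event-log entries for a PEM block or a populated sensitive key. The key names bindPass and cacert are taken from the event above; clientTLSCert and clientTLSKey, the `<redacted>` marker, and the sample settings are assumptions constructed for the example.

```python
"""Redact sensitive LDAP settings before they reach the system event log, and
audit existing entries for leaks.

Added example, not ns_server code. Key names bindPass and cacert come from the
event in the issue; clientTLSCert, clientTLSKey and the "<redacted>" marker
are assumptions.
"""
import copy
import json
import re

# Keys whose values must never be written to the event log (assumed set).
SENSITIVE_KEYS = {"bindPass", "cacert", "clientTLSCert", "clientTLSKey"}
REDACTED = "<redacted>"

# Any PEM block in a serialised event is a leak, whatever key it sits under.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.DOTALL)

# Constructed sample settings, modelled on the old/new snapshots in the event
# above. The PEM body is a placeholder, not a real certificate.
SAMPLE_CA = ("-----BEGIN CERTIFICATE-----\n"
             "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0VSVCBCT0RZ\n"
             "-----END CERTIFICATE-----")
OLD_SETTINGS = {"authenticationEnabled": False, "bindDN": "", "bindPass": "",
                "encryption": "None", "port": 389, "serverCertValidation": True}
NEW_SETTINGS = {"authenticationEnabled": True, "bindDN": "cn=svc,dc=example,dc=com",
                "bindPass": "constructed-secret", "cacert": SAMPLE_CA,
                "encryption": "TLS", "port": 389, "serverCertValidation": True}


def redact_settings(settings):
    """Return a copy of an LDAP settings dict with sensitive values replaced.

    Empty/None values are left as they are: they hold no secret, and keeping
    them lets the record still show an "unset -> set" transition.
    """
    out = copy.deepcopy(settings)
    for key in SENSITIVE_KEYS:
        if out.get(key) not in ("", None):
            out[key] = REDACTED
    return out


def build_event(old_settings, new_settings, **meta):
    """Assemble an ldap_cfg_changed event, redacting both snapshots first."""
    event = {"event_id": 9219, "component": "security",
             "description": "LDAP configuration changed", "severity": "info"}
    event.update(meta)
    event["extra_attributes"] = {"old_settings": redact_settings(old_settings),
                                 "new_settings": redact_settings(new_settings)}
    return event


def _walk(obj, path, idx, findings):
    """Recursively flag populated sensitive keys, recording their dotted path."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in SENSITIVE_KEYS and value not in ("", None, REDACTED):
                findings.append((idx, path + key))
            _walk(value, path + key + ".", idx, findings)
    elif isinstance(obj, list):
        for value in obj:
            _walk(value, path, idx, findings)


def find_leaks(events):
    """Audit check over parsed event-log entries.

    Returns a list of (event index, finding) pairs; an empty list means no
    PEM block and no populated sensitive key was found.
    """
    findings = []
    for idx, event in enumerate(events):
        if PEM_RE.search(json.dumps(event)):
            findings.append((idx, "PEM block present"))
        _walk(event, "", idx, findings)
    return findings


if __name__ == "__main__":
    safe = build_event(OLD_SETTINGS, NEW_SETTINGS, node="172.23.136.112")
    print(json.dumps(safe, indent=2))
    print("leaks in redacted event:", find_leaks([safe]))
    raw = {"extra_attributes": {"old_settings": OLD_SETTINGS,
                                "new_settings": NEW_SETTINGS}}
    print("leaks in unredacted event:", find_leaks([raw]))
```

The audit check is deliberately independent of the redaction code: the PEM regex catches a certificate that ends up under a key the allow-list forgot, which is exactly how cacert slipped through while bindPass was handled.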
For Gerrit Dashboard: MB-50368

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 168783,7 | MB-50368: Redact cacert key in ldap_cfg_changed event log | master | ns_server | MERGED | +2 | +1 |
| 169633,3 | MB-50368: Redact ldap cfg keys in event log | master | ns_server | MERGED | +2 | +1 |