Details
- Type: Bug
- Status: Closed
- Priority: Normal
- Resolution: Fixed
- None
- None
- Team: Systems Engineering
- 1
- Sprint: SE 2017-01-25, SE 2017-02-08, SE 2017-02-22, SE 2017-03-08
- New Feature
- Manual
Description
If an exec is run as an inline sh script with an eyaml'd password variable, the password will get logged in plaintext on the console and agent if it fails. loglevel and logoutput don't do anything in this situation, as it's the command that's being displayed, not the output of the command. It was suggested to make the command into a script and run it that way, but that presents putting the password in plaintext in the script, not a viable long-term solution.
Having the exec's inline sh script executed in this manner presents another issue. The same data is present in the cached catalog on agents in /opt/puppetlabs/puppet/cache/client_data/catalog/*.json. I imagine this issue is caught somewhere in https://tickets.puppetlabs.com/browse/PUP-1974.
Just an idea to branch off of the "sensitive" resource type mentioned in PUP-1974: Most passwords and sensitive data will be coming from an eyaml'd variable (at least, in our scenario). If there were a setting in puppet.conf that would mark all eyaml data as "sensitive", hashing or masking it in logs and cached catalogs, that might take care of the lion's share of sensitive information leaks. This would be in addition to being able "to give manifest/module authors the ability to specify resource properties (such as attributes or titles) which are sensitive".
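As an added example (not from the ticket or from Puppet itself): a small audit script that scans a cached agent catalog JSON for Exec resources whose command-line parameters contain known secret values, which is the cached-catalog exposure described above. The catalog structure follows Puppet's resource/parameters layout; the sample catalog, hostname and secret value are constructed, and `sensitive_parameters` is assumed to be the list Puppet uses to mark Sensitive-typed attributes.

```python
"""Audit a cached Puppet catalog for Exec resources that embed known secret values.
Added example, not part of the ticket; the catalog below is constructed."""
import json
from typing import Iterable

# Exec parameters whose values end up on a command line and therefore in logs.
EXEC_COMMAND_PARAMS = ("command", "onlyif", "unless", "environment")


def find_exec_secret_leaks(catalog_json: str, secrets: Iterable[str]) -> list:
    """One finding per (Exec resource, parameter) whose value contains a secret.
    `sensitive` reports whether the catalog lists the parameter under
    `sensitive_parameters` (assumed marker for Sensitive-typed attributes)."""
    catalog = json.loads(catalog_json)
    secrets = [s for s in secrets if s]  # ignore empty strings, which match anything
    findings = []
    for res in catalog.get("resources", []):
        if res.get("type") != "Exec":
            continue
        marked = set(res.get("sensitive_parameters", []))
        params = res.get("parameters", {})
        for name in EXEC_COMMAND_PARAMS:
            value = params.get(name)
            if value is None:
                continue
            # `environment` is a list of "KEY=value" strings; join it for matching
            text = " ".join(value) if isinstance(value, list) else str(value)
            for secret in secrets:
                if secret in text:
                    findings.append({"title": res.get("title"), "parameter": name,
                                     "sensitive": name in marked,
                                     "masked": text.replace(secret, "***")})
                    break  # one finding per parameter is enough
    return findings


# Constructed sample catalog: one Exec interpolates a decrypted eyaml password
# into an inline shell command; the other does not.
SAMPLE_CATALOG = json.dumps({"name": "db01.example.internal", "resources": [
    {"type": "Exec", "title": "set db password", "parameters": {
        "command": "/bin/sh -c 'mysqladmin -u root password s3cr3t-from-eyaml'",
        "path": "/usr/bin:/bin"}},
    {"type": "Exec", "title": "reload service",
     "parameters": {"command": "/bin/systemctl reload mysql"}}]})

if __name__ == "__main__":
    for finding in find_exec_secret_leaks(SAMPLE_CATALOG, ["s3cr3t-from-eyaml"]):
        print(finding)
```

Run it against the real files under the catalog cache directory named in the ticket with the decrypted eyaml values as the secret list; findings print the command with the secret masked, never the secret itself.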
Issue Links
- relates to
  - MODULES-4255 Error Message contains Passwords in plaintext while trying to install SQL Server (Closed)
  - PUP-7138 debug output of sensitive resources or attributes thereof should be redacted (Resolved)
  - PUP-10100 Exec resource should not leak sensitive commands when a relative path is given (Resolved)
  - PUP-7057 Update password property of User type to mention Sensitive data type (Closed)