sosreport may collect configs that contain plaintext passwords

Solution Verified - Updated -

Issue

sosreport may collect configs that contain plaintext passwords.

  • In /var/lib/rhsm/repo_server_val/redhat.repo, we can specify a proxy username and password
# cat redhat.repo 
proxy=http://proxy.example.com:3128/
proxy_username=foobar
proxy_password=password
  • In /root/.cache/virt-manager/*, the login name and password for accessing the virtual machine console (VNC/SPICE) are recorded
The virsh plugin collects the following files/paths:

        "/root/.cache/virt-manager/*.log"
        "/root/.virt-manager/*.log"

This log records the virtual machine XML changes made by virt-manager, including changes to the SPICE display password:

:
diff:
--- Original XML
+++ New XML
@@ -98,7 +98,7 @@
     </input>
     <input type="mouse" bus="ps2"/>
     <input type="keyboard" bus="ps2"/>
-    <graphics type="spice" autoport="yes" passwd="password">
+    <graphics type="spice" autoport="yes">
       <listen type="address"/>
     </graphics>
     <sound model="ich6">
:
  • In /var/lib/iscsi/nodes///default, we can specify iSCSI username and password
  # grep password etc/iscsi/iscsid.conf | grep \=
  #node.session.auth.password = password
  node.session.auth.password = password
  #node.session.auth.password_in = password_in
  node.session.auth.password_in = password_in
  #discovery.sendtargets.auth.password = password
  #discovery.sendtargets.auth.password_in = password_in

  # grep password var/lib/iscsi/nodes/iqn.2023-03.com.example\:storage.target00/xx.xx.xx.xx\,3260\,1/iface0 |grep \=
  node.session.auth.password = password
  node.session.auth.password_in = password_in
  • The XML configuration file /etc/autofs_ldap_auth.conf may contain an authentication secret in the tag
/etc/autofs_ldap_auth.conf

<autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="no"
    secret="password"
/>
  • The dnf plugin does not scrub "password" or "proxy_password" in /etc/yum.conf and /etc/dnf/dnf.conf files
Edit /etc/yum.conf or /etc/dnf/dnf.conf and add the proxy/password configuration:

proxy=http://proxy.example.com:3128/
proxy_password=password
  • The postfix plugin of sos collects all files in /etc/postfix, including files that are maps containing cleartext passwords
/etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_tls_security_level = encrypt
    smtp_sasl_tls_security_options = noanonymous
    relayhost = [mail.isp.example]
    # Alternative form:
    # relayhost = [mail.isp.example]:submission
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd  <----
  • The sudo plugin attempts to scrub the "bindpw" option from /etc/sudo-ldap.conf; however, sudo parses this option case-insensitively, and the plugin scrubs only the lowercase form
/etc/sudo-ldap.conf:

BINDPW base64:aGFja21lCg==
bindpw base64:aGFja21lCg==

Actual results:
"bindpw" scrubbed
"BINDPW" not scrubbed
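
A pre-upload check for an extracted sosreport tree, covering the key/value and XML-attribute cases listed above. This is an added example, not code from sos or from Red Hat. The rule set, the mask string and the function names are assumptions of the example, and the postfix map files are not covered because they have to be excluded as whole files.

```python
import re

MASK = "********"

# Rules written for this example (not the sos plugins' own patterns).
# Group 1 keeps the key and separator; only the value after it is masked.
# [ \t]* is used instead of \s* so an empty value never swallows the next line.
RULES = [
    # redhat.repo, yum.conf, dnf.conf: password= and proxy_password=
    re.compile(r"^([ \t]*#?[ \t]*(?:proxy_)?password[ \t]*=[ \t]*)\S.*$",
               re.I | re.M),
    # iscsid.conf and iSCSI node records: *.auth.password and *.auth.password_in
    re.compile(r"^([ \t]*#?[ \t]*[\w.]+\.auth\.password(?:_in)?[ \t]*=[ \t]*)\S.*$",
               re.I | re.M),
    # sudo-ldap.conf: bindpw, BINDPW or any mixed case
    re.compile(r"^([ \t]*bindpw[ \t]+)\S.*$", re.I | re.M),
    # autofs_ldap_auth.conf secret="..." and passwd="..." in virt-manager logs
    re.compile(r"""(\b(?:secret|passwd)[ \t]*=[ \t]*["'])[^"']*""", re.I),
]

def scrub(text):
    """Return (scrubbed_text, number_of_values_matched)."""
    total = 0
    for rule in RULES:
        text, hits = rule.subn(lambda m: m.group(1) + MASK, text)
        total += hits
    return text, total

def leaking_lines(text):
    """1-based numbers of lines that still hold a value the rules would mask."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if scrub(line)[0] != line]

# Constructed sample: one line per case, values copied from the article.
SAMPLE = """\
proxy=http://proxy.example.com:3128/
proxy_username=foobar
proxy_password=password
node.session.auth.password_in = password_in
BINDPW base64:aGFja21lCg==
bindpw base64:aGFja21lCg==
-    <graphics type="spice" autoport="yes" passwd="password">
    secret="password"
"""

if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE)
    print(cleaned)
    print("masked:", hits, "leaking lines before:", leaking_lines(SAMPLE))
```

Running `leaking_lines()` over each collected file before the archive leaves the host shows which lines still need masking; an already masked file reports no lines.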

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • sosreport
