Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hide the bgp password from logs #1721

Merged
merged 4 commits into from Nov 29, 2022
Merged

Hide the bgp password from logs #1721

merged 4 commits into from Nov 29, 2022

Conversation

fedepaol
Copy link
Member

We expose the password in the logs in two places:

  • when the speaker container dumps the configuration, because an error happened or because the log level is raised to debug
  • in the reloader container, every time an frr configuration gets generated

Here, in both places we replace the password before logging.

@cgoncalves
Copy link
Contributor

I'm of the opinion that logging the password when debug is on is useful when troubleshooting (only reason why one would enable debug)

yuvalk
yuvalk reviewed Nov 25, 2022
View reviewed changes
frr-reloader/frr-reloader.sh Outdated
@@ -14,14 +14,14 @@ reload_frr() {
kill_sleep

echo "Checking the configuration file syntax"
if ! python3 /usr/lib/frr/frr-reload.py --test --stdout "$FILE_TO_RELOAD" ; then
if ! python3 /usr/lib/frr/frr-reload.py --test --stdout "$FILE_TO_RELOAD" 2>&1 | sed 's/password.*/password xxxxx/g'; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

password <retracted>
is more descriptive of what happend here IMHO

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done, thanks!

@yuvalk
Copy link
Contributor

yuvalk commented Nov 25, 2022

I'm of the opinion that logging the password when debug is on is useful when troubleshooting (only reason why one would enable debug)

you can read the secret if what you need is (only) the password.
if you need the configuration, u can read it from debug log, and if you want to try it, you need to add the password in.

but getting the password from debug log is wrong.

consider the fact that logs can be stored on unencrypted disks and even in backups as well as (most common!) shipped to aggregator tools such as logstash/ splunk/ etc. so the opportunities of unauthorized access and data leak are growing.
best practices for secure coding is to treat passwords as secrets and as such mask them in logs. (or more generally - touch them as less as possible, dont carry them around, dont store them, etc.)

@fedepaol
Copy link
Member Author

I'm of the opinion that logging the password when debug is on is useful when troubleshooting (only reason why one would enable debug)

you can read the secret if what you need is (only) the password. if you need the configuration, u can read it from debug log, and if you want to try it, you need to add the password in.

but getting the password from debug log is wrong.

consider the fact that logs can be stored on unencrypted disks and even in backups as well as (most common!) shipped to aggregator tools such as logstash/ splunk/ etc. so the opportunities of unauthorized access and data leak are growing. best practices for secure coding is to treat passwords as secrets and as such mask them in logs. (or more generally - touch them as less as possible, dont carry them around, dont store them, etc.)

This, plus the fact that we can still rely on vtysh show running-config if we suspect the passwords are wrong / there's a drift between the configured password and the expected one make me tend to keep the current version

@fedepaol fedepaol force-pushed the hidepassword branch 2 times, most recently from 2cc0115 to 3588546 Compare November 28, 2022 08:50
oribon
oribon approved these changes Nov 29, 2022
View reviewed changes
Copy link
Member

@oribon oribon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@fedepaol
FRR Reloader: Hide the bgppeer password from the standard output
c41e124 
We obfuscate the password to avoid having it in clear in logs.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
@fedepaol
Logs: hide the password field when dumping the configuration
1a0702f 
When we have some errors or we have debug verb level enabled we dump the
full resources and the related configuration, including the bgp peer
password set by the user. Here we obfuscate it so it won't be visible in
logs.

Signed-off-by: Federico Paolinelli <fpaoline@redhat.com>
@fedepaol fedepaol merged commit cd7c88d into metallb:main Nov 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuvalk yuvalk yuvalk left review comments

@freedge freedge freedge left review comments

@oribon oribon oribon approved these changes

@rata rata Awaiting requested review from rata

@russellb russellb Awaiting requested review from russellb russellb is a code owner

@gclawes gclawes Awaiting requested review from gclawes gclawes is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@fedepaol @cgoncalves @yuvalk @freedge @oribon