[ipa] Capture more cert information and other fixes
More cert information is captured; the "ipa-replica-manage"
commands are removed because they would time out waiting
for a password; some collected data is sanitized; and
some logs with wildcards that were not properly collected
are now collected.

Fixes: #754

Signed-off-by: Shane Bradley <sbradley@redhat.com>
sbradley7777 committed Feb 2, 2016
1 parent 691e629 commit 594c2fd
Showing 1 changed file with 21 additions and 11 deletions.
32 changes: 21 additions & 11 deletions sos/plugins/ipa.py
Expand Up @@ -15,6 +15,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

from sos.plugins import Plugin, RedHatPlugin
from glob import glob


class Ipa(Plugin, RedHatPlugin):
Expand Down Expand Up @@ -56,40 +57,49 @@ def setup(self):
"/etc/dirsrv/slapd-*/dse.ldif",
"/etc/dirsrv/slapd-*/schema/99user.ldif",
"/etc/hosts",
"/etc/named.*"
"/etc/named.*",
"/etc/pki-ca/CS.cfg",
"/etc/ipa/ca.crt",
"/etc/ipa/default.conf",
"/var/lib/certmonger/requests/[0-9]*",
"/var/lib/certmonger/cas/[0-9]*"
])

self.add_forbidden_path("/etc/pki/nssdb/key*")
self.add_forbidden_path("/etc/pki-ca/flatfile.txt")
self.add_forbidden_path("/etc/pki-ca/password.conf")
self.add_forbidden_path("/var/lib/pki-ca/alias/key*")

self.add_forbidden_path("/etc/dirsrv/slapd-*/key*")
self.add_forbidden_path("/etc/dirsrv/slapd-*/pin.txt")
self.add_forbidden_path("/etc/dirsrv/slapd-*/pwdfile.txt")

self.add_forbidden_path("/etc/named.keytab")

self.add_cmd_output([
"ls -la /etc/dirsrv/slapd-*/schema/",
"ipa-getcert list",
"getcert list",
"certutil -L -d /var/lib/pki-ca/alias",
"certutil -L -d /etc/httpd/alias/",
"certutil -L -d /etc/dirsrv/slapd-*/",
"klist -ket /etc/dirsrv/ds.keytab",
"klist -ket /etc/httpd/conf/ipa.keytab"
])

hostname = self.call_ext_prog('hostname')['output']
self.add_cmd_output([
"ipa-replica-manage -v list",
"ipa-replica-manage -v list %s" % hostname
], timeout=30)
for certdb_directory in glob("/etc/dirsrv/slapd-*/"):
self.add_cmd_output(["certutil -L -d %s" % certdb_directory])
return

def postproc(self):
match = r"(\s*arg \"password )[^\"]*"
subst = r"\1********"
self.do_file_sub("/etc/named.conf", match, subst)

self.do_cmd_output_sub("getcert list",
r"(pin=)'(\d+)'",
r"\1'***'")

request_logs = "/var/lib/certmonger/requests/[0-9]*"

@nalind

nalind Feb 2, 2016

Please change this to
request_logs = "/var/lib/certmonger/requests/*"

@bmr-cymru

bmr-cymru Feb 3, 2016


What is placed here currently that requires this processing but doesn't match the glob?

@nalind

nalind Feb 3, 2016

Currently, nothing. In the future, the naming convention can change, and I'd rather not lose diagnostic information if I forget about an assumption that's being made elsewhere.

@bmr-cymru

bmr-cymru Feb 3, 2016


This line does not collect data - it's doing pattern substitution on previously collected files.

@nalind

nalind Feb 3, 2016

You're right, this should apply to lines 64 and 65 as well.

for request_log in glob(request_logs):
self.do_file_sub(request_log,
r"(key_pin=)(\d+)",
r"\1***")


# vim: set et ts=4 sw=4 :
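Review bot: Both pin sanitizers in postproc only match all-digit pins: `(key_pin=)(\d+)` on the certmonger request files and `(pin=)'(\d+)'` on the getcert output leave a pin that is not purely numeric partly or wholly unmasked, which is the same class of secret that `pin.txt`, `pwdfile.txt` and `password.conf` are forbidden for earlier in setup. Masking the whole value closes that gap: `r"(key_pin=)(.*)"` with `r"\1***"` for the request files, and `r"(pin=)'([^']*)'"` with `r"\1'***'"` for the command output. Whether `do_cmd_output_sub("getcert list", …)` also reaches the `ipa-getcert list` output added in the same hunk depends on how that helper matches command names, so it is worth confirming rather than assuming both are covered.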
