From de5e07bbf1afa2ff33296379becfdbad35525dc8 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves" <bmr@redhat.com>
Date: Mon, 23 Jun 2014 15:47:17 +0100
Subject: [PATCH 09/13] [bootloader] elide bootloader password
Backport of the following commits to rhel-6:
commit 6501013bb780161e941f5e078a6ed7052f670a51
Author: Bryn M. Reeves <bmr@redhat.com>
Date: Mon Jun 2 15:27:10 2014 +0100
Make sure grub password regex handles all cases
The regex to match passwords in grub.conf needs to handle both
the --md5 and non-md5 cases and to apply the substitution only
to the secret part (password or password hash).
This needs to deal with the fact that python will return 'None'
for unmatched pattern groups leading to an exception in re.subn()
if not all referenced groups match for a given string (in contrast
to e.g. the perl approach of treating these groups as the empty
string).
Make this explicit by using an empty alternate in the possibly
unmatched '--md5' group:
r"(password\s*)(--md5\s*|\s*)(.*)",
r"\1\2********"
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
commit 23182c4f13fbadc9b7c2ab75c1ca249d5ba987d1
Author: Bryn M. Reeves <bmr@redhat.com>
Date: Mon Jun 2 14:55:03 2014 +0100
Elide bootloader password in grub plugin
The grub.conf configuration file collected by the grub plugin may
contain a plaintext or md5 hashed bootloader password. Add a regex
substitution for all files matching '.*\/grub\.conf' and replace
the password with '*'s.
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
sos/plugins/bootloader.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sos/plugins/bootloader.py b/sos/plugins/bootloader.py
index e9bcea7..dd67c47 100644
--- a/sos/plugins/bootloader.py
+++ b/sos/plugins/bootloader.py
@@ -32,3 +32,10 @@ class bootloader(sos.plugintools.PluginBase):
self.collectExtOutput("/bin/ls -laR /boot")
return
+ def postproc(self):
+ self.doPathRegexSub(
+ r".*\/grub.conf",
+ r"(password\s*)(--md5\s*|\s*)(.*)",
+ r"\1\2********"
+ )
+
--
1.9.3