rpms / sos

Clone
Source Code
GIT

Files

  1.   072790379f23552b1f121a7391658e6f6c1e1e32
  2.   SOURCES
  3.   sos-bz1164864-cluster-crm-report-password-sanitize.patch
Blob Blame History Raw 
From 0d2dd0d9ccc3242dd2dd4513924c8f308000242e Mon Sep 17 00:00:00 2001
From: Shane Bradley <sbradley@redhat.com>
Date: Wed, 6 May 2015 15:47:07 -0400
Subject: [PATCH] [cluster] enable crm_report password scrubbing

Default to specifying a password pattern of 'passw.*' when calling
the crm_report script. This causes matching strings to be elided
from the report data.

Since this scrubbing can affect the use of pacemaker state machine
snapshots for debugging the behaviour is controlled by a new option
that defaults to enabled: cluster.crm_scrub

This can be used to obtain an sosreport containing virgin crm_report
data with no password scrubbing:

  # sosreport -k cluster.crm_scrub=False

Signed-off-by: Shane Bradley <sbradley@redhat.com>
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
 sos/plugins/cluster.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/sos/plugins/cluster.py b/sos/plugins/cluster.py
index 8dd9a4d..084c030 100644
--- a/sos/plugins/cluster.py
+++ b/sos/plugins/cluster.py
@@ -25,10 +25,12 @@ class Cluster(Plugin, RedHatPlugin):
 
     plugin_name = 'cluster'
     profiles = ('cluster',)
+
     option_list = [
         ("gfs2lockdump", 'gather output of gfs2 lockdumps', 'slow', False),
         ("crm_from", 'specify the start time for crm_report', 'fast', False),
-        ('lockdump', 'gather dlm lockdumps', 'slow', False)
+        ('lockdump', 'gather dlm lockdumps', 'slow', False),
+        ('crm_scrub', 'enable password scrubbing for crm_report', '', True),
     ]
 
     packages = [
@@ -112,8 +114,14 @@ class Cluster(Plugin, RedHatPlugin):
                     "default" % self.get_option('crm_from'))
 
         crm_dest = self.get_cmd_output_path(name='crm_report', make=False)
-        self.add_cmd_output('crm_report -S -d --dest %s --from "%s"'
-                            % (crm_dest, crm_from))
+        crm_scrub = '-p "passw.*"'
+        if not self.get_option("crm_scrub"):
+            crm_scrub = ''
+            self._log_warn("scrubbing of crm passwords has been disabled:")
+            self._log_warn("data collected by crm_report may contain"
+                           " sensitive values.")
+        self.add_cmd_output('crm_report %s -S -d --dest %s --from "%s"'
+                            % (crm_scrub, crm_dest, crm_from))
 
     def do_lockdump(self):
         if self._mount_debug():
-- 
1.8.3.1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation