diff options
author | Jake Hunsaker <jhunsake@redhat.com> | 2022-04-18 15:18:20 -0400 |
---|---|---|
committer | Jake Hunsaker <jhunsake@redhat.com> | 2022-06-15 16:01:14 -0400 |
commit | 56b72eff6cd578556dfc09a1a062e5ed18753c11 (patch) | |
tree | ae63d802aa6805b10fbadb2c0015326d8c838761 | |
parent | c55d6b8fb0d90fba4182f7cdf6d753652f119fd9 (diff) | |
download | sos-56b72eff6cd578556dfc09a1a062e5ed18753c11.tar.gz |
[cleaner] Allow disabling specific parsers individually
Adds a new `--disable-parsers` option that allows users to selectively
disable parsers for a given execution of `sos clean`.
This may be useful in specific scenarios where obfuscation is not
strictly needed for all the types of data we obfuscate, and where the
user trusts whomever may be receiving the archive for review.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
-rw-r--r-- | man/en/sos-clean.1 | 12 | ||||
-rw-r--r-- | sos/cleaner/__init__.py | 17 | ||||
-rw-r--r-- | sos/collector/__init__.py | 5 | ||||
-rw-r--r-- | sos/report/__init__.py | 5 | ||||
-rw-r--r-- | tests/cleaner_tests/report_disabled_parsers.py | 61 |
5 files changed, 100 insertions, 0 deletions
diff --git a/man/en/sos-clean.1 b/man/en/sos-clean.1 index 358ec0cb..7fd2df08 100644 --- a/man/en/sos-clean.1 +++ b/man/en/sos-clean.1 @@ -4,6 +4,7 @@ sos clean - Obfuscate sensitive data from one or more sosreports .SH SYNOPSIS .B sos clean TARGET [options] [\-\-domains] + [\-\-disable-parsers] [\-\-keywords] [\-\-keyword-file] [\-\-map-file] @@ -51,6 +52,17 @@ match a domain given via this option will also be obfuscated. For example, if \fB\-\-domains redhat.com\fR is specified, then 'redhat.com' will be obfuscated, as will 'www.redhat.com' and subdomains such as 'foo.redhat.com'. .TP +.B \-\-disable-parsers PARSERS +Provide a comma-delimited list of parsers to disable when cleaning an archive. By +default all parsers are enabled. + +Note that using this option is very likely to leave sensitive information in place in +the target archive, so only use this option when absolutely necessary or you have complete +trust in the party/parties that may handle the generated report. + +Valid values for this option are currently: \fBhostname\fR, \fBip\fR, \fBmac\fR, \fBkeyword\fR, +and \fBusername\fR. +.TP .B \-\-keywords KEYWORDS Provide a comma-delimited list of keywords to scrub in addition to the default parsers. diff --git a/sos/cleaner/__init__.py b/sos/cleaner/__init__.py index 0f1458d7..a6a7fa7a 100644 --- a/sos/cleaner/__init__.py +++ b/sos/cleaner/__init__.py @@ -76,6 +76,7 @@ class SoSCleaner(SoSComponent): arg_defaults = { 'archive_type': 'auto', 'domains': [], + 'disable_parsers': [], 'jobs': 4, 'keywords': [], 'keyword_file': None, @@ -127,6 +128,18 @@ class SoSCleaner(SoSComponent): SoSUsernameParser(self.cleaner_mapping, self.opts.usernames) ] + for _parser in self.opts.disable_parsers: + for _loaded in self.parsers: + _loaded_name = _loaded.name.lower().split('parser')[0].strip() + if _parser.lower().strip() == _loaded_name: + self.log_info("Disabling parser: %s" % _loaded_name) + self.ui_log.warn( + "Disabling the '%s' parser. Be aware that this may " + "leave sensitive plain-text data in the archive." + % _parser + ) + self.parsers.remove(_loaded) + self.archive_types = [ SoSReportDirectory, SoSReportArchive, @@ -239,6 +252,10 @@ third party. 'was generated as')) clean_grp.add_argument('--domains', action='extend', default=[], help='List of domain names to obfuscate') + clean_grp.add_argument('--disable-parsers', action='extend', + default=[], dest='disable_parsers', + help=('Disable specific parsers, so that those ' + 'elements are not obfuscated')) clean_grp.add_argument('-j', '--jobs', default=4, type=int, help='Number of concurrent archives to clean') clean_grp.add_argument('--keywords', action='extend', default=[], diff --git a/sos/collector/__init__.py b/sos/collector/__init__.py index 66c3d932..5883c14c 100644 --- a/sos/collector/__init__.py +++ b/sos/collector/__init__.py @@ -80,6 +80,7 @@ class SoSCollector(SoSComponent): 'cluster_type': None, 'container_runtime': 'auto', 'domains': [], + 'disable_parsers': [], 'enable_plugins': [], 'encrypt_key': '', 'encrypt_pass': '', @@ -451,6 +452,10 @@ class SoSCollector(SoSComponent): cleaner_grp.add_argument('--domains', dest='domains', default=[], action='extend', help='Additional domain names to obfuscate') + cleaner_grp.add_argument('--disable-parsers', action='extend', + default=[], dest='disable_parsers', + help=('Disable specific parsers, so that ' + 'those elements are not obfuscated')) cleaner_grp.add_argument('--keywords', action='extend', default=[], dest='keywords', help='List of keywords to obfuscate') diff --git a/sos/report/__init__.py b/sos/report/__init__.py index b9e6620f..5322e658 100644 --- a/sos/report/__init__.py +++ b/sos/report/__init__.py @@ -86,6 +86,7 @@ class SoSReport(SoSComponent): 'keep_binary_files': False, 'desc': '', 'domains': [], + 'disable_parsers': [], 'dry_run': False, 'estimate_only': False, 'experimental': False, @@ -346,6 +347,10 @@ class SoSReport(SoSComponent): cleaner_grp.add_argument('--domains', dest='domains', default=[], action='extend', help='Additional domain names to obfuscate') + cleaner_grp.add_argument('--disable-parsers', action='extend', + default=[], dest='disable_parsers', + help=('Disable specific parsers, so that ' + 'those elements are not obfuscated')) cleaner_grp.add_argument('--keywords', action='extend', default=[], dest='keywords', help='List of keywords to obfuscate') diff --git a/tests/cleaner_tests/report_disabled_parsers.py b/tests/cleaner_tests/report_disabled_parsers.py new file mode 100644 index 00000000..84af7893 --- /dev/null +++ b/tests/cleaner_tests/report_disabled_parsers.py @@ -0,0 +1,61 @@ +# This file is part of the sos project: https://github.com/sosreport/sos +# +# This copyrighted material is made available to anyone wishing to use, +# modify, copy, or redistribute it subject to the terms and conditions of +# version 2 of the GNU General Public License. +# +# See the LICENSE file in the source distribution for further information. + +from sos_tests import StageOneReportTest, StageTwoReportTest + + +ARCHIVE = 'sosreport-cleanertest-2021-08-03-qpkxdid.tar.xz' + +class ReportDisabledParsersTest(StageOneReportTest): + """Run report with selected disabled parsers and ensure those parsers are + in fact disabled and unused. + + :avocado: tags=stageone + """ + + sos_cmd = '--clean -o host,kernel,networking --disable-parsers=ip' + + def test_local_ip_not_obfuscated(self): + self.assertFileHasContent('ip_addr', self.sysinfo['pre']['networking']['ip_addr']) + + def test_disable_message_logged(self): + self.assertSosLogContains('Disabling parser: ip') + + def test_ui_log_message_shown(self): + self.assertSosUILogContains( + '.*Be aware that this may leave sensitive plain-text data in the archive.' + ) + + # make sure that the other parsers remain functional + def test_localhost_was_obfuscated(self): + self.assertFileHasContent('/etc/hostname', 'host0') + + def test_mac_addrs_were_obfuscated(self): + content = self.get_file_content('sos_commands/networking/ip_maddr_show') + for line in content.splitlines(): + if line.strip().startswith('link'): + mac = line.strip().split()[1] + assert mac.startswith('53:4f:53'), "Found unobfuscated mac addr %s" % mac + + +class NativeCleanDisabledParsersTest(StageTwoReportTest): + """Ensure that disabling parsers works when calling 'clean' directly as + well. + + :avocado: tags=stagetwo + """ + + sos_cmd = "--disable-parsers=hostname tests/test_data/%s" % ARCHIVE + sos_component = 'clean' + + def test_localhost_not_obfuscated(self): + self.assertFileNotHasContent('/etc/hostname', self.sysinfo['pre']['networking']['hostname']) + self.assertFileNotHasContent('uname', self.sysinfo['pre']['networking']['hostname']) + + def test_local_ip_was_obfuscated(self): + self.assertFileNotHasContent('ip_addr', self.sysinfo['pre']['networking']['ip_addr']) |