author | Jake Hunsaker <jhunsake@redhat.com> | 2016-06-28 15:58:54 -0400 |
---|---|---|
committer | Bryn M. Reeves <bmr@redhat.com> | 2016-06-29 14:12:54 +0100 |
commit | d3cb5416571cd04d0a8e5025075d016259460c97 (patch) | |
tree | 781acd2e0e0260970a2045fc531a4ddf1339cdae | |
parent | c6d0d286a00afd0e5e8bad95249740e00904caa0 (diff) | |
download | sos-d3cb5416571cd04d0a8e5025075d016259460c97.tar.gz |
[Plugin] Add mechanism to remove certificates and keys from output
This adds a 'do_cmd_private_sub()' function that removes collected certificates
and keys. This function takes a cmd name to match against output collected, but
does not take a regexp or substituting string as does do_cmd_output_sub(). Any
found certificates or keys are replaced by a '-----SCRUBBED' line, e.g.:
"-----SCRUBBED CERTIFICATE-----"
or
"-----SCRUBBED RSA PRIVATE KEY-----"
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
-rw-r--r-- | sos/plugins/__init__.py | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/sos/plugins/__init__.py b/sos/plugins/__init__.py
index 532bd0c4..6f86553b 100644
--- a/sos/plugins/__init__.py
+++ b/sos/plugins/__init__.py
@@ -186,6 +186,40 @@ class Plugin(object):
 '''Is the package $package_name installed?'''
 return self.policy().pkg_by_name(package_name) is not None
 
+ def do_cmd_private_sub(self, cmd):
+ '''Remove certificate and key output archived by sosreport. cmd
+ is the command name from which output is collected (i.e. exlcuding
+ parameters). Any matching instances are replaced with: '-----SCRUBBED'
+ and this function does not take a regexp or substituting string.
+
+ This function returns the number of replacements made.
+ '''
+ globstr = '*' + cmd + '*'
+ self._log_debug("Scrubbing certs and keys for commands matching %s"
+ % (cmd))
+
+ if not self.executed_commands:
+ return 0
+
+ replacements = None
+ try:
+ for called in self.executed_commands:
+ if called['file'] is None:
+ continue
+ if fnmatch.fnmatch(called['exe'], globstr):
+ path = os.path.join(self.commons['cmddir'], called['file'])
+ readable = self.archive.open_file(path)
+ certmatch = re.compile("-----BEGIN.*?-----END", re.DOTALL)
+ result, replacements = certmatch.subn(
+ "-----SCRUBBED", readable.read())
+ if replacements:
+ self.archive.add_string(result, path)
+ except Exception as e:
+ msg = "Certificate/key scrubbing failed for '%s' with: '%s'"
+ self._log_error(msg % (called['exe'], e))
+ replacements = None
+ return replacements
+
 def do_cmd_output_sub(self, cmd, regexp, subst):
 '''Apply a regexp substitution to command output archived by sosreport. cmd
 is the command name from which output is collected (i.e. excluding |
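Review bot: `replacements` is reassigned for every matching file inside the `for called in self.executed_commands` loop, so the value returned is the count from the last match only rather than the total the docstring promises. It is also `None` both when no command matched and when scrubbing failed, so a caller cannot tell "nothing to scrub" from "key material may still be in the archive". Because one `try` wraps the whole loop, the first file that fails to open or read ends scrubbing for every later match and those outputs stay unredacted; handling the error per file, summing the counts and closing the handle from `open_file` (assuming it is an ordinary file object, as `readable.read()` suggests) would address all three. The pattern needs a closing `-----END`, so a truncated `-----BEGIN` block with no end marker is left in the output, which deserves at least a comment next to `certmatch`. The docstring has a typo, `exlcuding`.

```python
    def do_cmd_private_sub(self, cmd):
        # … unchanged: docstring, globstr, debug log, empty executed_commands check …
        # NOTE: only blocks with a closing "-----END" are matched; a truncated
        # "-----BEGIN" block is left as collected.
        certmatch = re.compile("-----BEGIN.*?-----END", re.DOTALL)
        total = 0
        failed = False
        for called in self.executed_commands:
            if called['file'] is None:
                continue
            if not fnmatch.fnmatch(called['exe'], globstr):
                continue
            path = os.path.join(self.commons['cmddir'], called['file'])
            try:
                readable = self.archive.open_file(path)
                try:
                    content = readable.read()
                finally:
                    readable.close()
                result, count = certmatch.subn("-----SCRUBBED", content)
                if count:
                    self.archive.add_string(result, path)
                total += count
            except Exception as e:
                msg = "Certificate/key scrubbing failed for '%s' with: '%s'"
                self._log_error(msg % (called['exe'], e))
                failed = True
        # None still signals failure, as before; 0 now means nothing was found.
        return None if failed else total
```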