author | Jake Hunsaker <jhunsake@redhat.com> | 2018-11-28 10:43:40 -0500 |
---|---|---|
committer | Bryn M. Reeves <bmr@redhat.com> | 2019-03-12 15:32:39 +0000 |
commit | bcc939b71842175010e60d0d063043e9f780c702 (patch) | |
tree | 6edde4cd061f1268719650beaaf0232a5bd56650 | |
parent | 749165e09da65d073ace7136dc29cfa28931b751 (diff) | |
[podman|docker] Add postprocessing for container inspect output
Adds a postproc for the podman and docker plugins that attempts to
mask the values of sensitive-looking keys in 'inspect' output for those runtimes.
Previously, these keys were being captured in plaintext which could lead
to passwords or similar being leaked when sysadmins configure containers
with environment variables (or similar) that contain this data.
Specifically, we match against 'key=value' pairs as that is how the
container runtimes accept and print these pairs, like so:
"Env": [
"mypassword=supersecret",
"container=oci"
],
By comparison, the inspect outputs now read like the following when a
potentially sensitive key is found:
"Env": [
"mypassword=********",
"container=oci"
],
Resolves: #1487
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
-rw-r--r-- | sos/plugins/docker.py | 17 | ||||
-rw-r--r-- | sos/plugins/podman.py | 16 |
2 files changed, 33 insertions, 0 deletions
diff --git a/sos/plugins/docker.py b/sos/plugins/docker.py
index 69ac997e..3cce15ed 100644
--- a/sos/plugins/docker.py
+++ b/sos/plugins/docker.py
@@ -88,6 +88,23 @@ class Docker(Plugin):
if self.get_option('logs'):
self.add_cmd_output("docker logs -t %s" % container)
+ def postproc(self):
+ # Attempts to match key=value pairs inside container inspect output
+ # for potentially sensitive items like env vars that contain passwords.
+ # Typically, these will be seen in env elements or similar, and look
+ # like this:
+ # "Env": [
+ # "mypassword=supersecret",
+ # "container=oci"
+ # ],
+ # This will mask values when the variable name looks like it may be
+ # something worth obfuscating.
+
+ env_regexp = r'(?P<var>(pass|key|secret|PASS|KEY|SECRET).*?)=' \ '(?P<value>.*?)"'
+ self.do_cmd_output_sub('*inspect*', env_regexp,
+ r'\g<var>=********"')
+
class RedHatDocker(Docker, RedHatPlugin):
diff --git a/sos/plugins/podman.py b/sos/plugins/podman.py
index 72e22558..cdf60043 100644
--- a/sos/plugins/podman.py
+++ b/sos/plugins/podman.py
@@ -74,5 +74,21 @@ class Podman(Plugin, RedHatPlugin, UbuntuPlugin):
if self.get_option('logs'):
self.add_cmd_output("podman logs -t %s" % container)
+ def postproc(self):
+ # Attempts to match key=value pairs inside container inspect output
+ # for potentially sensitive items like env vars that contain passwords.
+ # Typically, these will be seen in env elements or similar, and look
+ # like this:
+ # "Env": [
+ # "mypassword=supersecret",
+ # "container=oci"
+ # ],
+ # This will mask values when the variable name looks like it may be
+ # something worth obfuscating.
+
+ env_regexp = r'(?P<var>(pass|key|secret|PASS|KEY|SECRET).*?)=' \ '(?P<value>.*?)"'
+ self.do_cmd_output_sub('*inspect*', env_regexp,
+ r'\g<var>=********"')
# vim: set et ts=4 sw=4 : |
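Review bot: The alternation on the `env_regexp` line of the new `Docker.postproc` lists only all-lowercase and all-uppercase spellings, so mixed-case names that are common in container images (`Password=`, `ApiKey=`, `DbSecret=`) pass through the `docker inspect` output unmasked. An inline flag fixes that without depending on whether `do_cmd_output_sub` accepts `re` flags: `env_regexp = r'(?i)(?P<var>(pass|key|secret).*?)=(?P<value>.*?)"'`. Separately, inspect output is JSON, so a `"` inside a value is emitted as `\"` and the lazy `.*?"` stops at it, leaving the tail of the value in the clear; `(?P<value>(?:[^"\\]|\\.)*)"` consumes escaped quotes before the closing one. The broader keyword match will also mask harmless names such as `KEYCLOAK_URL`, which is the safe direction for a collector like sos. Only commands matching `*inspect*` are rewritten; the `logs` output gathered just above is untouched, which is probably fine since it is application output rather than configuration, but worth confirming for the images you care about.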
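Review bot: The `env_regexp` and `do_cmd_output_sub` lines in the new `Podman.postproc` are a byte-for-byte copy of the docker plugin's, so every future tweak to the keyword list (`token`, `pwd`, `cred`) or to the value pattern has to be made twice and can drift; presumably the plugin base in `sos/plugins/__init__.py` is the place for one shared constant, but confirm such a home exists before moving it. The `value` group is captured yet never referenced by the substitution, so it could be non-capturing or simply `.*?` without changing the result. Also, because inspect output is JSON, an escaped `\"` inside a value terminates the lazy `.*?"` early and the remainder of the value survives the masking; `(?P<value>(?:[^"\\]|\\.)*)"` would consume it. `postproc` is complete within the hunk, while the `Podman` class header lies outside it.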