From cbedcff40c44713c82c2e676d6dfcc8e502d3566 Mon Sep 17 00:00:00 2001 From: Robb Manes Date: Fri, 26 Oct 2018 18:01:46 -0600 Subject: [openswan] Forbid collection of secrets and certdb When collecting IPSec data, currently nothing prevents the collection of keys or the cert.db files. Ensure we don't collect this information as it is private. Thanks to Robert Bost (@bostrt) for discovering this and Matt Rogers (@mrogers950) for double checking what we should ignore. Resolves: #1463 Signed-off-by: Robb Manes Signed-off-by: Bryn M. Reeves
--- sos/plugins/openswan.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sos/plugins/openswan.py b/sos/plugins/openswan.py
index 4011aeed..f9241660 100644
--- a/sos/plugins/openswan.py
+++ b/sos/plugins/openswan.py
@@ -36,6 +36,11 @@ class Openswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
 if self.get_option("ipsec-barf"):
 self.add_cmd_output("ipsec barf")
- self.add_forbidden_path("/etc/ipsec.d/key[3-4].db")
+ self.add_forbidden_path([
+ '/etc/ipsec.secrets',
+ '/etc/ipsec.secrets.d/*',
+ '/etc/ipsec.d/*.db',
+ '/etc/ipsec.d/*.secrets'
+ ])
 # vim: set et ts=4 sw=4 :
-- cgit
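Review bot: The new forbidden-path globs are all single-level, so if the plugin's copy spec (outside this hunk) pulls in `/etc/ipsec.d` as a directory, key material kept in subdirectories — Openswan conventionally stores raw RSA and X.509 private keys under `/etc/ipsec.d/private/` — would still be collected even though `*.db` and `*.secrets` at the top level are now excluded; adding `'/etc/ipsec.d/private/*',` to the list closes that gap if the plugin does copy that tree (verify against the copy spec). Note also that `add_forbidden_path` only filters file collection, not command output, so the `ipsec barf` capture a few lines above is unaffected by this change; it is worth confirming that barf masks values from `ipsec.secrets` before relying on this patch as a complete fix for #1463. A minor style point: the list uses single-quoted strings while the surrounding file uses double quotes (`"ipsec-barf"`, `"ipsec barf"`). The enclosing method starts before this hunk.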