From de5e07bbf1afa2ff33296379becfdbad35525dc8 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves"
Date: Mon, 23 Jun 2014 15:47:17 +0100
Subject: [PATCH 09/13] [bootloader] elide bootloader password
Backport of the following commits to rhel-6: commit 6501013bb780161e941f5e078a6ed7052f670a51 Author: Bryn M. Reeves Date: Mon Jun 2 15:27:10 2014 +0100 Make sure grub password regex handles all cases The regex to match passwords in grub.conf needs to handle both the --md5 and non-md5 cases and to apply the substitution only to the secret part (password or password hash). This needs to deal with the fact that python will return 'None' for unmatched pattern groups leading to an exception in re.subn() if not all referenced groups match for a given string (in contrast to e.g. the perl approach of treating these groups as the empty string). Make this explicit by using an empty alternate in the possibly unmatched '--md5' group: r"(password\s*)(--md5\s*|\s*)(.*)", r"\1\2********" Signed-off-by: Bryn M. Reeves commit 23182c4f13fbadc9b7c2ab75c1ca249d5ba987d1 Author: Bryn M. Reeves Date: Mon Jun 2 14:55:03 2014 +0100 Elide bootloader password in grub plugin The grub.conf configuration file collected by the grub plugin may contain a plaintext or md5 hashed bootloader password. Add a regex substitution for all files matching '.*\/grub\.conf' and replace the password with '*'s. Signed-off-by: Bryn M. Reeves
---
 sos/plugins/bootloader.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/sos/plugins/bootloader.py b/sos/plugins/bootloader.py
index e9bcea7..dd67c47 100644
--- a/sos/plugins/bootloader.py
+++ b/sos/plugins/bootloader.py
@@ -32,3 +32,10 @@ class bootloader(sos.plugintools.PluginBase):
 self.collectExtOutput("/bin/ls -laR /boot")
 return
+ def postproc(self):
+ self.doPathRegexSub(
+ r".*\/grub.conf",
+ r"(password\s*)(--md5\s*|\s*)(.*)",
+ r"\1\2********"
+ )
+
--
1.9.3
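Review bot: The path pattern `r".*\/grub.conf"` in the new `postproc` leaves the dot before `conf` unescaped, although the commit message describes it as `.*\/grub\.conf`; `r".*/grub\.conf"` would match the stated intent and drop the unneeded `\/` escape. The password pattern is unanchored, so any line containing the substring `password` is rewritten from that point to the end of the line, comments included. That errs on the safe side for a redaction, but a short comment above the call such as `# scrub plaintext or hashed grub passwords from collected grub.conf copies` would record that the breadth is intentional. The list of files this plugin collects is outside the hunk, so it is worth confirming that the config is not also gathered under another name (a menu.lst copy, for example), because only paths matching grub.conf are scrubbed here.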