Bug #18200
closed
Audit entries for encrypted oauth_consumer_secret created on app startup
Added by El Joppa about 8 years ago.
Updated almost 7 years ago.
Description
My audit log is mostly spammed by the following events:
updated Setting: oauth_consumer_secret
Value changed from [encrypted] to [encrypted]
Foreman 1.14
Files
foreman (1.96 KB): foreman crontab in /etc/cron.d. Achim Ziegler, 03/01/2017 02:09 AM
- Category set to Audit Log
Same for me.
Is there a way to filter out this message in the audit? The "setting" button is non-clickable, unfortunately.
I wonder if you use puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run which might explain this.
I don't use puppet modules for managing my Foreman instance. However, when using foreman-rake, I'm still getting this output (and also have all the entries in the audit log).
root@sledge:~# foreman-rake config
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
[...]
Same for me, I don't manage Foreman with Puppet; although the Foreman server is managed by Puppet, nothing relevant to Foreman is touched with Puppet.
The audit log entries related to this problem "updated Setting: oauth_consumer_secret" come regularly by block of 3-6 at the same time that could match the execution of Puppet agent on the node.
Michael, do you see new audits after running foreman-rake? I think these were different and harmless warnings.
Yvan, what are their times? Does each block start every e.g. 30 minutes? Could you check foreman production.log and see if there's some API call logged there for the same time?
I do see such entries in the audit log after a "foreman-rake config" or "foreman-rake console"
I don't see entries in foreman's production.log or cron.log when running puppet agent manually.
I don't see entries either when running foreman-rake config.
grep -i oauth *log | head
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_key
cron.log:Successfully encrypted field for Setting::Auth oauth_consumer_secret
cron.log:Successfully decrypted field for Setting::Auth oauth_consumer_secret
but when running foreman-rake config manually, I get this on stdout :
- foreman-rake config
Successfully encrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully decrypted field for Setting::Auth oauth_consumer_key
Successfully encrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
Successfully decrypted field for Setting::Auth oauth_consumer_secret
access_unattended_without_build: false
administrator: infrastructure@xxxx.yyyy
always_show_configuration_status: false
Marek Hulán wrote:
I wonder if you use puppet module to maintain your Foreman instance. I saw other users reporting that it runs "rake db:seed" with every run which might explain this.
I'm one of these users - db:seed and db:migrate all over the place. Because of this, we've removed the module from our Foreman servers - we don't want to actually seed/migrate stuff every 30 minutes for every foreman server.
Also, this is/was in 1.12 too.
Chris, would you mind opening a separate issue for this? It seems this one is unrelated.
The problem is caused by foreman-rake commands in the crontab, not by puppet
These messages are making our audit emails completely useless. Every day we get ~210 audits when nothing has been changed. All the audits are the encrypt/decrypt of oauth_consumer_key and oauth_consumer_secret.
We're using ldap auth and as per the recommendations in the documentation we use a cron job running
foreman-rake ldap:refresh_usergroups
to keep our ldap groups refreshed. This cron job results in these audit messages for oauth secret/key. Would be nice to not have them there!
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
- Release relationship changed from auto to added
- Subject changed from audit log full of oauth_consumer_secret entries to Audit entries for encrypted oauth_consumer_secret created on app startup
Cause: encrypted settings (smtp_password, oauth_consumer_*) that are in settings.yaml will create audit entries on startup, as Setting.create_existing will call #value= to set the value from settings.yaml. The (unchanged) value will be re-encrypted, creating new ciphertext and changing what's stored in the DB each time, causing new audit entries.
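The cause described above, reproduced as an added Ruby example (not Foreman's code): re-encrypting an unchanged secret with a fresh nonce yields different ciphertext, so a change-based audit fires on every startup, while comparing the decrypted plaintext first avoids it. `DemoSetting`, `value_naive=`, `value_guarded=`, `audits_after_startups` and the AES-256-GCM helpers are hypothetical stand-ins, and the key and secret are constructed.

```ruby
require "openssl"

KEY = OpenSSL::Digest::SHA256.digest("constructed-demo-key") # constructed, not a real key

def encrypt(plain)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = KEY
  iv = c.random_iv                      # fresh nonce, so fresh ciphertext per call
  ct = c.update(plain) + c.final
  iv + c.auth_tag + ct                  # 12-byte nonce, 16-byte tag, ciphertext
end

def decrypt(blob)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = KEY
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  (c.update(blob[28..-1]) + c.final).force_encoding("UTF-8")
end

# Hypothetical stand-in for an audited encrypted setting (not Foreman's Setting model).
class DemoSetting
  attr_reader :stored, :audits
  def initialize(plain)
    @stored = encrypt(plain)
    @audits = []
  end

  # Behaviour described in the ticket: each assignment re-encrypts the value.
  def value_naive=(plain)
    write(encrypt(plain))
  end

  # Guarded variant: keep the existing ciphertext when the plaintext is unchanged.
  def value_guarded=(plain)
    write(encrypt(plain)) unless decrypt(@stored) == plain
  end

  private
  def write(blob)
    @audits << "Value changed from [encrypted] to [encrypted]" if blob != @stored
    @stored = blob
  end
end

def audits_after_startups(setter, runs, value = "constructed-secret")
  s = DemoSetting.new(value)
  runs.times { s.public_send(setter, value) } # same value re-applied per startup
  s.audits.size
end
```

Calling `audits_after_startups(:value_naive=, 5)` and `audits_after_startups(:value_guarded=, 5)` shows the difference in audit volume for five simulated startups.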
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/4558 added
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
seems to work fine in 1.14.3 for me, just in case anyone else wants to apply this to a production install
- Release set to 240
Would we consider this for 1.15.z? This is fairly annoying :-)
- Release changed from 240 to 276