Project

General

Profile

Actions
Copy link

Feature #24506

open

filter out some RSA private keys which are logged by some /api/v2 requests

Added by Anonymous almost 7 years ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Katello 3.7.0
Red Hat JIRA:

Description

RSA private keys are written in /var/log/foreman/production.log which have a 644 default mode.


2018-08-01T07:51:30 [I|kat|] GET: https://foremanproxy01.mycompany.com/pulp/api/v2/repositories/f8a653cb-30f3-4a0e-8077-2c5398dfcddb/?details=true: {"content_type"=>"application/json", "accept"=>
"application/json"}
Response: 200: {"........

The JSON data sent as response to this GET request contains certificate and private key.
Maybe private keys should not be logged, or at a higher level. If I m not wrong, it s the "information" level but the answer payload is fully dumped in log file.

Actions
Copy link
 #1

Updated by Jonathon Turel almost 7 years ago

  • Target version set to Katello 3.9.0
  • Triaged changed from No to Yes
Actions
Copy link
 #2

Updated by Zach Huntington-Meath over 6 years ago

  • Target version changed from Katello 3.9.0 to Katello Backlog
Actions
Copy link
 #3

Updated by Ian Ballou 8 months ago

  • Target version deleted (Katello Backlog)
Actions
Copy link

Also available in: Atom PDF