Feature #24506

filter out some RSA private keys which are logged by some /api/v2 requests

Added by Hart Mel about 1 year ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty: -
Triaged: Yes
Bugzilla link: -
Pull request: -
Team Backlog: -
Fixed in Releases: -
Found in Releases: -

Description

RSA private keys are written to /var/log/foreman/production.log, which has a default mode of 644.

2018-08-01T07:51:30 [I|kat|] GET: https://foremanproxy01.mycompany.com/pulp/api/v2/repositories/f8a653cb-30f3-4a0e-8077-2c5398dfcddb/?details=true: {"content_type"=>"application/json", "accept"=>"application/json"}
Response: 200: {"........

The JSON data sent as the response to this GET request contains the certificate and the private key.
Maybe private keys should not be logged, or only at a higher level. If I'm not wrong, it's the "information" level, but the response payload is fully dumped into the log file.
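A redaction filter of the kind the report asks for, as an added example (not Katello's or Foreman's code): it strips PEM private-key blocks and known secret keys from a response body before the body is logged. The hash key names (`ssl_client_key`, `private_key`, `client_key`) and the sample body are assumptions modelled on the Pulp v2 repository response quoted above.

```ruby
# Added example (not Katello/Foreman code): redact private-key material from a
# Pulp API response body before it is written to production.log.
require 'json'

# Matches any PEM private-key block (RSA, EC, PKCS#8, encrypted PKCS#8).
PEM_PRIVATE_KEY = /-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----/m
REDACTED = '[FILTERED]'.freeze

# Hash keys whose values are secrets regardless of format (assumed names).
SECRET_KEYS = %w[private_key client_key ssl_client_key].freeze

# Walk a parsed JSON structure, filtering secret keys and PEM blocks in strings.
def redact_value(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = SECRET_KEYS.include?(k.to_s) ? REDACTED : redact_value(v)
    end
  when Array
    value.map { |v| redact_value(v) }
  when String
    value.gsub(PEM_PRIVATE_KEY, REDACTED)
  else
    value
  end
end

# Redact a raw response body. JSON bodies are parsed so key names can be
# checked; anything that is not JSON falls back to the PEM regex alone.
def redact_response_body(body)
  JSON.generate(redact_value(JSON.parse(body)))
rescue JSON::ParserError
  body.gsub(PEM_PRIVATE_KEY, REDACTED)
end

# Constructed sample resembling the repository details response in the
# report; the key bytes are placeholders, not real key material.
SAMPLE_BODY = JSON.generate(
  'id' => 'f8a653cb-30f3-4a0e-8077-2c5398dfcddb',
  'importers' => [{
    'config' => {
      'ssl_client_cert' => "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
      'ssl_client_key'  => "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"
    }
  }]
)

puts "Response: 200: #{redact_response_body(SAMPLE_BODY)}"
```

The certificate is left intact because it is public material; only the key value and any PEM private-key block are replaced.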

History

#1 Updated by Jonathon Turel about 1 year ago

  • Triaged changed from No to Yes
  • Target version set to Katello 3.9.0

#2 Updated by Zach Huntington-Meath 11 months ago

  • Target version changed from Katello 3.9.0 to Katello Backlog
