
fuel-dev team mailing list archive

filtering out passwords from diagnostic snapshot

The issue is that when we make a diagnostic snapshot we get files as they
are. Files like /etc/astute.yaml contain plain-text passwords, which we
strongly want filtered out from wherever they appear.

There are two major approaches here.

First is to use bare filtering such as sed. We have a set of passwords taken
from the database, and we can find those pieces of plain text throughout the
snapshot files and substitute them with something. The problem here is that
passwords can look like "1" or "admin", so we would be forced to filter out
all such occurrences. To avoid this problem we need to check the passwords
for their strength. Strong passwords like "Ainei0oh" can be found and
substituted, since we can be sure that they are actual passwords and not
meaningful strings.

Second, you have data about where and how passwords appear: something like
a set of regular expressions /(foo:\s+)(PASSWORD)(bar)$/ together with file
names. The problem here is that we somehow need to gather those data, and
they could eventually turn out to be invalid, so we are likely to miss one
of the occurrences.

Let's have a discussion about it and make a decision.

-- 
Vladimir Kozhukalov
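The two approaches described in the message, combined into one added example. This is illustrative Python written for this page, not Fuel project code; the snapshot file contents, the known-password set, the weak-word list, the strength heuristic and the single context rule for astute.yaml are all constructed assumptions. Context rules run first, so a trivial password such as "1" is still redacted where a key names it; value substitution then removes every strong known password from all remaining text (logs included) without wiping every "admin" in the snapshot.

```python
"""Redact credentials from diagnostic snapshot files (added example)."""
import re

REDACTED = "***REDACTED***"

# Constructed list of strings too common to treat as secrets on their own.
WEAK_WORDS = {"admin", "password", "root", "secret", "changeme"}


def is_strong(password, min_len=8):
    """Heuristic strength check: a password is only safe to substitute
    blindly if it is long and mixes at least two character classes, so it
    is unlikely to occur as a meaningful string elsewhere in the snapshot."""
    if len(password) < min_len or password.lower() in WEAK_WORDS:
        return False
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return classes >= 2


def redact_by_value(text, passwords):
    """Approach 1: substitute each known strong password wherever it appears.
    Longest first, so a password containing a shorter one is replaced whole."""
    strong = sorted((p for p in passwords if is_strong(p)), key=len, reverse=True)
    for pwd in strong:
        text = re.sub(re.escape(pwd), REDACTED, text)
    return text


# Approach 2: where and how passwords appear, keyed by a file-name pattern.
# Constructed rule: a YAML key containing password/passwd/secret, whose
# whole value (quoted or not) is replaced; group 1 keeps the key intact.
CONTEXT_RULES = {
    r"astute\.yaml$": [
        re.compile(
            r"^([ \t]*[\w.-]*(?:password|passwd|secret)[\w.-]*:[ \t]*)(.+?)[ \t]*$",
            re.IGNORECASE | re.MULTILINE,
        ),
    ],
}


def redact_by_context(filename, text):
    """Apply every context rule registered for this file name."""
    for name_pattern, rules in CONTEXT_RULES.items():
        if re.search(name_pattern, filename):
            for rule in rules:
                text = rule.sub(lambda m: m.group(1) + REDACTED, text)
    return text


def redact_snapshot(snapshot, known_passwords):
    """Context rules first (they also catch weak passwords where the key
    names them), then value substitution of strong passwords everywhere."""
    return {
        name: redact_by_value(redact_by_context(name, content), known_passwords)
        for name, content in snapshot.items()
    }


# Constructed snapshot contents and password set; not real Fuel data.
SNAPSHOT = {
    "etc/astute.yaml": (
        "fuel:\n"
        "  user: admin\n"
        "  password: Ainei0oh\n"
        "mysql:\n"
        '  root_password: "1"\n'
        "node_name: admin\n"
    ),
    "var/log/puppet.log": "notice: connecting to db as admin / Ainei0oh\n",
}
KNOWN_PASSWORDS = {"Ainei0oh", "1", "admin"}

if __name__ == "__main__":
    for name, content in redact_snapshot(SNAPSHOT, KNOWN_PASSWORDS).items():
        print("==>", name)
        print(content, end="")
```

Running it leaves "user: admin" and "node_name: admin" untouched while redacting both password values in astute.yaml and the strong password echoed in the log line; a weak password that appears in a file with no context rule is the gap the message describes, and this example does not paper over it.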
