fuel-dev team mailing list archive

[Bogdan Dobrelya <bdobrelia@xxxxxxxxxxxx>]

On 11/19/2013 12:18 PM, Vladimir Kozhukalov wrote:
> The issue is that when we make diagnostic snapshot we get files as 
> they are. Those files like /etc/astute.yaml contain plain text 
> passwords which are strongly desirable  to be filtered out from 
> wherever they appear.
>
> There are two major approaches here.
>
> First is to use bare filtering such as sed. We have set of passwords 
> taken from database and we can find those pieces of plain text 
> throughout snapshot files and substitute them with something. The 
> problem here is that passwords can look like "1" or "admin", so we are 
> enforced to filter out all such occurrences. To avoid this problem we 
> need to check passwords for their strength. Strong passwords like 
> "Ainei0oh" can be found and substituted being sure that they are 
> actual passwords and not meaningful strings.
>
> Second, you have data about where and how passwords appear. Those data 
> are something like set of regular expressions 
> /(foo:\s+)(PASSWORD)(bar)$/ with file names. The problem here is that 
> we need somehow to gather those data and they eventually could turn 
> out to be invalid so we are likely to skip one of the occurrences.
>
> Let's have a discussion about it and make a decision.
>
> --
> Vladimir Kozhukalov
I believe we should consider all configuration files in snapshot as 
documents and use any document based indexing systems, f.e. 
Elasticsearch, to index it for every word inside, and to run /password 
sanity checks/ against it. If none matches was found for password given, 
we consider it OK, otherwise, it have to be changed and verified again...

--
Best regards,
Bogdan Dobrelya,
Researcher TechLead, Mirantis, Inc.
+38 (066) 051 07 53
Skype bogdando_at_yahoo.com
38, Lenina ave.
Kharkov, Ukraine
www.mirantis.com
www.mirantis.ru
bdobrelia@xxxxxxxxxxxx