
fuel-dev team mailing list archive

Re: filtering out passwords from diagnostic snapshot

 

On 11/20/2013 10:32 AM, Vladimir Kozhukalov wrote:
Thank you, Bogdan.

Is "password sanity checks" a built-in feature in Elasticsearch? I've not managed to find anything about this feature. What exactly do you mean talking about "password sanity checks"? How can an index help if the password looks like "admin" or something like this?
Elasticsearch provides an API http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-search.html and should be queried by nailgun for "password sanity checks" as well. Almost the same as simple grepping could do, but much more flexible for big deployments.



On Tue, Nov 19, 2013 at 3:04 PM, Bogdan Dobrelya <bdobrelia@xxxxxxxxxxxx> wrote:

    On 11/19/2013 12:18 PM, Vladimir Kozhukalov wrote:
    The issue is that when we make a diagnostic snapshot we get files
    as they are. Those files, like /etc/astute.yaml, contain plain text
    passwords which are strongly desirable to be filtered out from
    wherever they appear.

    There are two major approaches here.

    First is to use bare filtering such as sed. We have a set of
    passwords taken from the database and we can find those pieces of
    plain text throughout snapshot files and substitute them with
    something. The problem here is that passwords can look like "1"
    or "admin", so we are forced to filter out all such
    occurrences. To avoid this problem we need to check passwords for
    their strength. Strong passwords like "Ainei0oh" can be found and
    substituted, being sure that they are actual passwords and not
    meaningful strings.

    Second, you have data about where and how passwords appear. Those
    data are something like a set of regular expressions
    /(foo:\s+)(PASSWORD)(bar)$/ with file names. The problem here is
    that we need somehow to gather those data, and they eventually
    could turn out to be invalid, so we are likely to skip one of the
    occurrences.

    Let's have a discussion about it and make a decision.

-- Vladimir Kozhukalov


    I believe we should consider all configuration files in the snapshot
    as documents and use any document-based indexing system, e.g.
    Elasticsearch, to index it for every word inside, and to run
    /password sanity checks/ against it. If no match was found for
    the given password, we consider it OK; otherwise, it has to be
    changed and verified again...

    -- Best regards,
    Bogdan Dobrelya,
    Researcher TechLead, Mirantis, Inc.
    +38 (066) 051 07 53
    Skype bogdando_at_yahoo.com
    38, Lenina ave.
    Kharkov, Ukraine
    www.mirantis.com
    www.mirantis.ru
    bdobrelia@xxxxxxxxxxxx




--
Vladimir Kozhukalov


--
Best regards,
Bogdan Dobrelya,
Researcher TechLead, Mirantis, Inc.
+38 (066) 051 07 53
Skype bogdando_at_yahoo.com
38, Lenina ave.
Kharkov, Ukraine
www.mirantis.com
www.mirantis.ru
bdobrelia@xxxxxxxxxxxx
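The two approaches Vladimir describes above (blanket substitution of passwords that are strong enough to be unambiguous, and location-based regexes for the weak ones) and the "search the whole snapshot for every password afterwards" check Bogdan proposes can be combined in one pass. The following is an added example written for this archive page; it is not Fuel/nailgun code. The snapshot contents, the password list, the `KNOWN_LOCATIONS` regex table, the `COMMON_WORDS` deny-list and the strength threshold (8 characters, 28 bits of estimated entropy) are all constructed assumptions for illustration.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed stand-in for files found in a diagnostic snapshot (not real Fuel data).
SNAPSHOT: Dict[str, str] = {
    "etc/astute.yaml": (
        "mysql:\n"
        "  root_password: Ainei0oh\n"
        "rabbit:\n"
        "  password: admin\n"
        "keystone:\n"
        "  admin_tenant: admin\n"
        "  admin_token: 1\n"
    ),
    "var/log/puppet.log": (
        "connecting to mysql as root with password Ainei0oh\n"
        "user admin logged in from node 1\n"
    ),
}

# Constructed list of secrets, as nailgun would hand them over from its database.
PASSWORDS = ["Ainei0oh", "admin", "1", "secret"]

# Approach 2: (file path regex, line regex) pairs in the /(foo:\s+)(PASSWORD)(bar)$/ shape
# from the thread; the literal token PASSWORD is replaced with the escaped secret at runtime.
KNOWN_LOCATIONS: List[Tuple[str, str]] = [
    (r"etc/astute\.yaml$", r"^(\s*[\w-]*password[\w-]*:\s+)(PASSWORD)(\s*)$"),
    (r"etc/astute\.yaml$", r"^(\s*admin_token:\s+)(PASSWORD)(\s*)$"),
]

# Constructed deny-list: words that are too "meaningful" to replace blindly.
COMMON_WORDS = {"admin", "password", "root", "secret", "changeme"}
REPLACEMENT = "<REDACTED>"


def entropy_bits(password: str) -> float:
    """Rough strength estimate: log2(charset size) per character, by character class."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def is_strong(password: str, min_len: int = 8, min_bits: float = 28.0) -> bool:
    """Strong enough that any occurrence in the snapshot is almost surely the password itself."""
    return (len(password) >= min_len
            and password.lower() not in COMMON_WORDS
            and entropy_bits(password) >= min_bits)


def redact_snapshot(files: Dict[str, str], passwords: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (redacted copy of files, weak passwords that matched no known location)."""
    redacted = dict(files)
    unlocated: List[str] = []
    for pw in passwords:
        if is_strong(pw):
            # Approach 1: unambiguous string, replace it wherever it appears.
            literal = re.compile(re.escape(pw))
            for path in redacted:
                redacted[path] = literal.sub(REPLACEMENT, redacted[path])
            continue
        # Approach 2: weak string ("1", "admin"), replace only at known locations.
        found = False
        for path_re, line_tmpl in KNOWN_LOCATIONS:
            line_re = re.compile(line_tmpl.replace("PASSWORD", re.escape(pw)), re.MULTILINE)
            for path in redacted:
                if not re.search(path_re, path):
                    continue
                new_text, n = line_re.subn(r"\g<1>" + REPLACEMENT + r"\g<3>", redacted[path])
                if n:
                    found = True
                    redacted[path] = new_text
        if not found:
            unlocated.append(pw)  # location table may be stale: flag for review
    return redacted, unlocated


def residual_hits(files: Dict[str, str], passwords: List[str]) -> Dict[str, List[str]]:
    """Post-redaction sanity check: whole-word search of every password over every file."""
    hits: Dict[str, List[str]] = {}
    for pw in passwords:
        word = re.compile(r"(?<!\w)" + re.escape(pw) + r"(?!\w)")
        paths = [p for p, text in files.items() if word.search(text)]
        if paths:
            hits[pw] = paths
    return hits


if __name__ == "__main__":
    clean, unlocated = redact_snapshot(SNAPSHOT, PASSWORDS)
    for path, text in clean.items():
        print(f"--- {path}\n{text}")
    print("weak passwords with no known location:", unlocated)
    print("remaining whole-word hits (manual review):", residual_hits(clean, PASSWORDS))
```

The residual hits for "admin" and "1" are exactly the ambiguity Vladimir raises: after redaction they still occur as a tenant name and a node number, so a search index (or a grep) can only surface them for a human to judge, not decide by itself. The `unlocated` list is the other failure mode from the thread, a weak password whose regex/location data is missing or stale.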

