
fuel-dev team mailing list archive

Re: filtering out passwords from diagnostic snapshot


Bogdan,
Is it more time-consuming than a simple grep?
Is the indexing done in real time (at network transfer speed)?


Aleksey Kasatkin

S. Software Developer | Mirantis, Inc. | http://www.mirantis.com
cell: +380938330852 | skype: alexeyk_ru


On Wed, Nov 20, 2013 at 10:46 AM, Bogdan Dobrelya <bdobrelia@xxxxxxxxxxxx> wrote:

>  On 11/20/2013 10:32 AM, Vladimir Kozhukalov wrote:
>
>  Thank you, Bogdan.
>
> Is "password sanity checks" a built-in feature in Elasticsearch? I've not
> managed to find anything about this feature. What exactly do you mean
> talking about "password sanity checks"? How can an index help if the password
> looks like "admin" or something like this?
>
> Elasticsearch provides an API
> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-search.html
> and should be queried by nailgun for "password sanity checks" as well.
> Almost the same as simple grepping could do, but much more flexible for
> big deployments.
>
>
>
>
> On Tue, Nov 19, 2013 at 3:04 PM, Bogdan Dobrelya <bdobrelia@xxxxxxxxxxxx> wrote:
>
>>   On 11/19/2013 12:18 PM, Vladimir Kozhukalov wrote:
>>
>> The issue is that when we make a diagnostic snapshot we get files as they
>> are. Those files, like /etc/astute.yaml, contain plain text passwords which
>> are strongly desirable to be filtered out from wherever they appear.
>>
>> There are two major approaches here.
>>
>> First is to use bare filtering such as sed. We have a set of passwords
>> taken from the database and we can find those pieces of plain text throughout
>> snapshot files and substitute them with something. The problem here is that
>> passwords can look like "1" or "admin", so we are forced to filter out
>> all such occurrences. To avoid this problem we need to check passwords for
>> their strength. Strong passwords like "Ainei0oh" can be found and
>> substituted, being sure that they are actual passwords and not meaningful
>> strings.
>>
>> Second, you have data about where and how passwords appear. Those data
>> are something like a set of regular expressions /(foo:\s+)(PASSWORD)(bar)$/
>> with file names. The problem here is that we need somehow to gather those
>> data and they eventually could turn out to be invalid, so we are likely to
>> skip one of the occurrences.
>>
>>  Let's have a discussion about it and make a decision.
>>
>>  --
>> Vladimir Kozhukalov
>>
>>
>> I believe we should consider all configuration files in the snapshot as
>> documents and use any document-based indexing system, e.g. Elasticsearch,
>> to index them for every word inside, and to run *password sanity checks*
>> against them. If no match was found for the given password, we consider it
>> OK; otherwise, it has to be changed and verified again...
>>
>> --
>> Best regards,
>> Bogdan Dobrelya,
>> Researcher TechLead, Mirantis, Inc.
>> +38 (066) 051 07 53
>> Skype bogdando_at_yahoo.com
>> 38, Lenina ave.
>> Kharkov, Ukraine
>> www.mirantis.com
>> www.mirantis.ru
>> bdobrelia@xxxxxxxxxxxx
>>
>>
>
>
>  --
> Vladimir Kozhukalov
>
>
>
> --
> Best regards,
> Bogdan Dobrelya,
> Researcher TechLead, Mirantis, Inc.
> +38 (066) 051 07 53
> Skype bogdando_at_yahoo.com
> 38, Lenina ave.
> Kharkov, Ukraine
> www.mirantis.com
> www.mirantis.ru
> bdobrelia@xxxxxxxxxxxx
>
>
> --
> Mailing list: https://launchpad.net/~fuel-dev
> Post to     : fuel-dev@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~fuel-dev
> More help   : https://help.launchpad.net/ListHelp
>
>
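The two approaches Vladimir lays out above (strength-gated global substitution, and context patterns that describe where passwords appear) combined into one sanitizer pass, as an added example that is not part of this thread and not Fuel or nailgun code. The astute.yaml-shaped sample, the secret values and the key-name pattern are all constructed for illustration; a real deployment would read the secrets from the nailgun database and tune the pattern to the files actually in the snapshot.

```python
import re

# Constructed sample in the shape of /etc/astute.yaml; not a real snapshot file.
SAMPLE_ASTUTE_YAML = """\
access:
  user: admin
  password: admin
mysql:
  root_password: Ainei0oh
nova:
  database_connection: mysql://nova:Ainei0oh@10.20.0.2/nova
rabbit:
  user: nova
  password: 1
keystone:
  admin_token: 8f2c1b9e4d7a6c3f
"""

# Passwords as nailgun could read them from its database (constructed values).
KNOWN_SECRETS = ["admin", "Ainei0oh", "1", "8f2c1b9e4d7a6c3f"]

MASK = "*****"

# Second approach: a context pattern. Any "key: value" line whose key name
# contains password/passwd/secret/token has its value blanked, however weak.
SECRET_KEY_RE = re.compile(
    r"^(?P<prefix>[ \t]*[\w.-]*(?:password|passwd|secret|token)[\w.-]*[ \t]*:[ \t]*)"
    r"(?P<value>\S+)(?P<suffix>[ \t]*)$",
    re.IGNORECASE | re.MULTILINE,
)


def is_strong(secret, min_len=8):
    """Precondition for the first approach: only a secret that is long enough
    and mixes character classes is safe to blank wherever it appears."""
    if len(secret) < min_len:
        return False
    classes = sum(
        bool(re.search(pattern, secret))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    return classes >= 2


def mask_by_context(text):
    """Blank the value of every password-like key; returns the values masked."""
    masked = []

    def repl(match):
        masked.append(match.group("value"))
        return match.group("prefix") + MASK + match.group("suffix")

    return SECRET_KEY_RE.sub(repl, text), masked


def mask_strong_secrets(text, secrets):
    """First approach, sed-style global substitution, restricted to strong
    secrets. Longest first so a secret that is a prefix of another secret
    cannot leave a recognisable tail behind."""
    counts = {}
    strong = sorted((s for s in secrets if is_strong(s)), key=len, reverse=True)
    for secret in strong:
        text, n = re.subn(re.escape(secret), MASK, text)
        counts[secret] = n
    return text, counts


def find_weak_leftovers(text, secrets):
    """Weak secrets still present as whole words after both passes. They may
    be usernames or other legitimate text, so they are reported, not masked."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for secret in secrets:
            if is_strong(secret):
                continue
            if re.search(r"\b" + re.escape(secret) + r"\b", line):
                hits.append((lineno, secret))
    return hits


def sanitize(text, secrets):
    """Run the context pass, then the strength-gated pass, then report."""
    text, by_context = mask_by_context(text)
    text, by_strength = mask_strong_secrets(text, secrets)
    leftovers = find_weak_leftovers(text, secrets)
    report = {"by_context": by_context, "by_strength": by_strength, "leftovers": leftovers}
    return text, report


if __name__ == "__main__":
    sanitized, report = sanitize(SAMPLE_ASTUTE_YAML, KNOWN_SECRETS)
    print(sanitized)
    print(report)
```

On the sample, the context pass blanks all four password-like keys including the weak "admin" and "1"; the strength pass is the only thing that catches "Ainei0oh" inside the database connection URL, which no key-name pattern would have matched; and "1" is never substituted globally, so the IP address 10.20.0.2 survives. What remains in the report is the one occurrence of "admin" on the `user:` line, which is exactly the case neither approach can decide on its own and where a person, or the indexed query Bogdan suggests, has to look.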
