Bogdan,

Is it more time-consuming than simple grep? Is the indexing done in real-time (at network transfer speed)?

Aleksey Kasatkin S. Software Developer | Mirantis, Inc. | http://www.mirantis.com
cell: +380938330852 | skype: alexeyk_ru

On Wed, Nov 20, 2013 at 10:46 AM, Bogdan Dobrelya <[email protected]> wrote:

> On 11/20/2013 10:32 AM, Vladimir Kozhukalov wrote:
>
> Thank you, Bogdan.
>
> Is "password sanity checks" a built-in feature in Elasticsearch? I've not
> managed to find anything about this feature. What exactly do you mean
> talking about "password sanity checks"? How can index help if the password
> looks like "admin" or something like this?
>
> Elasticsearch provides an API
> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-search.html and
> should be queried by nailgun for "password sanity checks" as well.
> Almost the same as simple grepping could do, but much more flexible for
> big deployments.
>
> On Tue, Nov 19, 2013 at 3:04 PM, Bogdan Dobrelya <[email protected]> wrote:
>
>> On 11/19/2013 12:18 PM, Vladimir Kozhukalov wrote:
>>
>> The issue is that when we make diagnostic snapshot we get files as they
>> are. Those files like /etc/astute.yaml contain plain text passwords which
>> are strongly desirable to be filtered out from wherever they appear.
>>
>> There are two major approaches here.
>>
>> First is to use bare filtering such as sed. We have set of passwords
>> taken from database and we can find those pieces of plain text throughout
>> snapshot files and substitute them with something. The problem here is that
>> passwords can look like "1" or "admin", so we are forced to filter out
>> all such occurrences. To avoid this problem we need to check passwords for
>> their strength. Strong passwords like "Ainei0oh" can be found and
>> substituted being sure that they are actual passwords and not meaningful
>> strings.
>>
>> Second, you have data about where and how passwords appear. Those data
>> are something like set of regular expressions /(foo:\s+)(PASSWORD)(bar)$/
>> with file names. The problem here is that we need somehow to gather those
>> data and they eventually could turn out to be invalid so we are likely to
>> skip one of the occurrences.
>>
>> Let's have a discussion about it and make a decision.
>>
>> --
>> Vladimir Kozhukalov
>>
>> I believe we should consider all configuration files in snapshot as
>> documents and use any document based indexing systems, f.e. Elasticsearch,
>> to index it for every word inside, and to run *password sanity
>> checks* against it. If no matches were found for password given, we consider
>> it OK, otherwise, it has to be changed and verified again...
>>
>> --
>> Best regards,
>> Bogdan Dobrelya,
>> Researcher TechLead, Mirantis, Inc.
>> +38 (066) 051 07 53
>> Skype bogdando_at_yahoo.com
>> 38, Lenina ave.
>> Kharkov, [email protected]
>
> --
> Vladimir Kozhukalov
>
> --
> Best regards,
> Bogdan Dobrelya,
> Researcher TechLead, Mirantis, Inc.
> +38 (066) 051 07 53
> Skype bogdando_at_yahoo.com
> 38, Lenina ave.
> Kharkov, [email protected]
>
> --
> Mailing list: https://launchpad.net/~fuel-dev
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~fuel-dev
> More help   : https://help.launchpad.net/ListHelp
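An added example, not part of the original thread and not Fuel or nailgun code: a sketch of the first approach discussed above, masking known passwords throughout snapshot files only when they are strong enough to be unambiguous, and returning the weak ones ("1", "admin") so they can be changed and the snapshot re-checked. The strength rule, the function names, the second file path and all sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed sample input: file contents and stored passwords are made up.
SAMPLE_FILES = {
    "/etc/astute.yaml": "admin_user: admin\nmysql:\n  root_password: Ainei0oh\nreplicas: 1\n",
    "/var/log/puppet.log": "exec mysql -uroot -pAinei0oh\n",
}
SAMPLE_PASSWORDS = ["Ainei0oh", "admin", "1"]

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def is_strong(password, min_len=8):
    """Assumed rule (not from the thread): >= 8 chars, >= 3 character classes."""
    kinds = sum(1 for c in _CLASSES if re.search(c, password))
    return len(password) >= min_len and kinds >= 3

def redact_snapshot(files, passwords, mask="******"):
    """Mask strong passwords everywhere; return weak ones for rotation.

    Returns (redacted_files, weak_passwords, hits_per_file).
    """
    unique = set(passwords)
    weak = sorted(p for p in unique if not is_strong(p))
    # Longest first so a password containing another one is masked whole.
    strong = sorted((p for p in unique if is_strong(p)), key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(p) for p in strong)) if strong else None
    redacted, hits = {}, {}
    for path, text in files.items():
        if pattern is None:
            redacted[path] = text
            continue
        redacted[path], count = pattern.subn(mask, text)
        if count:
            hits[path] = count
    return redacted, weak, hits

if __name__ == "__main__":
    redacted, weak, hits = redact_snapshot(SAMPLE_FILES, SAMPLE_PASSWORDS)
    for path, text in redacted.items():
        print(f"--- {path} ({hits.get(path, 0)} masked)\n{text}", end="")
    print("weak, rotate before sharing the snapshot:", weak)
```

Weak passwords are deliberately left unmasked, because replacing every "1" or "admin" would corrupt the snapshot; a snapshot is only safe to share once the returned weak list is empty.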

