Jira (PUP-6482) Puppet logging information leaks
Moses Mendoza commented on PUP-6482

Re: Puppet logging information leaks

Closing this for now as part of triage efforts, but please re-open if any issues arise that are for this epic.

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6482) Puppet logging information leaks
Moses Mendoza updated an issue

Puppet / PUP-6482 Puppet logging information leaks

Change By: Moses Mendoza
Labels: triaged
Jira (PUP-6482) Puppet logging information leaks
Adrien Thebo commented on PUP-6482

Re: Puppet logging information leaks

Brian Conner thanks for this information! This ticket is an epic to collect individual stories/tickets where Puppet might inappropriately emit debug or error messages, so the actual work for this ticket will be collected in tickets as part of this epic. I'm going to break out your comment in a separate issue to track this.

In addition we're going to be implementing part of PUP-1974 as part of PUP-6433; it'll take a while to fully plumb through sensitive data type support but we're working towards this end goal.
Jira (PUP-6482) Puppet logging information leaks
Brian Conner commented on PUP-6482

Re: Puppet logging information leaks

If an exec is run as an inline sh script with an eyaml'd password variable, the password will get logged in plaintext on the console and agent if it fails. loglevel and logoutput don't do anything in this situation, as it's the command that's being displayed, not the output of the command. It was suggested to make the command into a script and run it that way, but that presents putting the password plaintext in the script, not a viable long-term solution.

Having the exec's inline sh script executed in this manner presents another issue. The same data is present in the cached catalog on agents in /opt/puppetlabs/puppet/cache/client_data/catalog/*.json.

I imagine this issue is caught somewhere in https://tickets.puppetlabs.com/browse/PUP-1974.

Just an idea to branch off of the "sensitive" resource type mentioned in PUP-1974: Most passwords and sensitive data will be coming from an eyaml'd variable (at least, in our scenario). If there were a setting in puppet.conf that would mark all eyaml data as "sensitive", hashing or masking it in logs and cached catalogs, that might take care of the lion's share of sensitive information leaks. This would be in addition to being able "to give manifest/module authors the ability to specify resource properties (such as attributes or titles) which are sensitive".
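An audit for the cached-catalog exposure described in the comment above, as an added example that is not part of the original thread or of Puppet's own code: it checks Exec resources in a catalog JSON for known secret values and reports them redacted. It assumes the catalog keeps its resources under a top-level `resources` array (or under `data` in an older wrapped layout); the function names, the `dbtool` command and the sample secret are constructed for illustration.

```ruby
require 'json'

# Exec parameters that carry shell text and can therefore embed a secret.
EXEC_TEXT_PARAMS = %w[command onlyif unless environment].freeze

# Replace every known secret in +text+ so findings can be reported safely.
def redact(text, secrets)
  secrets.reduce(text.to_s) { |out, s| out.gsub(s, '[REDACTED]') }
end

# Return one finding per Exec field (title or shell-bearing parameter) that
# contains any of the supplied secret values in cleartext.
def find_exec_secret_leaks(catalog, secrets)
  secrets = secrets.reject(&:empty?)
  catalog = catalog['data'] if catalog['data'].is_a?(Hash) # wrapped layout (assumption)
  (catalog['resources'] || []).select { |r| r['type'] == 'Exec' }.flat_map do |res|
    params = res['parameters'] || {}
    fields = { 'title' => res['title'] }.merge(params.slice(*EXEC_TEXT_PARAMS))
    fields.map do |name, value|
      text = Array(value).join("\n")
      next unless secrets.any? { |s| text.include?(s) }
      { resource: "Exec[#{redact(res['title'], secrets)}]", field: name,
        value: redact(text, secrets) }
    end.compact
  end
end

# Scan every cached catalog on an agent; the default path is the one quoted in the comment.
def scan_cached_catalogs(secrets, glob = '/opt/puppetlabs/puppet/cache/client_data/catalog/*.json')
  Dir.glob(glob).map { |f| [f, find_exec_secret_leaks(JSON.parse(File.read(f)), secrets)] }.to_h
end

# Constructed sample catalog and secret, for illustration only.
SAMPLE_SECRET = 'Constructed-Pa55'
SAMPLE_CATALOG = JSON.parse(<<~JSON)
  {"resources": [
    {"type": "Exec", "title": "set-db-password",
     "parameters": {"command": "/bin/sh -c 'dbtool --password Constructed-Pa55'",
                    "logoutput": false}},
    {"type": "Exec", "title": "refresh-cache", "parameters": {"command": "/usr/bin/true"}},
    {"type": "File", "title": "/etc/motd", "parameters": {"content": "hello"}}
  ]}
JSON

if $PROGRAM_NAME == __FILE__
  find_exec_secret_leaks(SAMPLE_CATALOG, [SAMPLE_SECRET]).each { |f| puts f.inspect }
end
```

Supply the secret values at run time (for example from a protected file readable only by root) rather than embedding them in the script, so the audit does not become another cleartext copy.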
Jira (PUP-6482) Puppet logging information leaks
Adrien Thebo created an issue

Puppet / PUP-6482 Puppet logging information leaks

Issue Type: Epic
Assignee: Unassigned
Created: 2016/07/08 1:39 PM
Priority: Normal
Reporter: Adrien Thebo

This epic discusses the various places where Puppet may leak sensitive information when logging informational and error messages. This contrasts against PUP-6433 that deals with the high volume of sensitive information being leaked by the Transaction and ResourceHarness.