[Bug 2101134] Re: [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

Mon, 09 Jun 2025 06:23:55 -0700 

Oracular Verification
=====================

I've verified this by deploying OpenStack Dalmation on Oracular via juju
and running sos report on the various machines

## Check ceph obfuscation

ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh ceph-
rgw/0

# Before enabling proposed
ubuntu@juju-f7b966-verif-testing-4:~$ sudo sos report
ubuntu@juju-f7b966-verif-testing-4:~$ tar -xf 
/tmp/sosreport-juju-f7b966-verif-testing-4-2025-06-08-nmayyeg.tar.xz
ubuntu@juju-f7b966-verif-testing-4:~$ cat 
sosreport-juju-f7b966-verif-testing-4-2025-06-08-nmayyeg/etc/ceph/ceph.conf
Observed that password (rgw keystone admin password) is present in plaintext

# After enabling proposed
# modified /etc/apt/sources.list.d/ubuntu.sources to contain:
Types: deb
URIs: http://availability-zone-2.clouds.archive.ubuntu.com/ubuntu/
Suites: oracular-proposed
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

ubuntu@juju-f7b966-verif-testing-4:~$ sudo apt update && sudo apt upgrade -y
ubuntu@juju-f7b966-verif-testing-4:~$ sudo sos report
ubuntu@juju-f7b966-verif-testing-4:~$ tar -xf 
/tmp/sosreport-juju-f7b966-verif-testing-4-2025-06-08-bospzvs.tar.xz
ubuntu@juju-f7b966-verif-testing-4:~$ cat 
sosreport-juju-f7b966-verif-testing-4-2025-06-08-bospzvs/etc/ceph/ceph.conf
[global]
... File contents ...
rgw keystone admin user = s3_swift
rgw keystone admin password = *********
rgw keystone api version = 3
rgw keystone admin domain = service_domain
... Continued file contents

Note that rgw keystone admin password is successfully obfuscated

# Check for existence of auth.log, syslog, kern.log, and ubuntu-
advantage.log

ubuntu@juju-f7b966-verif-testing-4:~$ ls -alh 
sosreport-juju-f7b966-verif-testing-4-2025-06-08-bospzvs/var/log/
# Note that I truncated the listing to just those of concern for brevity
total 1.9M
-rw-r----- 1 syslog adm   49K Jun  8 19:57 auth.log
-rw-r----- 1 syslog adm   70K Jun  8 00:25 auth.log.1
-rw-r----- 1 root   adm   50K Jun  8 19:51 dmesg
-rw-r----- 1 syslog adm   75K Jun  8 19:58 kern.log
-rw-r----- 1 syslog adm   78K Jun  7 21:27 kern.log.1
-rw-r----- 1 syslog adm  305K Jun  8 19:58 syslog
-rw-r----- 1 syslog adm  476K Jun  8 00:29 syslog.1
-rw-r----- 1 root   root 4.0K Jun  8 19:58 ubuntu-advantage.log

## Check Horizon obfuscation

ubuntu@stg-reproducer-bryanfraschetti-project-bastion:~$ juju ssh
openstack-dashboard/0

# Before enabling proposed
ubuntu@juju-f7b966-verif-testing-14:~$ sudo sos report
ubuntu@juju-f7b966-verif-testing-14:~$ tar -xf 
/tmp/sosreport-juju-f7b966-verif-testing-14-2025-06-08-thmzzfa.tar.xz
ubuntu@juju-f7b966-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" 
sosreport-juju-f7b966-verif-testing-14-2025-06-08-thmzzfa/etc/openstack-dashboard/local_settings.py
Observed that SECRET_KEY, PASSWORD, and EMAIL_HOST_PASSWORD are not obfuscated

# After enabling proposed
# modified /etc/apt/sources.list.d/ubuntu.sources to contain:
Types: deb
URIs: http://availability-zone-1.clouds.archive.ubuntu.com/ubuntu/
Suites: oracular-proposed
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

ubuntu@juju-f7b966-verif-testing-14:~$ sudo apt update && sudo apt upgrade -y
ubuntu@juju-f7b966-verif-testing-14:~$ sudo sos report
ubuntu@juju-f7b966-verif-testing-14:~$ tar -xf 
/tmp/sosreport-juju-f7b966-verif-testing-14-2025-06-08-anfuvdh.tar.xz
ubuntu@juju-f7b966-verif-testing-14:~$ egrep "PASSWORD|SECRET_KEY" 
sosreport-juju-f7b966-verif-testing-14-2025-06-08-anfuvdh/etc/openstack-dashboard/local_settings.py
SECRET_KEY = *********
        'PASSWORD': *********
EMAIL_HOST_PASSWORD = *********

Note that all are now successfully obfuscated

# Check for auth.log, syslog, kern.log, and ubuntu-advantage.log

ubuntu@juju-f7b966-verif-testing-14:~$ ls -alh 
sosreport-juju-f7b966-verif-testing-14-2025-06-08-anfuvdh/var/log/
# Note that I truncated the listing to just those of concern for brevity
total 2.1M
-rw-r----- 1 syslog adm   53K Jun  8 20:05 auth.log
-rw-r----- 1 syslog adm   70K Jun  8 00:05 auth.log.1
-rw-r----- 1 root   adm   50K Jun  8 19:51 dmesg
-rw-r----- 1 syslog adm   75K Jun  8 20:05 kern.log
-rw-r----- 1 syslog adm   79K Jun  7 21:32 kern.log.1
-rw-r----- 1 syslog adm  323K Jun  8 20:05 syslog
-rw-r----- 1 syslog adm  512K Jun  8 00:05 syslog.1
-rw-r----- 1 root   root 4.0K Jun  8 20:05 ubuntu-advantage.log


** Tags removed: verification-needed verification-needed-oracular
** Tags added: verification-done verification-done-oracular

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2101134

Title:
  [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-pro/+bug/2101134/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to