From 07bb49d3c6006663bf5249f9c2137424f263d143 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves"
Date: Fri, 18 Jul 2014 12:49:52 +0100
Subject: [PATCH 1/4] [ds] exclude paths containing directory server secrets
Signed-off-by: Bryn M. Reeves
Conflicts:
sos/plugins/ds.py
---
sos/plugins/ds.py | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/sos/plugins/ds.py b/sos/plugins/ds.py
index 49ec7e8..1fcce7b 100644
--- a/sos/plugins/ds.py
+++ b/sos/plugins/ds.py
@@ -1,4 +1,5 @@
 ## Copyright (C) 2007 Red Hat, Inc., Kent Lamb
+## Copyright (C) 2014 Red Hat, Inc., Bryn M. Reeves
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@@ -40,11 +41,25 @@ class ds(sos.plugintools.PluginBase):
 return False
 def setup(self):
+ self.add_forbidden_path("/etc/dirsrv/slapd*/pin.txt")
+ self.add_forbidden_path("/etc/dirsrv/slapd*/key3.db")
+ self.add_forbidden_path("/etc/dirsrv/slapd*/pwfile.txt")
+ self.add_forbidden_path("/etc/dirsrv/slapd*/*passw*")
+ self.add_forbidden_path("/etc/dirsrv/admin-serv/key3.db")
+ self.add_forbidden_path("/etc/dirsrv/admin-serv/admpw")
+ self.add_forbidden_path("/etc/dirsrv/admin-serv/password.conf")
 if not self.check_version():
 self.addAlert("Directory Server not found.")
 elif "ds8" in self.check_version():
- self.addCopySpec("/etc/dirsrv/slapd*")
- self.addCopySpec("/var/log/dirsrv/*")
+ self.addCopySpecs([
+ "/etc/dirsrv/slapd*/cert8.db",
+ "/etc/dirsrv/slapd*/certmap.conf",
+ "/etc/dirsrv/slapd*/dse.ldif",
+ "/etc/dirsrv/slapd*/dse.ldif.startOK",
+ "/etc/dirsrv/slapd*/secmod.db",
+ "/etc/dirsrv/slapd*/schema/*.ldif",
+ "/var/log/dirsrv/*"
+ ])
 elif "ds7" in self.check_version():
 self.addCopySpec("/opt/redhat-ds/slapd-*/config")
 self.addCopySpec("/opt/redhat-ds/slapd-*/logs")
--
1.9.3
From a4ad26f2f768660a15e86d6face3de483c8f0d8d Mon Sep 17 00:00:00 2001
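Review bot: The seven new calls use `self.add_forbidden_path(...)`, while every other call in this method (`addCopySpec`, `addCopySpecs`, `addAlert`) and the sibling ldap backport in patch 3 use the camelCase PluginBase API (`addForbiddenPath`); as this is a backport with a recorded conflict in sos/plugins/ds.py, the snake_case name is unlikely to exist on this tree's PluginBase, in which case setup() raises AttributeError on its first line and nothing is collected or forbidden. I would change the seven calls to `self.addForbiddenPath(...)`, matching the ldap plugin. A second point on the new copy list: `/etc/dirsrv/slapd*/dse.ldif` (and its `.startOK` copy) normally carries the hashed root DN password (`nsslapd-rootpw`), and this series adds no postproc for the ds plugin, so a `doRegexSub` scrub mirroring the `bindpw` one in ldap.py's postproc (visible in patch 4) is needed unless one already exists outside the hunk. setup() appears to continue past the end of this hunk.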
From: "Bryn M. Reeves"
Date: Fri, 18 Jul 2014 20:12:51 +0100
Subject: [PATCH 2/4] [ds] add 'certutil -L' collection for slapd instances
Signed-off-by: Bryn M. Reeves
---
sos/plugins/ds.py | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/sos/plugins/ds.py b/sos/plugins/ds.py
--- a/sos/plugins/ds.py
+++ b/sos/plugins/ds.py
@@ -48,6 +48,14 @@ class ds(sos.plugintools.PluginBase):
 self.add_forbidden_path("/etc/dirsrv/admin-serv/key3.db")
 self.add_forbidden_path("/etc/dirsrv/admin-serv/admpw")
 self.add_forbidden_path("/etc/dirsrv/admin-serv/password.conf")
+ try:
+ for d in os.listdir("/etc/dirsrv"):
+ if d[0:5] == 'slapd':
+ certpath = os.path.join("/etc/dirsrv", d)
+ self.collectExtOutput("certutil -L -d %s" % certpath)
+ except:
+ self.soslog.warn("could not list /etc/dirsrv")
+
 if not self.check_version():
 self.addAlert("Directory Server not found.")
 elif "ds8" in self.check_version():
--
1.9.3
From b5ec0407a8d4e5c04e23995803142d4fb4c07233 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves"
Date: Mon, 28 Jul 2014 17:24:55 +0100
Subject: [PATCH 3/4] [backport][ldap] add more forbidden paths and restrict file collection
commit 462c830fa661e308a52067fc8290b31e45be67c3
Author: Bryn M. Reeves
Date: Fri Jul 18 19:05:12 2014 +0100
[ldap] add more forbidden paths and restrict file collection
Signed-off-by: Bryn M. Reeves
---
sos/plugins/ldap.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sos/plugins/ldap.py b/sos/plugins/ldap.py
index 4a41a83..ee2b964 100644
--- a/sos/plugins/ldap.py
+++ b/sos/plugins/ldap.py
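Review bot: The bare `except:` wraps the whole loop, so it also catches a failure inside `collectExtOutput` for one instance (and KeyboardInterrupt), logs the misleading "could not list /etc/dirsrv", and abandons the remaining slapd instances. Narrow the `try` to the `os.listdir` call, catch `OSError`, and run the loop outside it; `d.startswith('slapd')` also reads better than `d[0:5] == 'slapd'`. This assumes `os` is imported at the top of ds.py, which is outside the hunk. The entry name is interpolated into a command string; if collectExtOutput hands it to a shell, quoting `certpath` would make the command robust to unusual names, though entries under /etc/dirsrv are root-owned.
```python
        try:
            instances = os.listdir("/etc/dirsrv")
        except OSError:
            self.soslog.warn("could not list /etc/dirsrv")
            instances = []
        for d in instances:
            if d.startswith('slapd'):
                certpath = os.path.join("/etc/dirsrv", d)
                self.collectExtOutput("certutil -L -d %s" % certpath)
        # … unchanged: check_version() branches …
```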
@@ -41,9 +41,16 @@ class ldap(sos.plugintools.PluginBase):
 self.addDiagnose("%s does not exist and can cause connection issues involving TLS" % ldapopts["TLS_CACERTDIR"])
 def setup(self):
+ self.addForbiddenPath("/etc/openldap/certs/password")
+ self.addForbiddenPath("/etc/openldap/certs/pwfile.txt")
+ self.addForbiddenPath("/etc/openldap/certs/pin.txt")
+ self.addForbiddenPath("/etc/openldap/certs/*passw*")
+ self.addForbiddenPath("/etc/openldap/certs/key3.db")
 self.addCopySpec("/etc/ldap.conf")
+ self.addCopySpec("/etc/openldap/ldap.conf")
+ self.addCopySpec("/etc/openldap/cert8.db")
+ self.addCopySpec("/etc/openldap/secmod.db")
 self.addCopySpec("/etc/nslcd.conf")
- self.addCopySpec("/etc/openldap")
 self.addCopySpec("/etc/pam_ldap.conf")
 def postproc(self):
--
1.9.3
From a57f933bc5c93e549f834763219f43cdd7d13c65 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves"
Date: Mon, 28 Jul 2014 17:26:10 +0100
Subject: [PATCH 4/4] [backport] [ldap] add output of 'certutil -L'
commit 9a4a594b950478c8ab375967206bd08a7baf2739
Author: Bryn M. Reeves
Date: Fri Jul 18 19:07:02 2014 +0100
[ldap] add output of 'certutil -L'
Signed-off-by: Bryn M. Reeves
---
sos/plugins/ldap.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/sos/plugins/ldap.py b/sos/plugins/ldap.py
--- a/sos/plugins/ldap.py
+++ b/sos/plugins/ldap.py
@@ -52,6 +52,7 @@ class ldap(sos.plugintools.PluginBase):
 self.addCopySpec("/etc/openldap/secmod.db")
 self.addCopySpec("/etc/nslcd.conf")
 self.addCopySpec("/etc/pam_ldap.conf")
+ self.collectExtOutput("certutil -L -d /etc/openldap")
 def postproc(self):
 self.doRegexSub("/etc/ldap.conf", r"(\s*bindpw\s*)\S+", r"\1********")
--
1.9.3
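Review bot: The forbidden paths and the copy specs disagree on where the NSS database lives: the five `addForbiddenPath` calls guard `/etc/openldap/certs/...` (key3.db and the pin/password files), while the new copy specs fetch `/etc/openldap/cert8.db` and `/etc/openldap/secmod.db` one level up, and patch 4's `certutil -L -d /etc/openldap` makes the same top-level assumption. If the database is actually under `certs/`, as the forbidden list assumes, the cert/module database copy and the certutil listing are silently empty. The diagnose code just above setup() already reads `ldapopts["TLS_CACERTDIR"]`; if that value is reachable from setup(), derive both the copy specs and the certutil directory from it, otherwise pick one directory and use it consistently in both places. A comment on the narrowed collection would also help, e.g. `# /etc/openldap is no longer copied wholesale: only client config and the public NSS cert/module DBs are collected; certs/ key material stays forbidden as a guard for any broader spec.`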