weixin_39572288
2020-12-01 14:15

Splunk standalone log error contains cleartext password

Trying to launch Splunk standalone in docker-compose displays the following error:

splunk_1 | fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["/opt/splunk/bin/splunk", "add", "licenses", "-auth", "admin:password"], "delta": "0:00:00.534752", "end": "2018-10-09 22:41:56.171553", "msg": "non-zero return code", "rc": 4, "start": "2018-10-09 22:41:55.636801", "stderr": "", "stderr_lines": [], "stdout": "missing PATH-TO-LICENSE-FILE argument: ./splunk add license [PATH-TO-FILE] ", "stdout_lines": ["missing PATH-TO-LICENSE-FILE argument: ./splunk add license [PATH-TO-FILE] "]}

Note that the line contains the arguments to the splunk command, including the auth statements (changed default password to 'password' here as a test).

First, I'm not sure why this part of the ansible script should even be executing if no license server or URL has been specified. Second, I don't think passwords should ever be printed in cleartext (I know it's being set via an environment variable, but those are only accessible to individuals with host access. The log output could be sent to an insecure monitoring setup, or to splunk itself).

This question comes from the open-source project: splunk/docker-splunk


5 replies

  • weixin_39964528 5 months ago

    Hi. First, executing the license task without a license URL has been fixed and the change was merged a couple of days ago. Second, it is Ansible behavior to print out the command (which contains the password in cleartext) when the task fails.

    Possible solution that comes to my mind: wrap how we run the Ansible playbook within a script so that we can capture the Ansible output before it makes it to stdout and filter those passwords. So, not run Ansible in the entrypoint. What do you guys think?

  • weixin_39883462 5 months ago

    We should probably use

     no_log: True

    for that task, and other ones that could possibly log the credentials.

  • weixin_39964528 5 months ago

    Should we apply no_log for all tasks that use the Splunk password?

  • weixin_39883462 5 months ago

    Yeah. We should probably also provide documentation on using debug flags too, so they can see the log contents when necessary.

  • weixin_39964528 5 months ago

    HIDE_PASSWORD=true as an environment variable should hide all cleartext passwords in the Ansible log.

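The two fixes discussed in the replies above (skip the license task when no license was given, and put `no_log` on every task that carries the Splunk password) can be shown in one small playbook. This is an added example written for this page, not the docker-splunk project's own playbook; the variable names `splunk_license_uri` and `hide_password`, the `HIDE_PASSWORD` toggle wired to `no_log`, and the `/opt/splunk/bin/splunk` path are assumptions used only to illustrate the pattern.

```yaml
# Added example, not docker-splunk's playbook. Run locally with e.g.:
#   SPLUNK_PASSWORD=password ansible-playbook -i localhost, -c local leak_demo.yml
#   HIDE_PASSWORD=false SPLUNK_PASSWORD=password ansible-playbook ... (full output)
- name: Splunk license task without credential leakage (illustrative)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    splunk_password: "{{ lookup('env', 'SPLUNK_PASSWORD') }}"
    # Assumed variable: empty string means "no license supplied".
    splunk_license_uri: "{{ lookup('env', 'SPLUNK_LICENSE_URI') | default('', true) }}"
    # Hypothetical toggle in the spirit of the HIDE_PASSWORD variable mentioned
    # in the thread: defaults to hiding; HIDE_PASSWORD=false exposes the full
    # task output (including the command line) for debugging.
    hide_password: "{{ lookup('env', 'HIDE_PASSWORD') | default('true', true) | bool }}"

  tasks:
    # Fix 1: do not run the task at all when no license was supplied, so the
    # "missing PATH-TO-LICENSE-FILE argument" failure cannot occur and the
    # failed-task report (with its "cmd" list) is never produced.
    - name: Add Splunk license
      command:
        argv:
          - /opt/splunk/bin/splunk
          - add
          - licenses
          - "{{ splunk_license_uri }}"
          - -auth
          - "admin:{{ splunk_password }}"
      when: splunk_license_uri | length > 0
      # Fix 2: no_log suppresses cmd, stdout and stderr of this task in the
      # console output and in callback plugins, on success and on failure alike.
      no_log: "{{ hide_password }}"
      register: license_result

    # Keep failures diagnosable while no_log is on: report only what is safe
    # to log (the exit code), never the command line that carried -auth.
    - name: Report license result (safe to log)
      debug:
        msg: "splunk add licenses exited with rc={{ license_result.rc }}"
      when: license_result is not skipped
```

Two caveats a practitioner should keep in mind: `no_log` only controls what Ansible prints, so a password passed as `-auth admin:...` on the command line is still visible to anyone on the host who can list process arguments while the command runs; and `no_log` also hides the task's output in verbose runs, which is why the thread suggests documenting a debug switch (the `hide_password` toggle above plays that role in this example).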
