Logging of Sensitive Data

  • Query id: 59029ddf-e651-412b-ae7b-ff6d403184bc
  • Query name: Logging of Sensitive Data
  • Platform: Ansible
  • Severity: Low
  • Category: Best Practices
  • URL: Github

Description

To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Positive Playbook
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
        password: "{{ item }}"
      with_items:
        - wow
      no_log: false
Positive test num. 2 - yaml file
---
- name: Positive Playbook
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
        password: "{{ item }}"
      with_items:
        - wow

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
- name: Negative playbook
  hosts: localhost
  tasks:
    - name: foo
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
        password: "{{ item }}"
      with_items:
        - wow
      no_log: true

---
- name: Negative Playbook 2
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
      with_items:
        - wow
      no_log: false

---
- name: Negative Playbook 3
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
      with_items:
        - wow