Logging of Sensitive Data
- Query id: 59029ddf-e651-412b-ae7b-ff6d403184bc
- Query name: Logging of Sensitive Data
- Platform: Ansible
- Severity: Low
- Category: Best Practices
- CWE: 532
- URL: Github
Description
Ansible echoes each task's arguments and results to the console and to any configured log file (`log_path`), so a task that handles a credential, such as the `password` argument of `ansible.builtin.user` or a loop whose items are secrets, must set `no_log: true` to have that output censored. Omitting `no_log` (it defaults to `false`) or setting it to `false` writes the secret in clear text to the playbook output and to CI job logs. Note that `no_log` only censors task output: it does not hide values shown when Ansible itself is run at debug verbosity, and it is no substitute for keeping the secret out of the playbook in the first place (for example with Ansible Vault).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
---
- name: Positive Playbook
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
        password: "{{ item }}"
      with_items:
        - wow
      no_log: false
```
Positive test num. 2 - yaml file
```yaml
---
- name: Positive Playbook
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
        password: "{{ item }}"
      with_items:
        - wow
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
---
- name: Negative playbook
  hosts: localhost
  tasks:
    - name: foo
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
        password: "{{ item }}"
      with_items:
        - wow
      no_log: true
---
- name: Negative Playbook 2
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
      with_items:
        - wow
      no_log: false
---
- name: Negative Playbook 3
  hosts: localhost
  tasks:
    - name: bar
      ansible.builtin.user:
        name: john_doe
        comment: John Doe
        uid: 1040
        group: admin
      with_items:
        - wow
```
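The following is an added example, not KICS's own implementation of this query, showing the detection logic behind the samples above: every task that passes a sensitive argument without an effective `no_log: true` is reported. Playbooks are given as already-parsed Python structures (what `yaml.safe_load` would return) so the script runs without PyYAML; the sample plays are constructed here to mirror the page's positive and negative tests, and the extra `SENSITIVE_KEYS` beyond `password`, the `block` handling and the `no_log: "yes"` case are assumptions that go beyond what the page checks.

```python
"""Added example: minimal detector for the 'Logging of Sensitive Data' pattern.
Not KICS's own code. Input is the parsed playbook (list of plays)."""

# Argument names treated as secrets. The page only checks `password`; the
# wider list is an assumption for illustration.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "private_key"}

# Task keywords that are not module names (subset of Ansible's keyword list).
TASK_KEYWORDS = {
    "name", "no_log", "when", "loop", "with_items", "register", "become",
    "become_user", "vars", "tags", "ignore_errors", "changed_when",
    "failed_when", "delegate_to", "args", "loop_control", "notify",
    "block", "rescue", "always", "environment", "until", "retries", "delay",
}


def no_log_enabled(value):
    """Ansible's boolean conversion: True, 1, 'yes', 'true', 'on', 'y', 't', '1'.
    Anything else (missing key, False, an unresolved "{{ var }}") leaves
    logging on, so it is treated as unprotected."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in {"yes", "true", "on", "y", "t", "1"}
    return False


def module_args(task):
    """Return (module_name, args_dict) for a task; (None, {}) if no module."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            args = value if isinstance(value, dict) else {}
            # Free-form modules may carry extra parameters under `args:`.
            if isinstance(task.get("args"), dict):
                args = {**args, **task["args"]}
            return key, args
    return None, {}


def iter_tasks(tasks, parent_no_log=None):
    """Yield (task, effective no_log), flattening block/rescue/always.
    A no_log set on a block is inherited by the tasks inside it."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        effective = task.get("no_log", parent_no_log)
        if any(k in task for k in ("block", "rescue", "always")):
            for section in ("block", "rescue", "always"):
                yield from iter_tasks(task.get(section), effective)
        else:
            yield task, effective


def find_unprotected_secrets(plays):
    """Return (play name, task name, module, argument) for every task that
    passes a sensitive argument without an effective no_log: true."""
    findings = []
    for play in plays:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task, no_log in iter_tasks(play.get(section)):
                module, args = module_args(task)
                if module is None:
                    continue
                for arg in args:
                    if arg.lower() in SENSITIVE_KEYS and not no_log_enabled(no_log):
                        findings.append((play.get("name"), task.get("name"), module, arg))
    return findings


def user_task(task_name, with_password, **extra):
    """Constructed task shaped like the page's ansible.builtin.user samples."""
    args = {"name": "john_doe", "comment": "John Doe", "uid": 1040, "group": "admin"}
    if with_password:
        args["password"] = "{{ item }}"
    return {"name": task_name, "ansible.builtin.user": args, "with_items": ["wow"], **extra}


# Constructed sample data mirroring the page's positive and negative tests.
SAMPLE_PLAYS = [
    {"name": "Positive Playbook", "hosts": "localhost",
     "tasks": [user_task("bar", True, no_log=False)]},
    {"name": "Positive Playbook 2", "hosts": "localhost",
     "tasks": [user_task("bar", True)]},
    {"name": "Negative playbook", "hosts": "localhost",
     "tasks": [user_task("foo", True, no_log=True)]},
    {"name": "Negative Playbook 2", "hosts": "localhost",
     "tasks": [user_task("bar", False, no_log=False)]},
    {"name": "Negative Playbook 3", "hosts": "localhost",
     "tasks": [user_task("bar", False)]},
    # Beyond the page (assumption): a block-level no_log written as the YAML
    # string "yes" still counts as true and covers the inner task.
    {"name": "Block play", "hosts": "localhost",
     "tasks": [{"name": "creds", "no_log": "yes",
                "block": [user_task("inner", True)]}]},
]

if __name__ == "__main__":
    for finding in find_unprotected_secrets(SAMPLE_PLAYS):
        print("no_log missing or false: play=%r task=%r %s.%s" % finding)
```

Only the two positive playbooks are reported; the tasks without a `password` argument and the task under a `no_log: "yes"` block are not. An unresolved template such as `no_log: "{{ expose }}"` is deliberately treated as unprotected, since the checker cannot know what it will evaluate to.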