Logging of Sensitive Data
- Query id: c6473dae-8477-4119-88b7-b909b435ce7b
- Query name: Logging of Sensitive Data
- Platform: Ansible
- Severity: Low
- Category: Best Practices
- CWE: 532
- URL: Github
Description¶
To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - cfg file
[defaults]
action_warnings=True
cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
cow_selection=default
force_color=False
nocolor=False
nocows=False
any_errors_fatal=False
become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
fact_caching=memory
fact_caching_prefix=ansible_facts
fact_caching_timeout=86400
collections_on_ansible_version_mismatch=warning
collections_path=~/.ansible/collections:/usr/share/ansible/collections
collections_scan_sys_path=True
command_warnings=False
action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
allow_unsafe_lookups=False
ask_pass=False
ask_vault_pass=False
cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
debug=False
executable=/bin/sh
filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
force_handlers=False
forks=5
gathering=implicit
gather_subset=all
lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
ansible_managed=Ansible managed
module_compression=ZIP_DEFLATED
module_name=command
library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf
Positive test num. 2 - cfg file
[defaults]
action_warnings=True
cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
cow_selection=default
force_color=False
nocolor=False
nocows=False
any_errors_fatal=False
become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
fact_caching=memory
fact_caching_prefix=ansible_facts
fact_caching_timeout=86400
collections_on_ansible_version_mismatch=warning
collections_path=~/.ansible/collections:/usr/share/ansible/collections
collections_scan_sys_path=True
command_warnings=False
action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
allow_unsafe_lookups=False
ask_pass=False
ask_vault_pass=False
cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
debug=False
executable=/bin/sh
filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
force_handlers=False
forks=5
gathering=implicit
gather_subset=all
lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
ansible_managed=Ansible managed
module_compression=ZIP_DEFLATED
module_name=command
library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf
no_log=False
Code samples without security vulnerabilities¶
Negative test num. 1 - cfg file
[defaults]
action_warnings=True
cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
cow_selection=default
force_color=False
nocolor=False
nocows=False
any_errors_fatal=False
become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
fact_caching=memory
fact_caching_prefix=ansible_facts
fact_caching_timeout=86400
collections_on_ansible_version_mismatch=warning
collections_path=~/.ansible/collections:/usr/share/ansible/collections
collections_scan_sys_path=True
command_warnings=False
action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
allow_unsafe_lookups=False
ask_pass=False
ask_vault_pass=False
cache_plugins=~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
callback_plugins=~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
cliconf_plugins=~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
connection_plugins=~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
debug=False
executable=/bin/sh
filter_plugins=~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
force_handlers=False
forks=5
gathering=implicit
gather_subset=all
lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
ansible_managed=Ansible managed
module_compression=ZIP_DEFLATED
module_name=command
library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
module_utils=~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
netconf_plugins=~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf
no_log=True