Algo: Ansible logs sensitive information

Created on 15 Oct 2019 · 6 comments · Source: trailofbits/algo

Running Algo on Ubuntu leaves sensitive information in the system logs, including complete WireGuard configs and the IPsec CA password. Log messages like those below appear in /var/log/syslog and journalctl, where they can be read by root or anyone in the adm group.

I've found ansible-command log entries on my Ubuntu 18.04 system as far back as 2018-05-06, so this is not new; I just never noticed it before. These examples are from Ubuntu 19.10.

Oct 14 08:01:05 eoan ansible-command[5813]: Invoked with chdir=configs/68.183.56.58/wireguard/ executable=bash _raw_params=umask 077; which segno && segno --scale=5 --output=phone.png  "[Interface]
                                            PrivateKey = OFSh2JXN9EKP8TP3ysoLapv9fkdb78Og7tw1dS/FS38=
                                            Address = 10.19.49.2/24 ,fd9d:bc11:4021::2/48
                                            DNS =  172.19.208.207, fd00::3:d0cf

                                            [Peer]
                                            PublicKey = dv1og4yn7XoIIrOGIY0iWXlTnO1YxpEEibTXVWyf5BI=
                                            PresharedKey = gk+jBYmyYEMtwCfK1kMJ/8x1yli9t6P+B1/bL6BV37Q=
                                            AllowedIPs = 0.0.0.0/0,::/0
                                            Endpoint = 68.183.56.58:51820
                                            " || true
                                             _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None creates=None removes=None stdin=None
Oct 14 08:06:17 eoan ansible-command[6849]: Invoked with chdir=configs/68.183.56.58/ipsec//.pki/ creates=certs/68.183.56.58_crt_generated executable=bash _raw_params=umask 077; openssl req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=IP:68.183.56.58,IP:2604:a880:800:c1::25e:e001")) -keyout private/68.183.56.58.key -out reqs/68.183.56.58.req -nodes -passin pass:"Kjyz5VKGHrjRbK_P" -subj "/CN=68.183.56.58" -batch && openssl ca -utf8 -in reqs/68.183.56.58.req -out certs/68.183.56.58.crt -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=IP:68.183.56.58,IP:2604:a880:800:c1::25e:e001")) -days 3650 -batch -passin pass:"Kjyz5VKGHrjRbK_P" -subj "/CN=68.183.56.58" && touch certs/68.183.56.58_crt_generated
                                             _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None removes=None stdin=None
Label: bug

All 6 comments

How are you finding these messages? journalctl -u ansible-command?

I ran journalctl | less and searched for the messages with /ansible-command, though it's not necessary to pipe to a pager since journalctl will do that by default (it may not wrap the output by default, though).

Ok, journalctl|grep "ansible-command" run on my Algo server also gives me the CA password and the complete WireGuard configs. It was a local server, so the "control machine" and "managed machines" are the same.

Is this necessarily a problem? I always thought that if someone can SSH into your Algo server, you're already totally screwed.

The logging is done on the system where you run Algo, which might be a shared system. Since a lot of work was recently done to avoid writing the intermediate PKI files to disk, I thought this issue was worth pointing out.

Perhaps this old serverfault issue, which has been recently updated, might be helpful in correcting this, although each solution gets progressively farther and farther beyond my understanding.

OK, as a workaround we should add no_log: true to all sensitive tasks
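The two log entries in the issue body come from Ansible's command/shell module, which writes an "Invoked with ..." line to the target's syslog (with every module argument, including _raw_params) each time it runs. The following is an added example, not Algo's own playbook, showing what the workaround proposed in the last comment looks like: the same two shell tasks in their leaky form and with no_log: true. Task names, the chdir paths and the variables wg_client_config, client_config_dir, ca_password and san_ip are placeholders that stand in for whatever Algo actually uses.

```yaml
# Added example, not code from the Algo repository. All names below are assumptions.

# BEFORE: with no no_log, the target host logs the full command line, i.e. the
# complete WireGuard client config (PrivateKey, PresharedKey, ...), to syslog/journald
# as "ansible-command[PID]: Invoked with chdir=... _raw_params=umask 077; ...".
- name: Render WireGuard client QR code (leaks the whole config to the target's syslog)
  shell: |
    umask 077; which segno && segno --scale=5 --output=phone.png "{{ wg_client_config }}" || true
  args:
    chdir: "{{ client_config_dir }}/wireguard/"

# BEFORE: same problem for the CA step; the -passin value lands in the journal in clear.
- name: Issue server certificate (leaks the CA password to the target's syslog)
  shell: |
    umask 077; openssl req -utf8 -new -newkey ec:ecparams/secp384r1.pem \
      -keyout private/{{ san_ip }}.key -out reqs/{{ san_ip }}.req -nodes \
      -passin pass:"{{ ca_password }}" -subj "/CN={{ san_ip }}" -batch && \
    openssl ca -utf8 -in reqs/{{ san_ip }}.req -out certs/{{ san_ip }}.crt \
      -days 3650 -batch -passin pass:"{{ ca_password }}" -subj "/CN={{ san_ip }}" && \
    touch certs/{{ san_ip }}_crt_generated
  args:
    chdir: "{{ client_config_dir }}/ipsec/.pki/"
    creates: "certs/{{ san_ip }}_crt_generated"

# AFTER: no_log: true is passed to the module as _ansible_no_log, so AnsibleModule
# skips its "Invoked with" syslog call on the target; the controller also censors the
# task's arguments and result in its own output and log file.
- name: Render WireGuard client QR code
  shell: |
    umask 077; which segno && segno --scale=5 --output=phone.png "{{ wg_client_config }}" || true
  args:
    chdir: "{{ client_config_dir }}/wireguard/"
  no_log: true

- name: Issue server certificate
  shell: |
    umask 077; openssl req -utf8 -new -newkey ec:ecparams/secp384r1.pem \
      -keyout private/{{ san_ip }}.key -out reqs/{{ san_ip }}.req -nodes \
      -passin pass:"{{ ca_password }}" -subj "/CN={{ san_ip }}" -batch && \
    openssl ca -utf8 -in reqs/{{ san_ip }}.req -out certs/{{ san_ip }}.crt \
      -days 3650 -batch -passin pass:"{{ ca_password }}" -subj "/CN={{ san_ip }}" && \
    touch certs/{{ san_ip }}_crt_generated
  args:
    chdir: "{{ client_config_dir }}/ipsec/.pki/"
    creates: "certs/{{ san_ip }}_crt_generated"
  no_log: true
```

Two caveats worth knowing before applying this across a playbook. First, no_log: true also hides the module's stdout/stderr and error details when the task fails, so the usual practice is to register the result and print a redacted summary rather than temporarily removing no_log on a shared machine. Second, Ansible 2.10 and later also have a global switch, no_target_syslog = True under [defaults] in ansible.cfg (or ANSIBLE_NO_TARGET_SYSLOG=1), which turns off the target-side "Invoked with" logging for every task; it does not replace no_log, because the controller's own output and log_path would still carry the secrets. Verifying the fix is the same check the thread already uses: after a run, journalctl | grep ansible-command on the target should no longer show PrivateKey, PresharedKey or pass: values.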
