diff --git a/SOURCES/sos-RHEL-13701-aap-passwords.patch b/SOURCES/sos-RHEL-13701-aap-passwords.patch
new file mode 100644
index 0000000..7d3caa0
--- /dev/null
+++ b/SOURCES/sos-RHEL-13701-aap-passwords.patch
@@ -0,0 +1,98 @@
+From c6ab24eb8e2bf02c75d0ffa8447032543eb4ea43 Mon Sep 17 00:00:00 2001
+From: "Dr. Jason Breitweg"
+Date: Tue, 10 Oct 2023 09:50:29 +0200
+Subject: [PATCH] Fix dynaconf obfuscation and add AUTH_LDAP_BIND_PASSWORD
+
+Signed-off-by: Dr. Jason Breitweg
+
+Fixed style issues
+Signed-off-by: Jason Breitweg jbreitwe@redhat.com
+
+Signed-off-by: Dr. Jason Breitweg
+
+Fixed yet more linting errors
+Signed-off-by: Jason Breitweg jbreitwe@redhat.com
+
+Signed-off-by: Dr. Jason Breitweg
+---
+ sos/report/plugins/pulp.py | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sos/report/plugins/pulp.py b/sos/report/plugins/pulp.py
+index df007168a..f5c762f48 100644
+--- a/sos/report/plugins/pulp.py
++++ b/sos/report/plugins/pulp.py
+@@ -170,10 +170,13 @@ def postproc(self):
+ repl = r"\1********"
+ self.do_path_regex_sub("/etc/pulp(.*)(.json$)", jreg, repl)
+
+- # obfuscate SECRET_KEY = .. and 'PASSWORD': .. in dynaconf list output
+- # and also in settings.py
++ # obfuscate SECRET_KEY = .., 'PASSWORD': ..,
++ # and AUTH_LDAP_BIND_PASSWORD = ..
++ # in dynaconf list output and also in settings.py
+ # count with option that PASSWORD is with(out) quotes or in capitals
+- key_pass_re = r"(SECRET_KEY\s*=|(password|PASSWORD)(\"|'|:)+)\s*(\S*)"
++ key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
++ r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
++ r"(\"|'|:)+)\s*(\S*)"
+ repl = r"\1 ********"
+ self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
+ self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
+From 866abe6119e846e243d586b1e353a6585ed83899 Mon Sep 17 00:00:00 2001
+From: Pavel Moravec
+Date: Wed, 18 Oct 2023 13:38:29 +0200
+Subject: [PATCH] [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value
+
+Likewise in #3379, scrub the password also in pulpcore plugin.
+
+Resolves: #3389
+
+Signed-off-by: Pavel Moravec
+---
+ sos/report/plugins/pulpcore.py | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py
+index 04efae9f8..649626ada 100644
+--- a/sos/report/plugins/pulpcore.py
++++ b/sos/report/plugins/pulpcore.py
+@@ -144,29 +144,18 @@ def build_query_cmd(self, query, csv=False):
+ return _dbcmd % (self.dbhost, self.dbport, self.dbname, quote(query))
+
+ def postproc(self):
+- # TODO obfuscate from /etc/pulp/settings.py :
++ # obfuscate from /etc/pulp/settings.py and "dynaconf list":
+ # SECRET_KEY = "eKfeDkTnvss7p5WFqYdGPWxXfHnsbDBx"
+ # 'PASSWORD': 'tGrag2DmtLqKLTWTQ6U68f6MAhbqZVQj',
++ # AUTH_LDAP_BIND_PASSWORD = 'ouch-a-secret'
+ # the PASSWORD can be also in an one-liner list, so detect its value
+ # in non-greedy manner till first ',' or '}'
+- self.do_path_regex_sub(
+- "/etc/pulp/settings.py",
+- r"(SECRET_KEY\s*=\s*)(.*)",
+- r"\1********")
+- self.do_path_regex_sub(
+- "/etc/pulp/settings.py",
+- r"(PASSWORD\S*\s*:\s*)(.*?)(,|\})",
+- r"\1********\3")
+- # apply the same for "dynaconf list" output that prints settings.py
+- # in a pythonic format
+- self.do_cmd_output_sub(
+- "dynaconf list",
+- r"(SECRET_KEY\s*)'(.*)'",
+- r"\1********")
+- self.do_cmd_output_sub(
+- "dynaconf list",
+- r"(PASSWORD\S*\s*:\s*)(.*)",
+- r"\1********")
++ key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
++ r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
++ r"(\"|'|:)+)\s*(\S*)"
++ repl = r"\1 ********"
++ self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
++ self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
+
+
+ # vim: set et ts=4 sw=4 :
+
diff --git a/SOURCES/sos-SUPDEV148-microshift-greenboot.patch b/SOURCES/sos-SUPDEV148-microshift-greenboot.patch
new file mode 100644
index 0000000..9a91ff4
--- /dev/null
+++ b/SOURCES/sos-SUPDEV148-microshift-greenboot.patch
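Review bot: The value group `(\S*)` at the end of `key_pass_re` (pulp.py, and the identical copy in pulpcore.py) stops at the first whitespace, so a secret that contains a space is only partly masked; in pulpcore this narrows the removed patterns, which masked with `(.*)`. The optional tag match `(?:\<.+\>)?` is greedy, so on a line that carries the tag a value containing `>` is pulled into `\1` and written back unmasked; `(?:\<[^>]+\>)?` keeps the match inside the brackets. A key written with a space before the colon, as in `'PASSWORD' : 'x'`, leaves the value in place because `(\S*)` then consumes only the `:`, a case the removed `PASSWORD\S*\s*:\s*` pattern covered. The kept pulpcore comment about detecting the value "till first ',' or '}'" no longer matches the new pattern and should be reworded. pulp.py's `postproc` begins outside its hunk.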
@@ -0,0 +1,108 @@ +From 6526985ea2464944c5cf4cd87c2d981a77363077 Mon Sep 17 00:00:00 2001 +From: Pablo Acevedo Montserrat +Date: Tue, 12 Sep 2023 10:24:38 +0200 +Subject: [PATCH] [microshift] Add microshift-etcd.scope service + +Signed-off-by: Pablo Acevedo Montserrat +--- + sos/report/plugins/microshift.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sos/report/plugins/microshift.py b/sos/report/plugins/microshift.py +index 1b932d648..2cfafef04 100644 +--- a/sos/report/plugins/microshift.py ++++ b/sos/report/plugins/microshift.py +@@ -28,7 +28,7 @@ class Microshift(Plugin, RedHatPlugin): + plugin_timeout = 900 + packages = ('microshift', 'microshift-selinux', 'microshift-networking', + 'microshift-greenboot') +- services = (plugin_name, 'greenboot-healthcheck', ++ services = (plugin_name, 'microshift-etcd.scope', 'greenboot-healthcheck', + 'greenboot-task-runner', 'redboot-task-runner') + profiles = (plugin_name,) + localhost_kubeconfig = '/var/lib/microshift/resources/kubeadmin/kubeconfig' +From 765ac8f3cc8e8413278afbf2579eaac7c0419f72 Mon Sep 17 00:00:00 2001 +From: Evgeny Slutsky +Date: Thu, 7 Sep 2023 10:54:12 +0300 +Subject: [PATCH] [greenboot] seperate logs to a standalone plugin. + +Signed-off-by: Evgeny Slutsky +--- + sos/report/plugins/greenboot.py | 26 ++++++++++++++++++++++++++ + sos/report/plugins/microshift.py | 6 ++---- + 2 files changed, 28 insertions(+), 4 deletions(-) + create mode 100644 sos/report/plugins/greenboot.py + +diff --git a/sos/report/plugins/greenboot.py b/sos/report/plugins/greenboot.py +new file mode 100644 +index 000000000..69b6607b0 +--- /dev/null ++++ b/sos/report/plugins/greenboot.py +@@ -0,0 +1,26 @@ ++# Copyright 2023 Red Hat, Inc. 
Evgeny Slutsky ++# This file is part of the sos project: https://github.com/sosreport/sos ++# ++# This copyrighted material is made available to anyone wishing to use, ++# modify, copy, or redistribute it subject to the terms and conditions of ++# version 2 of the GNU General Public License. ++# ++# See the LICENSE file in the source distribution for further information. ++ ++from sos.report.plugins import Plugin, RedHatPlugin ++ ++ ++class Greenboot(Plugin, RedHatPlugin): ++ """The greenboot plugin collects systemd service logs and configuration. ++ """ ++ ++ short_desc = 'Greenboot' ++ plugin_name = 'greenboot' ++ services = (plugin_name, 'greenboot-healthcheck', ++ 'greenboot-task-runner', 'redboot-task-runner',) ++ profiles = ('system',) ++ ++ def setup(self): ++ self.add_copy_spec([ ++ "/etc/greenboot/greenboot.conf", ++ ]) +diff --git a/sos/report/plugins/microshift.py b/sos/report/plugins/microshift.py +index 2cfafef04..669f4c021 100644 +--- a/sos/report/plugins/microshift.py ++++ b/sos/report/plugins/microshift.py +@@ -26,10 +26,8 @@ class Microshift(Plugin, RedHatPlugin): + short_desc = 'Microshift' + plugin_name = 'microshift' + plugin_timeout = 900 +- packages = ('microshift', 'microshift-selinux', 'microshift-networking', +- 'microshift-greenboot') +- services = (plugin_name, 'microshift-etcd.scope', 'greenboot-healthcheck', +- 'greenboot-task-runner', 'redboot-task-runner') ++ packages = ('microshift', 'microshift-selinux', 'microshift-networking',) ++ services = (plugin_name, 'microshift-etcd.scope',) + profiles = (plugin_name,) + localhost_kubeconfig = '/var/lib/microshift/resources/kubeadmin/kubeconfig' + +From 0b72a1f07a5f46e22cb926d129bd8eb63ba20a9a Mon Sep 17 00:00:00 2001 +From: Pablo Acevedo Montserrat +Date: Tue, 19 Sep 2023 12:18:42 +0200 +Subject: [PATCH] [microshift] Add /etc/microshift file copy spec + +Signed-off-by: Pablo Acevedo Montserrat +--- + sos/report/plugins/microshift.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git 
a/sos/report/plugins/microshift.py b/sos/report/plugins/microshift.py +index 669f4c021..8fe39ab29 100644 +--- a/sos/report/plugins/microshift.py ++++ b/sos/report/plugins/microshift.py +@@ -146,6 +146,9 @@ def setup(self): + Output format for this function is based on `oc adm inspect` command, + which is used to retrieve all API resources from the cluster. + """ ++ ++ self.add_copy_spec('/etc/microshift') ++ + if self.path_exists('/var/lib/microshift-backups'): + self.add_copy_spec(['/var/lib/microshift-backups/*/version', + '/var/lib/microshift-backups/*.json']) diff --git a/SPECS/sos.spec b/SPECS/sos.spec index eb47e3d..e547a5a 100644 --- a/SPECS/sos.spec +++ b/SPECS/sos.spec @@ -5,7 +5,7 @@ Summary: A set of tools to gather troubleshooting information from a system Name: sos Version: 4.6.0 -Release: 2%{?dist}.inferit +Release: 5%{?dist}.inferit Group: Applications/System Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz Source1: sos-audit-%{auditversion}.tgz @@ -23,6 +23,9 @@ Recommends: python3-pyyaml Conflicts: vdsm < 4.40 Obsoletes: sos-collector <= 1.9 Patch1: sos-SUPDEV145-ovnkube-logs.patch +Patch2: sos-SUPDEV148-microshift-greenboot.patch +Patch3: sos-RHEL-13701-aap-passwords.patch + # MSVSphere patches Patch1001: 0001-Add-MSVSphere-policy-implementation.patch @@ -36,6 +39,8 @@ support technicians and developers. %setup -qn %{name}-%{version} %setup -T -D -a1 -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch1001 -p1 %build 
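Review bot: `self.add_copy_spec('/etc/microshift')` in microshift.py's `setup` collects the whole directory unconditionally, and nothing visible in this patch masks or excludes anything beneath it. If that directory can hold credentials, tokens or key material alongside the configuration (not determinable from the hunk), the report will carry them verbatim. Narrowing the spec to the known configuration files, or pairing it with `self.add_forbidden_path(...)` or a `postproc` substitution, would keep the collection bounded. A comment such as `# collect MicroShift configuration; confirm no secrets live under this path` would record the intent. `setup` continues past the end of the hunk, so handling further down may already cover this.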
@@ -109,6 +114,18 @@ of the system. Currently storage and filesystem commands are audited. %changelog +* Wed Oct 18 2023 Pavel Moravec = 4.6.0-5.inferit + [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value + Resolves: RHEL-13701 + +* Tue Oct 17 2023 Pavel Moravec = 4.6.0-4 +- [pulp] Fix dynaconf obfuscation and add AUTH_LDAP_BIND_PASSWORD + Resolves: RHEL-13701 + +* Thu Oct 12 2023 Pavel Moravec = 4.6.0-3 +- [greenboot] seperate logs to a standalone plugin; enhance [microshift] + Resolves: SUPDEV148 + * Wed Sep 13 2023 Arkady L. Shane - 4.6.0-2.inferit - Change urls from msvsphere.ru to msvsphere-os.ru