quarkslab / irma

IRMA is an asynchronous & customizable analysis system for suspicious files.
https://irma.quarkslab.com
Apache License 2.0
268 stars 55 forks

Instance of hardcoded secret #60

Closed rayhanur-rahman closed 5 years ago

rayhanur-rahman commented 5 years ago

Greetings,

I am a security researcher, who is looking for security smells in Ansible scripts. I found instances where usernames and passwords are specified within an Ansible script. According to the Common Weakness Enumeration organization this is a security weakness (CWE-798: Hard-coded credentials https://cwe.mitre.org/data/definitions/798.html).

I am trying to find out if you agree with the findings and the reasons the usernames and passwords were introduced. Any feedback is appreciated.

Source: https://github.com/quarkslab/irma/blob/master/ansible/playbooks/group_vars/all.yml

ch0k0bn commented 5 years ago

These are default values that should be overloaded by user environment and given as an example. I agree that it could be in an ansible vault or something dedicated to secret storage.
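The check the reporter describes, and the vault indirection the maintainer suggests, can both be shown on a small Ansible vars file. The following is an added example written for this thread, not code from the IRMA project: the `SAMPLE_GROUP_VARS` text is a constructed stand-in (the real `group_vars/all.yml` contents are not reproduced here), and the key names, the `vault_<key>` naming convention and the helper function names are assumptions chosen for illustration. It flags top-level keys that look like credentials and hold a plain literal, while treating `!vault` inline values and `{{ ... }}` templated values (a vault variable or an `env` lookup) as acceptable indirections, and it never echoes the secret itself in its report.

```python
"""Flag hard-coded credentials (CWE-798) in an Ansible group_vars file.

Added example for the issue above; not part of IRMA. Standard library only.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample vars file. Keys and values are illustrative only and
# are NOT the contents of the project's real group_vars/all.yml.
SAMPLE_GROUP_VARS = """\
---
irma_db_user: irma
irma_db_password: irma
rabbitmq_admin_password: changeme
api_token: "{{ lookup('env', 'IRMA_API_TOKEN') }}"
ftp_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6638643965323633646262656665306333616466396630323136393465356136
unrelated_setting: 42
"""

# Key names whose value is expected to be a secret (assumed heuristic list).
CREDENTIAL_KEY = re.compile(r"(passw(or)?d|secret|token|api_key|private_key)", re.I)
# Top-level "key: value" entries of a YAML mapping (column 0, no nesting).
TOP_LEVEL_ENTRY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


@dataclass
class Finding:
    line: int
    key: str
    value_preview: str  # masked, so a report never leaks the secret


def is_literal_secret(value: str) -> bool:
    """True when the value is a plain literal rather than an indirection."""
    v = value.strip()
    if not v:
        return False          # key declared here, value supplied elsewhere
    if v.startswith("!vault"):
        return False          # ansible-vault encrypted inline value
    if "{{" in v:
        return False          # Jinja template: vault_* variable, lookup(), env
    return True


def mask(value: str) -> str:
    """Keep only the first character so reports show presence, not the value."""
    v = value.strip().strip("'\"")
    return v[:1] + "*" * (len(v) - 1) if v else ""


def find_hardcoded_credentials(text: str) -> List[Finding]:
    """Scan a vars file line by line and return credential keys with literal values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TOP_LEVEL_ENTRY.match(line)
        if not m:
            continue  # comments, nested/continuation lines, vault body
        key, value = m.group(1), m.group(2)
        if CREDENTIAL_KEY.search(key) and is_literal_secret(value):
            findings.append(Finding(lineno, key, mask(value)))
    return findings


def suggest_fix(key: str) -> str:
    """Replacement line: point the key at a vault-encrypted variable instead.

    The vault_<key> naming is an assumed convention; the encrypted value lives
    in a separate ansible-vault file.
    """
    return f'{key}: "{{{{ vault_{key} }}}}"'


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_GROUP_VARS):
        print(f"line {f.line}: {f.key} = {f.value_preview}  ->  {suggest_fix(f.key)}")
```

Run as a script it reports the two literal passwords in the constructed sample and leaves the `!vault` and `lookup('env', ...)` entries alone; the suggested replacement keeps `all.yml` as a readable default file while the real value moves into a vault-encrypted file, which is the split the maintainer's reply points at. The top-level-only regex is deliberate: nested mappings need a real YAML parser, which this example avoids to stay dependency-free.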