trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Ansible logs sensitive information #1617

Open davidemyers opened 5 years ago

davidemyers commented 5 years ago

Running Algo on Ubuntu leaves sensitive information in the system logs, including complete WireGuard configs and the IPsec CA password. Log messages like those below appear in /var/log/syslog and journalctl, where they can be read by root or anyone in the adm group.

I've found ansible-command log entries on my Ubuntu 18.04 system as far back as 2018-05-06, so this is not new; I just never noticed it before. These examples are from Ubuntu 19.10.

Oct 14 08:01:05 eoan ansible-command[5813]: Invoked with chdir=configs/68.183.56.58/wireguard/ executable=bash _raw_params=umask 077; which segno && segno --scale=5 --output=phone.png  "[Interface]
                                            PrivateKey = OFSh2JXN9EKP8TP3ysoLapv9fkdb78Og7tw1dS/FS38=
                                            Address = 10.19.49.2/24 ,fd9d:bc11:4021::2/48
                                            DNS =  172.19.208.207, fd00::3:d0cf

                                            [Peer]
                                            PublicKey = dv1og4yn7XoIIrOGIY0iWXlTnO1YxpEEibTXVWyf5BI=
                                            PresharedKey = gk+jBYmyYEMtwCfK1kMJ/8x1yli9t6P+B1/bL6BV37Q=
                                            AllowedIPs = 0.0.0.0/0,::/0
                                            Endpoint = 68.183.56.58:51820
                                            " || true
                                             _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None creates=None removes=None stdin=None
Oct 14 08:06:17 eoan ansible-command[6849]: Invoked with chdir=configs/68.183.56.58/ipsec//.pki/ creates=certs/68.183.56
.58_crt_generated executable=bash _raw_params=umask 077; openssl req -utf8 -new -newkey ec:ecparams/secp384r1.pem -confi
g <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=IP:68.183.56.58,IP:2604:a880:800:c1::25e:e001")) -keyout priv
ate/68.183.56.58.key -out reqs/68.183.56.58.req -nodes -passin pass:"Kjyz5VKGHrjRbK_P" -subj "/CN=68.183.56.58" -batch &
& openssl ca -utf8 -in reqs/68.183.56.58.req -out certs/68.183.56.58.crt -config <(cat openssl.cnf <(printf "[basic_exts
]\nsubjectAltName=IP:68.183.56.58,IP:2604:a880:800:c1::25e:e001")) -days 3650 -batch -passin pass:"Kjyz5VKGHrjRbK_P" -su
bj "/CN=68.183.56.58" && touch certs/68.183.56.58_crt_generated
                                             _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True arg
v=None removes=None stdin=None

TC1977 commented 5 years ago

How are you finding these messages? journalctl -u ansible-command?

davidemyers commented 5 years ago

I ran journalctl | less and searched for the messages with /ansible-command, though it's not necessary to pipe to a pager since journalctl will do that by default, but may not wrap the output by default.

TC1977 commented 5 years ago

Ok, journalctl|grep "ansible-command" run on my Algo server also gives me the CA password and the complete WireGuard configs. It was a local server, so the "control machine" and "managed machines" are the same.

Is this necessarily a problem? I always thought that if someone can SSH into your Algo server, you're already totally screwed.

davidemyers commented 5 years ago

The logging is done on the system where you run Algo, which might be a shared system. Since a lot of work was recently done to avoid writing the intermediate PKI files to disk, I thought this issue was worth pointing out.

TC1977 commented 5 years ago

Perhaps this old serverfault issue, which has been recently updated, might be helpful in correcting this, although each solution gets progressively farther and farther beyond my understanding.

jackivanov commented 4 years ago

OK, as a workaround we should put no_log: true on all sensitive tasks
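
An added example, not part of the thread or of Algo's code: a Python scanner that groups multi-line syslog/journalctl records, checks ansible-command records for the secret fields seen in the excerpts above (PrivateKey, PresharedKey, -passin pass:), and returns findings plus a redacted copy. The sample input, host name and all key and password values are constructed; the function names are hypothetical.

```python
import re

# Syslog/journalctl record header: "Oct 14 08:01:05 host tag[pid]: message"
RECORD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ([^\s\[:]+)(?:\[\d+\])?: ")

# Secret-bearing fields seen in the excerpts quoted in this issue.
SECRETS = {
    "wireguard-private-key": re.compile(r"(PrivateKey\s*=\s*)(\S+)"),
    "wireguard-preshared-key": re.compile(r"(PresharedKey\s*=\s*)(\S+)"),
    "openssl-passin": re.compile(r'(-passin\s+pass:)("[^"]*"|\S+)'),
}

# Constructed sample input (not real keys or passwords).
SAMPLE = '''Oct 14 08:01:05 host1 ansible-command[5813]: Invoked with executable=bash _raw_params=umask 077; segno --output=phone.png "[Interface]
    PrivateKey = AAAAconstructedPrivateKeyAAAA=
    Address = 10.0.0.2/24

    [Peer]
    PublicKey = BBBBconstructedPublicKeyBBBB=
    PresharedKey = CCCCconstructedPresharedCCCC=
    " || true
Oct 14 08:06:17 host1 ansible-command[6849]: Invoked with _raw_params=openssl req -new -passin pass:"constructed-pw" -batch && openssl ca -batch -passin pass:"constructed-pw"
Oct 14 08:07:00 host1 sshd[7001]: PrivateKey = not-an-ansible-record
'''

def split_records(text):
    """Group lines into records; lines without a header continue the previous one."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m or not records:
            records.append({"tag": m.group(1) if m else None, "lines": [line]})
        else:
            records[-1]["lines"].append(line)
    return records

def scan(text):
    """Return (findings, redacted_text); only ansible-command records are examined."""
    findings, out = [], []
    for n, rec in enumerate(split_records(text)):
        body = "\n".join(rec["lines"])
        if rec["tag"] == "ansible-command":
            for kind, pat in SECRETS.items():
                body, hits = pat.subn(r"\1[REDACTED]", body)
                if hits:
                    findings.append((n, kind, hits))
        out.append(body)
    return findings, "\n".join(out)

if __name__ == "__main__":
    found, redacted = scan(SAMPLE)
    for rec_no, kind, hits in found:
        print(f"record {rec_no}: {kind} x{hits}")
```

Each finding is a tuple of record index, secret kind and hit count; any finding means the secret in that record should be treated as exposed to everyone who can read the log.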