Passwords visible in infrastructure logs


Momchil Atanassov
 

Hi,

We are using the `syslog_daemon_config` property to stream all of our CF infrastructure logs to an external stack for later processing.

We have noticed that operations like `cf create-user-provided-service`, `cf bind-service`, and others are logged by multiple components in CF. That would normally not be a problem, except that these commands often involve passwords and those passwords get logged as well, ending up in the log files on the VM and the target log processing stack, which allows operators of the system to view end-user passwords.

We have noticed that the following jobs are responsible for the logs:

* api
* runner
* nats

Increasing the log level from the default `debug` / `debug2` to `info` solves the problem for the first two, at the cost of making troubleshooting tasks more difficult on the system.
The last one can only be solved by removing the `nats_stream_forwarder` component from the `nats` job, again making troubleshooting more difficult.

I believe the ideal solution is to have those components not log the payload of commands holding confidential information. Maybe they could replace it with some pattern.
This would help for the first two but might not help for nats, where some other means would be needed (encryption of the private content?).

How are you solving this issue on your productive system? What are your thoughts on this matter?

Thanks in advance!

Regards,
Momchil Atanassov
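
One way to implement the "replace it with some pattern" idea from the message above, as an added example (not part of the original post and not Cloud Foundry code): a component masks every value under a sensitive key before the body reaches the logger, and omits bodies it cannot parse. The key pattern, mask string, function names and sample body are assumptions constructed for illustration.

```ruby
require 'json'

# Assumed list of key names whose values must never reach a log file.
SENSITIVE_KEY = /pass(word|wd)?|secret|token|credential|api[_-]?key/i
MASK = '[REDACTED]'

# Recursively copy a parsed JSON value. Once a sensitive key is seen, every
# leaf below it is masked, but the structure (key names, array lengths) is
# kept so the log line stays useful for troubleshooting.
def redact(value, masked = false)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = redact(v, masked || k.to_s.match?(SENSITIVE_KEY))
    end
  when Array
    value.map { |v| redact(v, masked) }
  else
    masked ? MASK : value
  end
end

# Redact a request or message body before it is handed to the logger.
# Fails closed: a body that does not parse as JSON is not logged at all,
# only its size is.
def redact_body(body)
  JSON.generate(redact(JSON.parse(body)))
rescue JSON::ParserError
  "[UNPARSEABLE BODY OMITTED, #{body.bytesize} bytes]"
end

# Constructed sample: the kind of body a user-provided service request carries.
SAMPLE = '{"name":"my-db","space_guid":"constructed-guid",' \
         '"credentials":{"username":"app","password":"s3cr3t",' \
         '"hosts":["db1","db2"]},"syslog_drain_url":""}'

puts redact_body(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

This covers log statements inside a component; it does not address payloads that another process captures from the message bus, which is the `nats` case raised in the message.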
