Hi everyone,
we were having a discussion whether it makes sense to implement a password filter for Ansible commands running via remote execution. In the end, you can see all reports as plain text in Foreman. We came to the conclusion that it is a security glitch, but it would be hard to capture all kinds of passwords from arbitrary Ansible code.
Any opinions on adding a feature that would try to filter passwords either as Ansible callback plugin or as filter for reports?
Ansible has a no_log parameter, which you should set when you want things not to be logged (like passwords). And then I would expect every logger/callback to honour this.
Or is this set, and you still get passwords in the logs?
I guess no_log solves the problem by (as the name suggests) providing no log for the relevant task whatsoever. I think what we built was a callback plugin that tried to filter out just the things it identified as passwords, replacing them with ****** or something.
Of course there probably is no inherently reliable way of identifying passwords in a bunch of string output.
I think that there is a chance of capturing passwords if you run specific roles on a system. But as you can use remote execution to run arbitrary code, this becomes impossible.
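To make the trade-off discussed in this thread concrete, here is an added example (not code from the thread, from Foreman, or from Ansible) that contrasts the two approaches: honouring `no_log` by dropping the whole task result, versus a callback-style heuristic filter that masks values under password-like keys and `password=...` patterns in text. The result dictionary, the key and text regexes, the `MASK` string and the `find_leaks` checker are all constructed assumptions for the demo. The sample deliberately contains a secret embedded in a command line, which the heuristic misses, illustrating why filtering arbitrary output cannot be relied on.

```python
import re
from copy import deepcopy

MASK = "********"

# Constructed heuristic: result keys whose values are treated as secrets.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.IGNORECASE)
# Constructed heuristic: "password=value" / "password: value" inside free text.
SECRET_TEXT_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|secret|token)(\s*[:=]\s*)(\S+)")

# Constructed sample of what a callback plugin might receive for one task.
SAMPLE_RESULT = {
    "invocation": {"module_args": {"name": "app", "password": "hunter2", "state": "present"}},
    "stdout": "connected with password=hunter2 to db",
    "cmd": "curl -u app:hunter2 https://db.example.invalid/ping",
    "changed": True,
}


def redact_text(text):
    """Mask the value part of key=value / key: value secret patterns in a string."""
    return SECRET_TEXT_RE.sub(lambda m: m.group(1) + m.group(2) + MASK, text)


def _walk(obj):
    """Recursively mask secret-looking keys and text patterns; returns a new object."""
    if isinstance(obj, dict):
        return {
            k: (MASK if SECRET_KEY_RE.search(k) and isinstance(v, (str, int)) else _walk(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [_walk(x) for x in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def redact_result(result, no_log=False):
    """Return a report-safe copy of a task result.

    With no_log set, nothing from the result is kept (the robust option).
    Otherwise apply the best-effort heuristic filter to a deep copy.
    """
    if no_log:
        return {"censored": "output hidden because no_log was set for this task"}
    return _walk(deepcopy(result))


def find_leaks(obj, secrets, path=""):
    """Return dotted paths where any known secret string still appears after redaction."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits += find_leaks(v, secrets, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_leaks(v, secrets, f"{path}[{i}]")
    elif isinstance(obj, str) and any(s in obj for s in secrets):
        hits.append(path)
    return hits


if __name__ == "__main__":
    filtered = redact_result(SAMPLE_RESULT)
    print("heuristic filter leaks at:", find_leaks(filtered, ["hunter2"]))
    print("no_log leaks at:", find_leaks(redact_result(SAMPLE_RESULT, no_log=True), ["hunter2"]))
```

Running it shows the heuristic masks `module_args.password` and the `password=` fragment in `stdout`, but leaves `hunter2` inside `cmd`, while the `no_log` path leaks nothing. A `find_leaks`-style check against secrets you already know (for example, values loaded from Vault) is a practical way to test whether a filter is doing its job before trusting it in reports.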