Filtering passwords from Ansible reports in Foreman?

Hi everyone,
We were having a discussion about whether it makes sense to implement a password filter for Ansible commands running via remote execution. In the end, you can see all reports as plain text in Foreman. We came to the conclusion that it is a security glitch, but it would be hard to capture all kinds of passwords from arbitrary Ansible code.

Any opinions on adding a feature that would try to filter passwords, either as an Ansible callback plugin or as a filter for reports?

Thanks everyone :slight_smile:

Ansible has a no_log parameter, which you should set when you want things not to be logged (like passwords). And then I would expect every logger/callback to honour this.

Or is this set, and you still get passwords in the logs?

1 Like
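To make the `no_log` suggestion above concrete, here is an added example (not from anyone in this thread) showing the same task written without and with `no_log`. It assumes a variable `db_password` passed in from Foreman and a fictional `appctl` command; both are placeholders.

```yaml
# Added example, not from the thread. Assumptions: db_password is a
# variable supplied from Foreman; 'appctl' is a made-up command.

# Leaks: the rendered command line (including the password) and the
# module output are written into the report Foreman stores.
- name: Set database password (unsafe - appears in the report)
  ansible.builtin.command: appctl set-password --password "{{ db_password }}"

# Hidden: with no_log the task arguments, the module output and any
# loop item values are censored in every callback, so they never reach
# the Foreman report.
- name: Set database password (no_log)
  ansible.builtin.command: appctl set-password --password "{{ db_password }}"
  no_log: true

# Same idea for a loop over several credentials: no_log also hides the
# per-item labels, which would otherwise print each secret.
- name: Rotate service credentials
  ansible.builtin.command: appctl set-password --user "{{ item.user }}" --password "{{ item.password }}"
  loop: "{{ service_credentials }}"
  no_log: true
```

Two things to keep in mind: `no_log` only covers the task it is set on, so if you `register` the result and print it in a later task, that later task needs `no_log` as well; and because the whole output is censored, you lose the module's normal diagnostics for that task, which is the trade-off compared with an after-the-fact filter that has to guess what a password looks like.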

I guess no_log solves the problem by (as the name suggests) providing no log for the relevant task whatsoever. I think what we built was a callback plugin that tried to filter out just the things it identified as passwords, replacing them with ****** or something.

Of course there probably is no inherently reliable way of identifying passwords in a bunch of string output.

Ansible modules mark some params as no_log, and you can mark whole tasks as no_log.

I don’t see Foreman being in the position to guess what is a password or what not.

1 Like

I think that there is a chance of capturing passwords if you run specific roles on a system. But as you can use remote execution to run arbitrary code, this becomes impossible.

Are you saying that if you have a role testrole, and pass (secret) variables to it from Foreman, those leak?

I am saying that you need to be careful about your Ansible role design if you do not want any passwords to leak accidentally.