https://community.checkpoint.com/t5/API-CLI-Discussion/R80-automation-run-script-potential-leakage-of-credentials/m-p/25392#M1524 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>After messing with the <STRONG>run-script</STRONG> API call for automating several things on R80, I noticed that it&nbsp;does not filter/mask user credentials and other sensitive data sent to it.&nbsp;Everything gets&nbsp;stored in the Recent Tasks&nbsp;log (bottom left corner).</P><P></P><P>Here's an example from provisioning a VS using <STRONG>vsx_provisioning_tool</STRONG>:</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/70107_pastedImage_3.png" /></P><P></P><P>Had to switch to local authentication (-L) to prohibit the user credentials from being exposed and stored.</P><P></P><P>Anyway, I think this should be handled&nbsp;by <STRONG>run-script</STRONG>&nbsp;itself, possibly the Check Point GUI, especially when executing obvious Check Point internal tools. Could be some regex foo or something, replacing the output with "-p xxxxxxx" instead.</P><P></P><P>Have a nice weekend!</P><P></P><P>&nbsp;- Fredrik</P></BODY></HTML> Fri, 07 Sep 2018 13:26:18 GMT Fredrik_Holmber 2018-09-07T13:26:18Z https://community.checkpoint.com/t5/API-CLI-Discussion/R80-automation-run-script-potential-leakage-of-credentials/m-p/25392#M1524 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>After messing with the <STRONG>run-script</STRONG> API call for automating several things on R80, I noticed that it&nbsp;does not filter/mask user credentials and other sensitive data sent to it.&nbsp;Everything gets&nbsp;stored in the Recent Tasks&nbsp;log (bottom left corner).</P><P></P><P>Here's an example from provisioning a VS using <STRONG>vsx_provisioning_tool</STRONG>:</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/70107_pastedImage_3.png" /></P><P></P><P>Had to switch to local authentication (-L) to prohibit the user credentials from being exposed and stored.</P><P></P><P>Anyway, I think this should be handled&nbsp;by <STRONG>run-script</STRONG>&nbsp;itself, possibly the Check Point GUI, especially when executing obvious Check Point internal tools. Could be some regex foo or something, replacing the output with "-p xxxxxxx" instead.</P><P></P><P>Have a nice weekend!</P><P></P><P>&nbsp;- Fredrik</P></BODY></HTML> Fri, 07 Sep 2018 13:26:18 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/R80-automation-run-script-potential-leakage-of-credentials/m-p/25392#M1524 Fredrik_Holmber 2018-09-07T13:26:18Z https://community.checkpoint.com/t5/API-CLI-Discussion/R80-automation-run-script-potential-leakage-of-credentials/m-p/25393#M1525 <HTML><HEAD></HEAD><BODY><P>I can see that being a potentially useful addition.</P><P>Perhaps something to be considered for a later release.</P></BODY></HTML> Sun, 09 Sep 2018 07:59:21 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/R80-automation-run-script-potential-leakage-of-credentials/m-p/25393#M1525 PhoneBoy 2018-09-09T07:59:21Z https://community.checkpoint.com/t5/API-CLI-Discussion/R80-automation-run-script-potential-leakage-of-credentials/m-p/25394#M1526 <HTML><HEAD></HEAD><BODY><P>Thank you for&nbsp;bringing this to our attention!</P><P>We had several RnD meetings to discuss this issue and we're considering&nbsp;changing the run-script command&nbsp;so that sensitive data will not be leaked by mistake.</P><P></P><P>In the meanwhile, you'll be glad to know that <STRONG>there is a way to&nbsp;avoid this issue today (no API change is required)</STRONG>:</P><P>* The run-script API&nbsp;has an "args" parameter.</P><P>* The data in the "args" parameter is passed to the script however the data in the "args" parameter does not appear in the audit logs.</P><P></P><P>For example:</P><PRE>"mgmt_cli run-script script-name 'sample1' <STRONG>script 'my_script.sh -p $1'</STRONG> <STRONG>args 'my secret password'</STRONG> targets r80_20_ga -r true"</PRE><P>The audit log for the above script would show "<STRONG>my_script.sh -p $1" and will not include the secret password.</STRONG></P><P></P><P>We'll update the run-script API documentation to bring it to the attention of other users.</P></BODY></HTML> Thu, 18 Oct 2018 08:57:20 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/R80-automation-run-script-potential-leakage-of-credentials/m-p/25394#M1526 Uri_Bialik 2018-10-18T08:57:20Z