
R80 automation - run-script potential leakage of credentials

Hi,

After messing with the run-script API call for automating several things on R80, I noticed that it does not filter/mask user credentials and other sensitive data sent to it. Everything gets stored in the Recent Tasks log (bottom left corner).

Here's an example from provisioning a VS using vsx_provisioning_tool:

Had to switch to local authentication (-L) to prohibit the user credentials from being exposed and stored.

Anyway, I think this should be handled by run-script itself, possibly the Check Point GUI, especially when executing obvious Check Point internal tools. Could be some regex foo or something, replacing the output with "-p xxxxxxx" instead.

Have a nice weekend!

 - Fredrik

2 Replies

Admin

Re: R80 automation - run-script potential leakage of credentials

I can see that being a potentially useful addition.

Perhaps something to be considered for a later release.

Re: R80 automation - run-script potential leakage of credentials

Thank you for bringing this to our attention!

We had several R&D meetings to discuss this issue and we're considering changing the run-script command so that sensitive data will not be leaked by mistake.

In the meantime, you'll be glad to know that there is a way to avoid this issue today (no API change is required):

* The run-script API has an "args" parameter.

* The data in the "args" parameter is passed to the script; however, the data in the "args" parameter does not appear in the audit logs.

For example:

"mgmt_cli run-script script-name 'sample1' script 'my_script.sh -p $1' args 'my secret password' targets r80_20_ga -r true"

The audit log for the above script would show "my_script.sh -p $1" and would not include the secret password.

We'll update the run-script API documentation to bring it to the attention of other users.
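The two mitigations discussed in this thread, passing the secret through the "args" parameter so it stays out of the audit log, and the "regex foo" masking of "-p xxxxxxx" suggested in the opening post, are shown below in an added example. This is not code from the thread or from Check Point; the request body shape (script-name, script, args, targets) follows the documented run-script parameters, the audit-log model (everything except args is recorded) is an assumption derived from the reply above, and the password value is a constructed sample.

```python
import json
import re

# Constructed sample values (not real credentials or hosts).
SCRIPT_NAME = "sample1"
SCRIPT = "my_script.sh -p $1"          # $1 is filled from "args" on the target
SECRET = "my secret password"          # constructed sample secret
TARGETS = ["r80_20_ga"]

# Matches "-p <value>" where the value is double-quoted, single-quoted or a
# bare token. Used to mask passwords that were (wrongly) put inline in the
# script text before that text is written to a log or task history.
_PASSWORD_FLAG = re.compile(r"""(-p)\s+(?:"[^"]*"|'[^']*'|\S+)""")


def mask_password_args(script: str) -> str:
    """Return the script string with every -p <value> replaced by -p xxxxxxx."""
    return _PASSWORD_FLAG.sub(r"\1 xxxxxxx", script)


def build_run_script_request(script_name, script, args, targets):
    """Build a run-script request body; args is delivered to the script but
    (per the thread) is not recorded in the audit log."""
    return {
        "script-name": script_name,
        "script": script,
        "args": args,
        "targets": list(targets),
    }


def audit_log_view(request):
    """Assumed model of what the audit log keeps: every field except args."""
    return {k: v for k, v in request.items() if k != "args"}


def leaks_secret(log_entry, secret):
    """True if the secret appears anywhere in the serialized log entry."""
    return secret in json.dumps(log_entry)


if __name__ == "__main__":
    # Wrong way: the secret is inlined into the script text and lands in the log.
    unsafe = build_run_script_request(
        SCRIPT_NAME, f'my_script.sh -p "{SECRET}"', "", TARGETS)
    print("inline secret leaks:", leaks_secret(audit_log_view(unsafe), SECRET))
    print("masked script text :", mask_password_args(unsafe["script"]))

    # Right way: the secret travels in args; the logged script text only has $1.
    safe = build_run_script_request(SCRIPT_NAME, SCRIPT, SECRET, TARGETS)
    print("args secret leaks  :", leaks_secret(audit_log_view(safe), SECRET))
    print("audit log entry    :", json.dumps(audit_log_view(safe)))
```

The masking regex is a last line of defence for log writers, not a substitute for the "args" parameter: it only catches the "-p" convention, and it will also blank the harmless "$1" placeholder, which is acceptable for a log but shows why structural separation of secrets from command text is the better fix.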