Filtering sensitive information from automation.log

Hello,

Is there any configuration to filter out sensitive information from automation.log based on keywords?

The particular issue I am currently having is with Reloading state var data: log records that show all state variables passed into playbook including logins and passwords.

Fields in an automate schema can be declared as passwords which will prevent them from being logged, and will also encrypt them. You can’t do that with state vars, however, because there’s no schema, so we have no idea what is a password or not - it’s just raw values. If the state vars are handled by yourself in a Ruby automate method, I believe you can encrypt/decrypt them using ManageIQ::Password, which will, in turn, prevent them from being logged. Something like

# encrypt before storing, so the state var dump in automation.log shows only ciphertext
$evm.set_state_var("var", ManageIQ::Password.try_encrypt(password))
# decrypt when the value is read back in a later automate method
password = ManageIQ::Password.try_decrypt($evm.get_state_var("var"))

Ansible state vars are a little different because they are transferred via STDOUT using the ansible set_stats module. If you are seeing values, I believe your playbook must be logging those with set_stats. If you take a look at the STDOUT of your playbook run do you also see the value in plaintext?

Hi @Fryguy, thanks for your reply.

If the state vars are handled by yourself in a Ruby automate method, I believe you can encrypt/decrypt them using ManageIQ::Password, which will, in turn prevent them from being logged

Yes, state vars are set from ruby and are read afterwards by ansible playbook. If state_vars are encrypted in ruby, is it possible to decrypt them on ansible side?

If you are seeing values, I believe your playbook must be logging those with set_stats. If you take a look at the STDOUT of your playbook run do you also see the value in plaintext?

I do not have any issues with playbook output as it can be controlled in playbook with no_log parameters and with log levels in ManageIQ.

The case I am referring to is specific to automation.log messages of the following format:

[----] I, [2021-08-23T08:12:32.717082 #2347:2ada74e89968]  INFO -- : Q-task_id([r120_miq_provision_111]) Reloading state var data: ---
cluster_name: cluster1
vm_name: vmname1
hostname: vcenter_hostname
username: vcenter_username
pass: vcenter_password

I would like to find out if it is possible to mask specific parameters, or if not possible, completely disable this kind of log record.

No, unless the decryption algorithm were rewritten as an ansible module. Additionally you’d need the encryption key copied to wherever ansible is running. If localhost, it might be available.

Right, but the actual way playbooks are run under the covers is to expose those via STDOUT, otherwise we wouldn’t be able to collect them to pass onto the next stage.

At the moment I don’t think you can, but it does make sense for us to sanitize the output from dumping the state var hashes. If we were to use our existing sanitizer though, none of those existing keys would be filtered since they don’t fall into a predefined list. That being said, we could probably add a way to add keys in the settings for filtering.
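The sanitizer idea in the last reply, worked as an added example (not ManageIQ code and not something the thread says exists today): a small Ruby filter that masks values under sensitive keys in a state var hash before it is dumped as YAML, with a default key list plus caller-supplied extra keys, which is the "add keys in the settings" approach suggested above. The default key list, the mask text and the sample hash (modelled on the "Reloading state var data" dump earlier in the thread) are constructed for this example; `sanitize_state_vars`, `sensitive_key?` and `state_var_log_message` are hypothetical names.

```ruby
require 'yaml'

# Constructed default list; ManageIQ's own sanitizer key list is not shown in the thread.
DEFAULT_SENSITIVE_KEYS = %w[password pass passwd secret token api_key].freeze

# Replacement text written in place of a masked value.
MASK = "[FILTERED]".freeze

# Constructed sample, modelled on the state var dump quoted in the thread.
SAMPLE_STATE_VARS = {
  "cluster_name" => "cluster1",
  "vm_name"      => "vmname1",
  "hostname"     => "vcenter_hostname",
  "username"     => "vcenter_username",
  "pass"         => "vcenter_password",
}.freeze

# A key is sensitive if it equals a listed word, or is that word with a
# "<prefix>_" or "_<suffix>" qualifier (e.g. "db_password", "token_expiry").
def sensitive_key?(key, sensitive_words)
  k = key.to_s.downcase
  sensitive_words.any? { |w| k == w || k.end_with?("_#{w}") || k.start_with?("#{w}_") }
end

# Returns a deep copy of +data+ with every value under a sensitive key replaced
# by MASK. Hashes and arrays are walked recursively; the input is not modified.
# +extra_keys+ plays the role of user-configured keys added via settings.
def sanitize_state_vars(data, extra_keys: [])
  words = (DEFAULT_SENSITIVE_KEYS + extra_keys).map { |w| w.to_s.downcase }
  walk = lambda do |node|
    case node
    when Hash
      node.each_with_object({}) do |(k, v), out|
        out[k] = sensitive_key?(k, words) ? MASK : walk.call(v)
      end
    when Array
      node.map { |v| walk.call(v) }
    else
      node
    end
  end
  walk.call(data)
end

# Builds the log message in the same shape as the automation.log line from the
# thread ("Reloading state var data: ---\nkey: value ..."), but sanitized first.
def state_var_log_message(state_vars, extra_keys: [])
  "Reloading state var data: " + sanitize_state_vars(state_vars, extra_keys: extra_keys).to_yaml
end

if __FILE__ == $PROGRAM_NAME
  # Default list masks "pass" only; passing "username" as an extra key masks it too.
  puts state_var_log_message(SAMPLE_STATE_VARS)
  puts state_var_log_message(SAMPLE_STATE_VARS, extra_keys: ["username"])
end
```

The filter only ever sees the hash at the point where it is about to be written to the log, so the real values remain available to the next automate method; in the thread's setup, pairing this with the `ManageIQ::Password.try_encrypt` approach from the first reply covers the Ruby side, while the Ansible side still needs `no_log` on the tasks that call `set_stats`.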