Running Algo on Ubuntu leaves sensitive information in the system logs, including complete WireGuard configs and the IPsec CA password. Log messages like those below appear in /var/log/syslog and journalctl, where they can be read by root or anyone in the adm group.
I've found ansible-command log entries on my Ubuntu 18.04 system as far back as 2018-05-06, so this is not new; I just never noticed it before. These examples are from Ubuntu 19.10.
Oct 14 08:01:05 eoan ansible-command[5813]: Invoked with chdir=configs/68.183.56.58/wireguard/ executable=bash _raw_params=umask 077; which segno && segno --scale=5 --output=phone.png "[Interface]
PrivateKey = OFSh2JXN9EKP8TP3ysoLapv9fkdb78Og7tw1dS/FS38=
Address = 10.19.49.2/24 ,fd9d:bc11:4021::2/48
DNS = 172.19.208.207, fd00::3:d0cf
[Peer]
PublicKey = dv1og4yn7XoIIrOGIY0iWXlTnO1YxpEEibTXVWyf5BI=
PresharedKey = gk+jBYmyYEMtwCfK1kMJ/8x1yli9t6P+B1/bL6BV37Q=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 68.183.56.58:51820
" || true
_uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None creates=None removes=None stdin=None
Oct 14 08:06:17 eoan ansible-command[6849]: Invoked with chdir=configs/68.183.56.58/ipsec//.pki/ creates=certs/68.183.56
.58_crt_generated executable=bash _raw_params=umask 077; openssl req -utf8 -new -newkey ec:ecparams/secp384r1.pem -confi
g <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=IP:68.183.56.58,IP:2604:a880:800:c1::25e:e001")) -keyout priv
ate/68.183.56.58.key -out reqs/68.183.56.58.req -nodes -passin pass:"Kjyz5VKGHrjRbK_P" -subj "/CN=68.183.56.58" -batch &
& openssl ca -utf8 -in reqs/68.183.56.58.req -out certs/68.183.56.58.crt -config <(cat openssl.cnf <(printf "[basic_exts
]\nsubjectAltName=IP:68.183.56.58,IP:2604:a880:800:c1::25e:e001")) -days 3650 -batch -passin pass:"Kjyz5VKGHrjRbK_P" -su
bj "/CN=68.183.56.58" && touch certs/68.183.56.58_crt_generated
_uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True arg
v=None removes=None stdin=None
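
An added example, not part of the original report or of the Algo project: a scanner that finds ansible-* syslog records like the two above, including multi-line records where the WireGuard config continues on lines without a syslog header. The sample log, host name, address and all secret values are constructed placeholders, and the three patterns cover only the leaks shown in this report.

```python
import re

# HEADER matches a record written by an Ansible module; ANY_HEADER matches any record start.
HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (ansible-[\w.-]+)\[(\d+)\]: (.*)$")
ANY_HEADER = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \S+: ")
# Patterns for the two kinds of leak shown in the report.
SECRETS = {
    "wireguard_private_key": re.compile(r"PrivateKey\s*=\s*\S+"),
    "wireguard_preshared_key": re.compile(r"PresharedKey\s*=\s*\S+"),
    "openssl_passin": re.compile(r'-passin\s+pass:"?[^"\s]+'),
}

def records(lines):
    """Yield Ansible records, folding header-less continuation lines into the body."""
    current = None
    for line in lines:
        line = line.rstrip("\n")
        m = HEADER.match(line)
        if m or ANY_HEADER.match(line):
            if current:
                yield current
            current = {"time": m[1], "tag": m[2], "pid": int(m[3]), "body": m[4]} if m else None
        elif current:
            current["body"] += "\n" + line
    if current:
        yield current

def scan(lines):
    """Return (time, pid, kind) per leak; matched values are never returned or printed."""
    return [(rec["time"], rec["pid"], kind)
            for rec in records(lines)
            for kind, pattern in SECRETS.items()
            if pattern.search(rec["body"])]

# Constructed sample log; host, address and all secret values are placeholders.
SAMPLE = """\
Oct 14 08:01:05 host1 ansible-command[5813]: Invoked with chdir=configs/192.0.2.10/wireguard/ _raw_params=segno --output=phone.png "[Interface]
PrivateKey = CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER=
[Peer]
PublicKey = CONSTRUCTED-PUBLIC-KEY-PLACEHOLDER=
PresharedKey = CONSTRUCTED-PSK-PLACEHOLDER=
" || true
Oct 14 08:01:06 host1 sshd[900]: Accepted publickey for admin
Oct 14 08:06:17 host1 ansible-command[6849]: Invoked with _raw_params=openssl ca -batch -passin pass:"CONSTRUCTED-CA-PASS" -subj "/CN=192.0.2.10"
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

`scan()` accepts any iterable of lines, so an open handle on /var/log/syslog or a rotated copy can be passed in directly.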