Can you change the platform so that passwords in procedures are not stored in clear text and in the logs
NCT
Please can I make a feature request that passwords are somehow not stored in clear text or in the logs, e.g. in the procedure to create an admin user: https://scripts.itarian.com/frontend/web/topic/create-user-with-admin-privilege
Robin
From a security point of view we totally understand the requirement. The passwords are stored in plain text because our logs keep a record of what the parameter was set to at the point of execution.
Without speaking to the dev team to see what is technically possible, one idea that comes to mind is a simple tick box we provide that states to not store this data in the log.
Would this be enough?
NCT
Robin: That's a good idea, so long as it is not stored anywhere else, i.e. in your backend DB, since it is currently also stored locally in the RMMService.log file, which is not great!
At the moment, I am using a dummy password on Itarian and then changing it locally which wastes time and increases the likelihood of a typo.
myr
NCT: The issue is not just with the password being visible in the log. If you have added the password in the procedure script, that is also an issue, because people who are given access to run the procedure can see the procedure code and eventually see the password. I had also requested a feature where we can control the visibility of the procedure code. As of now, the moment you give access to run a procedure it automatically assigns the view permission for the procedure as well. The view permission should be limited to the creators only, and all L1 and L2 staff should only be able to run the procedure but not see its contents.
NCT
myr: Correct about the script, but as a minimum, if the username and password are entered as parameters when the procedure is run manually, they would not be saved with the procedure.
myr
NCT: We schedule mostly, so unfortunately it doesn't work for us. The only solution I found was using the HashiCorp Vault integration, which pulls the credentials from the store, uses them and does the job. I still want them to include in RBAC the ability to hide the procedure contents when run permission is given to a user.
myr
I don't think they can do anything on this. You need to set up either Azure Key Vault or HashiCorp Vault and use them in your procedure script.
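The vault approach described in the last two replies, as an added example that is not part of the thread, not Itarian's code and not the integration any poster used: the procedure keeps only a vault path, fetches the credential at execution time over HashiCorp Vault's KV v2 HTTP API (`GET /v1/<mount>/data/<path>` with an `X-Vault-Token` header), and routes its log output through a filter that masks password-like values, so neither the script body nor the execution log carries the password. It assumes a KV v2 mount named `secret`, a secret holding `username` and `password` keys, and the `VAULT_ADDR` / `VAULT_TOKEN` environment variables that the Vault CLI itself uses; the HTTP call is injectable so the sample runs offline against a constructed response.

```python
"""Fetch a credential from HashiCorp Vault KV v2 at run time and keep it out of logs.
Added example; assumes a KV v2 mount 'secret' and VAULT_ADDR / VAULT_TOKEN in the environment."""
import json
import logging
import os
import urllib.request
import re

# Any key=value (or key: value) pair whose key looks like a credential is scrubbed.
# The key list is an assumption; extend it to match your own parameter names.
SECRET_VALUE = re.compile(r"(?i)\b(password|passwd|secret|token)(\s*[=:]\s*)(\S+)")


def redact(text: str) -> str:
    """Replace the value of every password-like key=value pair with a fixed marker."""
    return SECRET_VALUE.sub(r"\1\2***REDACTED***", text)


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs credential values before a record reaches any handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub the result
        record.args = ()                           # already formatted; stop re-substitution
        return True


def scrubbed_message(msg: str, *args) -> str:
    """Run one message through RedactingFilter and return what would be emitted."""
    record = logging.LogRecord("procedure", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def _http_get(url: str, headers: dict) -> str:
    """Minimal GET using only the standard library (no third-party dependency)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def vault_kv2_read(vault_addr: str, token: str, path: str,
                   mount: str = "secret", http_get=_http_get) -> dict:
    """Read one secret from a KV v2 mount: GET <addr>/v1/<mount>/data/<path>.
    KV v2 wraps the key/value pairs under data.data; the metadata block is discarded."""
    url = f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"
    body = http_get(url, {"X-Vault-Token": token})
    return json.loads(body)["data"]["data"]


def fetch_admin_credential(path: str, vault_addr: str = None, token: str = None,
                           http_get=_http_get) -> tuple:
    """Resolve the admin username/password at execution time.
    Only the username and the vault path are logged; the password is returned to the caller."""
    addr = vault_addr or os.environ["VAULT_ADDR"]
    tok = token or os.environ["VAULT_TOKEN"]
    secret = vault_kv2_read(addr, tok, path, http_get=http_get)
    logging.getLogger("procedure").info("fetched credential for user=%s from vault path=%s",
                                        secret["username"], path)
    return secret["username"], secret["password"]


def configure_logging() -> logging.Logger:
    """Attach the redacting filter to the procedure logger's handler."""
    logger = logging.getLogger("procedure")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


if __name__ == "__main__":
    # Constructed stand-in for a Vault KV v2 response so the sample runs offline.
    def canned_get(url, headers):
        return json.dumps({"data": {"data": {"username": "rmmadmin", "password": "Constructed!1"},
                                    "metadata": {"version": 1}}})

    log = configure_logging()
    user, pw = fetch_admin_credential("rmm/admin", "https://vault.example:8200", "s.constructed",
                                      http_get=canned_get)
    # Even a careless log line that includes the parameter is scrubbed before it is written.
    log.info("create-user parameters: user=%s password=%s", user, pw)
```

The two-layer design matters: the vault lookup keeps the password out of the stored procedure, and the filter is the safety net for the execution log, since a scheduled run still has to hand the value to whatever creates the account. The filter only covers log lines this script emits; anything the platform records about parameters on its own side is outside its reach, which is why the thread's request to the vendor still stands.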