Project

General

Profile

Bug #392

Potential security risc in preludedb-admin?

Added by Paul Buetow over 8 years ago. Updated almost 7 years ago.

Status:
Assigned
Priority:
Normal
Target version:
-
Start date:
01/15/2011
Due date:
% Done:

0%

Resolution:

Description

Hi!

I wanted to ask a question regarding preludedb-admin.

I am using 0.9.14.1-2 (Debian GNU/Linux Lenny). There is no way not to
define the database password (e.g. mysql password) NOT in the command
line argument. The password shows up in plain text in the system
process list while using preludedb-admin.

It should be possible to "pipe" the arguments to preludedb-admin

The current way:

preludedb-admin delete alert "type=mysql name=prelude user=prelude
pass=prelude" --criteria "alert.create_time < $DATE"

"Better way":

some-script-generating-arguments | preludedb-admin

(Alternatively just pipe the "type=mysql name=prelude user=prelude"
part)

And / Or:

preludedb-admin --args filename

(Alternatively just read the "type=mysql name=prelude user=prelude"
part from file)

And / Or:

Read password from an environment variable:

#/bin/sh

export PRELUDE_PASS=prelude
exec preludedb-admin delete alert "type=mysql name=prelude
user=prelude" --criteria "alert.create_time < $DATE"

And / Or:

Read password from stdin if missing in the argument.

Hope you got my point :)

Thanks a lot and best regards,

History

#1 Updated by Francois POIROTTE over 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Francois POIROTTE

Faut que je retrouve la commande exacte, mais il existe un

#2 Updated by Jean-Charles ROGEZ almost 7 years ago

  • Project changed from PRELUDE SIEM to LibpreludeDB
  • Category deleted (generic)

Also available in: Atom PDF