Wildfly 32 - Audit log - Hide secret expressions


Alexander Belya (AlexSW)

Apr 15, 2025, 11:11:11 PM
to WildFly
Hello everyone. There is a question regarding the recording of the audit log. When a command is executed to encrypt a phrase through the Elytron subsystem (/subsystem=elytron/expression=encryption:create-expression(resolver=default,clear-text="<phrase>")), an entry about this appears in the audit log, and, accordingly, there is a risk of data compromise if an attacker penetrates the server. Is there a way to hide sensitive information in the audit log?

Brian Stansberry

Apr 24, 2025, 12:28:04 PM
to WildFly
Thanks for mentioning this.

No, there is no way to hide sensitive information in the audit log. We will update the documentation warning in https://docs.wildfly.org/36/WildFly_Elytron_Security.html#management-operation-6 to note that management audit logging should be disabled before using this operation. We are triaging whether this is a vulnerability.

Best regards,
Brian Stansberry
WildFly project lead
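An added check for the situation Brian describes, written for this thread rather than taken from the WildFly project: it scans an existing management audit log for create-expression operations that recorded a clear-text parameter and scrubs those values from a copy of the log. The record layout (timestamp prefix, then one JSON object per operation batch) is assumed from the JSON-formatted audit logger, and the sample log is constructed.

```python
import json
import re
# Constructed excerpt of a WildFly management audit log (audit-log.log). The
# layout (timestamp prefix, then one JSON object per operation batch) is assumed
# from the JSON-formatted audit logger; verify it against your own file.
SAMPLE_AUDIT_LOG = """\
2025-04-15 23:10:02 - {
    "type" : "core", "r/o" : true, "booting" : false, "user" : "$local", "success" : true,
    "ops" : [{ "address" : [{"subsystem" : "elytron"}], "operation" : "read-resource" }]
}
2025-04-15 23:11:11 - {
    "type" : "core", "r/o" : false, "booting" : false, "user" : "$local", "success" : true,
    "ops" : [{
        "address" : [{"subsystem" : "elytron"}, {"expression" : "encryption"}],
        "operation" : "create-expression", "resolver" : "default",
        "clear-text" : "constructed-secret"
    }]
}
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - ")
SENSITIVE_KEYS = ("clear-text",)  # operation parameters that must never persist

def iter_records(text):
    """Yield (timestamp, record) for every JSON record in the log text."""
    stamp, buf = None, []
    for line in text.splitlines():
        if (m := RECORD_START.match(line)):
            if stamp is not None:
                yield stamp, json.loads("\n".join(buf))
            stamp, buf = line[: m.end() - 3], [line[m.end():]]  # strip " - "
        elif stamp is not None:
            buf.append(line)
    if stamp is not None:
        yield stamp, json.loads("\n".join(buf))

def find_leaks(text):
    """One finding per recorded operation that carries a sensitive parameter."""
    findings = []
    for stamp, rec in iter_records(text):
        for op in rec.get("ops", []):
            keys = [k for k in SENSITIVE_KEYS if k in op]
            if keys:
                findings.append({"when": stamp, "user": rec.get("user"), "op": op.get("operation"), "keys": keys})
    return findings

def redact(text):
    """Rewrite the log with sensitive values replaced, keeping the layout intact."""
    pattern = re.compile(r'("(?:%s)"\s*:\s*)"(?:[^"\\]|\\.)*"' % "|".join(map(re.escape, SENSITIVE_KEYS)))
    return pattern.sub(r'\1"<REDACTED>"', text)
```

Running find_leaks over the real file tells you whether a clear-text value has already been persisted; redact produces a scrubbed copy for the cases where the original must be rotated out.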

Alexander Belya (AlexSW)

Apr 26, 2025, 12:31:35 AM
to WildFly
Thank you! Do I understand correctly that in this case you need to disable audit logging with the command
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=false)
after disabling history (history --disable)?

Friday, April 25, 2025 at 02:28:04 UTC+10, Brian Stansberry:

Brian Stansberry

Apr 28, 2025, 4:30:57 PM
to Alexander Belya (AlexSW), WildFly
Hi Alexander,

Yes, that's correct, setting 'enabled' to false will turn off the management audit logging, while still leaving the bulk of the configuration in place to make it easy to enable again.

Best regards,
Brian




--
Brian Stansberry
Principal Architect, Red Hat JBoss EAP
WildFly Project Lead
He/Him/His

Alexander Belya (AlexSW)

Apr 30, 2025, 2:58:43 AM
to WildFly
Brian, will we be able to learn the results of the triage, i.e. whether this observation is a vulnerability and, if so, in which version of WildFly it will be addressed?

Tuesday, April 29, 2025 at 06:30:57 UTC+10, Brian Stansberry:

Brian Stansberry

May 5, 2025, 7:09:58 PM
to Alexander Belya (AlexSW), WildFly
Hi Alexander,

Based on current design, this behavior is expected and is not classified as a vulnerability.

I filed https://issues.redhat.com/browse/WFCORE-7247 as an RFE to consider adding a filtering mechanism to the audit logging. I can't say for sure when someone would do that.

Best regards,
Brian


Alexander Belya (AlexSW)

May 14, 2025, 8:15:12 AM
to WildFly
Good afternoon.
In continuation of this topic, I would like to highlight a solution that makes it possible to avoid passwords appearing in plaintext in the jboss-cli history and in the audit log when encrypting them, and that also reduces the number of commands and the possible errors when executing them.
WF comes with a utility, elytron-tool.sh, which allows you to perform various operations related to vaults in the Elytron subsystem. Among them is the password encryption operation.
The command for encryption will look like this:
$WILDFLY_HOME/bin/elytron-tool.sh credential-store --location /path/to/credential-store --type PropertiesCredentialStore --encrypt key --clear-text "<password>"
Command output:
Clear text encrypted to token 'RUxZAUMQbD0V34xzetwIDY5WsV/u/e49GPEdlzE******' using alias 'key'.
From this output you need to parse the token (bolded) and paste it into the following form:
${ENC::<resolver>:<token>}
This finished form can be used in the WF configuration.
As I said earlier, information about this command is not output to the jboss-cli history or audit log, because this utility does not interact with them directly.
Tuesday, May 6, 2025 at 09:09:58 UTC+10, Brian Stansberry:

Brian Stansberry

May 14, 2025, 12:20:27 PM
to Alexander Belya (AlexSW), WildFly
Hi Alexander,

Yes, this is a very good point, one I should have mentioned earlier, and one that we can point to in our docs along with any admonition to be careful about the history / logging.

The use case for the CLI operation is for where local access to the credential store is not available. If that is not an issue it is better to use elytron-tool.sh.

Best regards,
Brian

Brian Stansberry

May 14, 2025, 3:29:54 PM
to Alexander Belya (AlexSW), WildFly
Beware though, that with that approach, the clear text value may be visible to other users and may also be cached in the command history of your shell.

Brian Stansberry

May 14, 2025, 3:32:24 PM
to Alexander Belya (AlexSW), WildFly
Sorry, I hit enter too early. Without the --clear-text parameter, the tool will prompt for the clear text, avoiding the issue of it being visible to others.