From 07bb49d3c6006663bf5249f9c2137424f263d143 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves" <bmr@redhat.com>
Date: Fri, 18 Jul 2014 12:49:52 +0100
Subject: [PATCH 1/4] [ds] exclude paths containing directory server secrets

Signed-off-by: Bryn M. Reeves <bmr@redhat.com>

Conflicts:
	sos/plugins/ds.py
---
 sos/plugins/ds.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/sos/plugins/ds.py b/sos/plugins/ds.py
index 49ec7e8..1fcce7b 100644
--- a/sos/plugins/ds.py
+++ b/sos/plugins/ds.py
@@ -1,4 +1,5 @@
 ## Copyright (C) 2007 Red Hat, Inc., Kent Lamb <klamb@redhat.com>
+## Copyright (C) 2014 Red Hat, Inc., Bryn M. Reeves <bmr@redhat.com>
 
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@@ -40,11 +41,25 @@ class ds(sos.plugintools.PluginBase):
         return False
 
     def setup(self):
+        self.add_forbidden_path("/etc/dirsrv/slapd*/pin.txt")
+        self.add_forbidden_path("/etc/dirsrv/slapd*/key3.db")
+        self.add_forbidden_path("/etc/dirsrv/slapd*/pwfile.txt")
+        self.add_forbidden_path("/etc/dirsrv/slapd*/*passw*")
+        self.add_forbidden_path("/etc/dirsrv/admin-serv/key3.db")
+        self.add_forbidden_path("/etc/dirsrv/admin-serv/admpw")
+        self.add_forbidden_path("/etc/dirsrv/admin-serv/password.conf")
         if not self.check_version():
             self.addAlert("Directory Server not found.")
         elif "ds8" in self.check_version():
-            self.addCopySpec("/etc/dirsrv/slapd*")
-            self.addCopySpec("/var/log/dirsrv/*")
+            self.addCopySpecs([
+                "/etc/dirsrv/slapd*/cert8.db",
+                "/etc/dirsrv/slapd*/certmap.conf",
+                "/etc/dirsrv/slapd*/dse.ldif",
+                "/etc/dirsrv/slapd*/dse.ldif.startOK",
+                "/etc/dirsrv/slapd*/secmod.db",
+                "/etc/dirsrv/slapd*/schema/*.ldif",
+                "/var/log/dirsrv/*"
+            ])
         elif "ds7" in self.check_version():
             self.addCopySpec("/opt/redhat-ds/slapd-*/config")
             self.addCopySpec("/opt/redhat-ds/slapd-*/logs")
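Review bot: The new exclusions call `self.add_forbidden_path(...)` while every other call in this hunk, and the ldap plugin in PATCH 3 of this series, use the camelCase PluginBase API (`addCopySpec`, `addAlert`, `addForbiddenPath`); if `sos.plugintools.PluginBase` only provides `addForbiddenPath`, the first line of setup() raises AttributeError and nothing is collected or excluded. Unless `add_forbidden_path` is a known alias in this tree, change the seven lines to the form `self.addForbiddenPath("/etc/dirsrv/slapd*/pin.txt")`. The ds8 branch also collects `dse.ldif`, which on 389/Red Hat DS typically holds the directory manager password hash (`nsslapd-rootpw`); the plugin's postproc is not part of this patch, so confirm a scrub covers that attribute. setup() continues past the end of the hunk (the ds7 branch).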
-- 
1.9.3


From a4ad26f2f768660a15e86d6face3de483c8f0d8d Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves" <bmr@redhat.com>
Date: Fri, 18 Jul 2014 20:12:51 +0100
Subject: [PATCH 2/4] [ds] add 'certutil -L' collection for slapd instances

Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
 sos/plugins/ds.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sos/plugins/ds.py b/sos/plugins/ds.py
--- a/sos/plugins/ds.py
+++ b/sos/plugins/ds.py
@@ -48,6 +48,14 @@ class ds(sos.plugintools.PluginBase):
         self.add_forbidden_path("/etc/dirsrv/admin-serv/key3.db")
         self.add_forbidden_path("/etc/dirsrv/admin-serv/admpw")
         self.add_forbidden_path("/etc/dirsrv/admin-serv/password.conf")
+        try:
+            for d in os.listdir("/etc/dirsrv"):
+                if d[0:5] == 'slapd':
+                    certpath = os.path.join("/etc/dirsrv", d)
+                    self.collectExtOutput("certutil -L -d %s" % certpath)
+        except:
+            self.soslog.warn("could not list /etc/dirsrv")
+
         if not self.check_version():
             self.addAlert("Directory Server not found.")
         elif "ds8" in self.check_version():
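Review bot: The bare `except:` around the new listing loop swallows every exception, including KeyboardInterrupt and SystemExit, and would also hide a NameError if `os` is not imported at the top of ds.py (the import block is outside this hunk); narrow it to `except OSError:` and add `import os` if it is missing. `self.soslog.warn` is the deprecated logging alias; use `self.soslog.warning("could not list /etc/dirsrv")`. `d[0:5] == 'slapd'` reads more clearly as `d.startswith('slapd')`. The directory name is interpolated unquoted into the command string; /etc/dirsrv is root-owned so exposure is small, but if collectExtOutput hands the string to a shell, quoting certpath with `pipes.quote` is cheap defense in depth.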
-- 
1.9.3


From b5ec0407a8d4e5c04e23995803142d4fb4c07233 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves" <bmr@redhat.com>
Date: Mon, 28 Jul 2014 17:24:55 +0100
Subject: [PATCH 3/4] [backport][ldap] add more forbidden paths and restrict
 file collection

  commit 462c830fa661e308a52067fc8290b31e45be67c3
  Author: Bryn M. Reeves <bmr@redhat.com>
  Date:   Fri Jul 18 19:05:12 2014 +0100

      [ldap] add more forbidden paths and restrict file collection

      Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
 sos/plugins/ldap.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sos/plugins/ldap.py b/sos/plugins/ldap.py
index 4a41a83..ee2b964 100644
--- a/sos/plugins/ldap.py
+++ b/sos/plugins/ldap.py
@@ -41,9 +41,16 @@ class ldap(sos.plugintools.PluginBase):
                 self.addDiagnose("%s does not exist and can cause connection issues involving TLS" % ldapopts["TLS_CACERTDIR"])
 
     def setup(self):
+        self.addForbiddenPath("/etc/openldap/certs/password")
+        self.addForbiddenPath("/etc/openldap/certs/pwfile.txt")
+        self.addForbiddenPath("/etc/openldap/certs/pin.txt")
+        self.addForbiddenPath("/etc/openldap/certs/*passw*")
+        self.addForbiddenPath("/etc/openldap/certs/key3.db")
         self.addCopySpec("/etc/ldap.conf")
+        self.addCopySpec("/etc/openldap/ldap.conf")
+        self.addCopySpec("/etc/openldap/cert8.db")
+        self.addCopySpec("/etc/openldap/secmod.db")
         self.addCopySpec("/etc/nslcd.conf")
-        self.addCopySpec("/etc/openldap")
         self.addCopySpec("/etc/pam_ldap.conf")
 
     def postproc(self):
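Review bot: `/etc/openldap/ldap.conf` is newly collected and `/etc/nslcd.conf` remains collected, but the only scrub visible in this series (`doRegexSub("/etc/ldap.conf", ...)` in PATCH 4) targets `/etc/ldap.conf`; both other files can carry a `bindpw` line, so confirm that postproc, which begins on the last line of this hunk and continues outside it, applies the same substitution to them. The five forbidden paths under `/etc/openldap/certs/` no longer overlap any copy spec once the whole-directory `/etc/openldap` spec is dropped; they are worth keeping, but a comment such as `# guard in case a broader /etc/openldap spec is reintroduced` would record why. setup() fits entirely within the hunk.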
-- 
1.9.3


From a57f933bc5c93e549f834763219f43cdd7d13c65 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves" <bmr@redhat.com>
Date: Mon, 28 Jul 2014 17:26:10 +0100
Subject: [PATCH 4/4] [backport] [ldap] add output of 'certutil -L'

  commit 9a4a594b950478c8ab375967206bd08a7baf2739
  Author: Bryn M. Reeves <bmr@redhat.com>
  Date:   Fri Jul 18 19:07:02 2014 +0100

      [ldap] add output of 'certutil -L'

      Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
 sos/plugins/ldap.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sos/plugins/ldap.py b/sos/plugins/ldap.py
--- a/sos/plugins/ldap.py
+++ b/sos/plugins/ldap.py
@@ -52,6 +52,7 @@ class ldap(sos.plugintools.PluginBase):
         self.addCopySpec("/etc/openldap/secmod.db")
         self.addCopySpec("/etc/nslcd.conf")
         self.addCopySpec("/etc/pam_ldap.conf")
+        self.collectExtOutput("certutil -L -d /etc/openldap")
 
     def postproc(self):
         self.doRegexSub("/etc/ldap.conf", r"(\s*bindpw\s*)\S+", r"\1********")
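Review bot: `certutil -L -d /etc/openldap` points at `/etc/openldap`, yet PATCH 3 treats `/etc/openldap/certs/` as the NSS database directory (it forbids `key3.db`, `pin.txt` and `pwfile.txt` there) while collecting `cert8.db` and `secmod.db` from `/etc/openldap/` itself; whichever directory really holds the database, one of these three groups is pointing at the wrong place, and if it is `/etc/openldap/certs` this command lists nothing. Confirm where `cert8.db` actually lives and use that one directory consistently in the forbidden paths, the copy specs and `self.collectExtOutput("certutil -L -d <nss-db-dir>")` (placeholder). `certutil -L` only lists certificates and never exports private keys, so the output itself is safe to include. postproc continues past the end of the hunk.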
-- 
1.9.3

