Ansible become-success command is logging variables

Hello,

I have a small play that runs on a remote server as a user X. During the become process, Ansible seems to invoke a remote command (command.py) that gets logged in the remote machine's syslog. If the task for this play contains an environment variable, like PASSWORD for example, it will also be included in that log. Syslog is owned by root and not world-readable, but I would still like this to be prevented. Is there a way to tell Ansible to include that environment variable inside the command.py?

Example play:

- hosts: dms
  gather_facts: no
  become: true
  become_user: remote_user
  tasks:
    - name: Test command
      shell: echo hello
      environment:
        PASSWORD: "supersecretpassword"

The logging observed on the syslog file (/var/log/messages):
Oct 12 15:13:39 remote-host sudo:   myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=remote_user ; COMMAND=/bin/bash -c echo BECOME-SUCCESS-gethoacihsravpsppeeepnhdcqkzgrpt; PASSWORD=supersecretpassword /usr/bin/python /tmp/ansible-tmp-1507821212.27-201142262398347/command.py
Oct 12 15:13:39 remote-host ansible-command: Invoked with warn=True executable=None _uses_shell=True _raw_params=echo hello removes=None creates=None chdir=None stdin=None
Thanks!

No, you CAN use the shell module instead and define the var inline:

- shell: PASSWORD=xxx /run/stuff

Another option is to 'silence' that command via `no_log: True` or even
globally avoid logging on target via the 'no_target_syslog' setting.

Hey Brian,

Unfortunately, "no_target_syslog" didn't make any difference; I am still seeing the become-success message in the syslog. However, the other ansible-command line has gone, although that one didn't contain the password. The same behaviour was observed with no_log.

Moving the variable to be inline solves the issue partially as now the task output shows it.

Is there anything else I can try out?

Thanks!

Ah, sorry, I forgot that running sudo itself produces log entries
over which Ansible has no control. My previous email just lets you
turn off the ones Ansible creates directly.
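Since the sudo entry is written by sudo itself and Ansible cannot suppress it, the practical defensive step is to audit the target's syslog for become commands that carry KEY=value assignments in front of the interpreter, which is exactly where a task's `environment:` ends up. The following Python scanner is an added example, not code from the thread or from the Ansible project: it parses sudo lines of the shape shown in the first post, extracts the environment assignments that follow the BECOME-SUCCESS marker, flags names that look like secrets, and produces a redacted copy of the line. The first two sample lines are the ones from the thread; the other two are constructed. The sensitive-name pattern, the `***` redaction format, and the finding dictionary layout are assumptions made for this example.

```python
"""Audit syslog for secrets leaked through Ansible's become wrapper.

sudo records COMMAND=... including any KEY=value assignments that Ansible
prepends for a task's `environment:`.  This scanner finds those assignments,
flags sensitive-looking names, and redacts their values.
"""
import re

# "... sudo:   <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(r"\bsudo:\s+(?P<user>\S+)\s*:\s*(?P<fields>.*)$")
# Ansible's become wrapper: "echo BECOME-SUCCESS-<token>; <env...> <interpreter> <module>"
BECOME_RE = re.compile(r"echo BECOME-SUCCESS-[a-z]+;\s*(?P<rest>.*)$")
# a shell environment assignment token, e.g. PASSWORD=supersecretpassword
ENV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(\S*)$")
# names treated as secrets (assumption for this example; extend for your estate)
SENSITIVE_NAMES = re.compile(r"(PASS|PASSWD|SECRET|TOKEN|KEY|CRED)", re.I)

# Constructed sample: lines 1-2 are from the thread, 3-4 are made up here.
SAMPLE_LINES = [
    "Oct 12 15:13:39 remote-host sudo:   myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=remote_user ; COMMAND=/bin/bash -c echo BECOME-SUCCESS-gethoacihsravpsppeeepnhdcqkzgrpt; PASSWORD=supersecretpassword /usr/bin/python /tmp/ansible-tmp-1507821212.27-201142262398347/command.py",
    "Oct 12 15:13:39 remote-host ansible-command: Invoked with warn=True executable=None _uses_shell=True _raw_params=echo hello removes=None creates=None chdir=None stdin=None",
    "Oct 12 15:20:01 remote-host sudo:   myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/bash -c echo BECOME-SUCCESS-abcdefghijklmnopqrstuvwxyzabcdef; LANG=C /usr/bin/python /tmp/ansible-tmp-0000000000.00-000000000000000/setup.py",
    "Oct 12 15:21:44 remote-host sudo:   myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/ls /root",
]


def parse_sudo_fields(line):
    """Split a sudo syslog line into its fields; COMMAND keeps everything after it.

    Returns None for lines that are not sudo entries."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    head, sep, command = m.group("fields").partition("COMMAND=")
    if not sep:
        return None
    fields = {"user": m.group("user"), "COMMAND": command}
    # the fields before COMMAND are "KEY=value ; KEY=value ; "
    for part in head.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def leaked_env(command):
    """Return the KEY=value pairs between the BECOME-SUCCESS marker and the
    interpreter, i.e. the task's environment as sudo recorded it."""
    m = BECOME_RE.search(command)
    if not m:
        return {}
    pairs = {}
    for token in m.group("rest").split():
        e = ENV_RE.match(token)
        if not e:
            break  # first non-assignment token is the interpreter
        pairs[e.group(1)] = e.group(2)
    return pairs


def scan(lines):
    """Return one finding per sudo line whose become command carries a
    sensitive-looking environment assignment."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = parse_sudo_fields(line)
        if not fields:
            continue
        env = leaked_env(fields["COMMAND"])
        hits = sorted(name for name in env if SENSITIVE_NAMES.search(name))
        if hits:
            findings.append({
                "line": number,
                "user": fields["user"],
                "become_user": fields.get("USER"),
                "names": hits,
            })
    return findings


def redact(line):
    """Replace the value of every environment assignment in a become command
    with '***' so the line can be shared or forwarded safely."""
    fields = parse_sudo_fields(line)
    if not fields:
        return line
    for name, value in leaked_env(fields["COMMAND"]).items():
        if value:
            line = line.replace(f"{name}={value}", f"{name}=***")
    return line


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f"line {finding['line']}: {finding['user']} -> {finding['become_user']} "
              f"leaked {', '.join(finding['names'])}")
    for line in SAMPLE_LINES:
        print(redact(line))
```

Running the block over the sample reports only the thread's line (PASSWORD passed while becoming remote_user); the `LANG=C` line and the plain `/bin/ls` line are parsed but not flagged. Values that sudo records with shell quoting (spaces inside) are not handled by the single-token `ENV_RE`, so treat a hit as a pointer to review the task, not as a complete inventory.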