tirtht
Occasional contributor

Hide sensitive information in logs

We are using a Basic MSI project that creates an exe file. We are using a deferred custom action and CustomActionData to pass the data to a C# custom action. We need to hide the password in the log file and we have tried the following ways (we also looked into the available solutions, with which we were able to hide only a few instances of the password, but at a few places passwords are still being logged), but unfortunately the password is still displayed inside the log file.

(1) MsiHiddenProperties property with the password property value and the custom action that uses that property (all the values with a semicolon delimiter).

(2) We have tried adding 8192 to the custom action type and also added the property names into the Target column.

(3) I have also checked that the password property exists in the secure property.

0 Kudos
12 Replies
Flexera Jenifer
Flexera

Re: Hide sensitive information in logs

Hi @tirtht ,

 

"but still at few places passwords are being logged": can you tell us which instances, for example which execution sequence level, don't work?

In general MsiHiddenProperties should do the work; the link below gives more information:

https://docs.microsoft.com/en-us/windows/win32/msi/preventing-confidential-information-from-being-wr...

Note:

Use the custom action type flag 0x2000 / 8192 Custom Action Hidden Target Option to prevent logging the value of a deferred action's CustomActionData property, for example. Again this does not propagate to any further logging based on values the custom action extracts from this property. Note that you must add (technically bitwise OR) the value 8192 to the existing value in the Type column of the CustomAction table; the other bits of that value contain important information as well, such as its base type and its execution options.

Thanks,

Jenifer

tirtht
Occasional contributor

Re: Hide sensitive information in logs

Hello!

Thanks for your prompt response.

PFA - solution on which the password is being logged.

Moreover, we have also tried adding 8192 to the custom action type, but it still gets logged.

Once again, your help in this matter will be highly appreciated.

0 Kudos
Flexera Jenifer
Flexera

Re: Hide sensitive information in logs

Hi @tirtht ,

 

Thanks for sharing the sample files. I quickly checked the data in the project files, where things seem to be fine.

  • I couldn't open the solution file in VS2015, VS2019 or VS2012.
  • But on building the ism file, I could get a setup without the files being added.
  • After installing the setup, I could see the password property DEMODATA in the log file, where it is masked or hidden properly.
  • Where exactly DEMODATA isn't getting masked is what is missing here. It would be better if you could clarify this.

Hope I am in sync with your setup, other than the files from the ClassLibrary1 project being added.

 

Thanks,

Jenifer

tirtht
Occasional contributor

Re: Hide sensitive information in logs

Hello Jenifer,

Apologies for the inconvenience caused.

I am in concordance with all your points. As you rightly mentioned, the property is a password (MsiHiddenProperties is also implemented) and still the DEMODATA property is not masked.

Kindly provide a solution or point out anything we implemented wrong. Thanks in advance.

0 Kudos
Flexera Jenifer
Flexera

Re: Hide sensitive information in logs

Hi @tirtht ,

As MsiHiddenProperties is not available in Deferred mode, its value has to be passed in CustomActionData. InstallShield will hide the property value if the MsiHiddenProperties is passed in the CustomActionData. To do this for a Managed code custom action, add the following to the Custom Action that sets the CustomActionData:

MsiHiddenProperties="[MsiHiddenProperties]"

 

I couldn't see a set-property custom action that tries to set MsiHiddenProperties in CustomActionData.

 

Below link can help you:

https://helpnet.flexerasoftware.com/installshield22helplib/helplibrary/AccessingProps-DeferredCAs.ht...

 

What you should do is insert a type 51 custom action (Set Property) in IMMEDIATE context. The name of the property you set should be the NAME of the deferred custom action you want to use. So if the name of the deferred CA is MyAction, the name of the property you set should be MyAction.

Thanks,

Jenifer
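The settings discussed up to this point in the thread (MsiHiddenProperties, the 8192 type flag, and the type 51 action named after the deferred action) can be checked together over rows exported from the CustomAction and Property tables. This Python audit is an added example, not code from the posters or from InstallShield. The action name SetCallToDef, the sample rows, and the rule that the property named after the deferred action must itself be listed in MsiHiddenProperties are assumptions of this example.

```python
import re

# CustomAction.Type bits from the Windows Installer SDK.
BASE_TYPE_MASK = 0x3F   # base type plus source-location bits
IN_SCRIPT = 0x400       # deferred, commit or rollback execution
HIDE_TARGET = 0x2000    # 8192, the Hidden Target option
SET_PROPERTY = 51       # type 51: set a property from formatted text

def audit(custom_actions, properties, secret_props):
    """custom_actions: (Action, Type, Source, Target) rows; returns findings."""
    secrets = set(secret_props)
    raw = properties.get("MsiHiddenProperties", "")
    hidden = {p.strip() for p in raw.split(";") if p.strip()}
    types = {action: ca_type for action, ca_type, _, _ in custom_actions}
    findings = [f"{p}: not listed in MsiHiddenProperties"
                for p in sorted(secrets - hidden)]
    for action, ca_type, source, target in custom_actions:
        if (ca_type & BASE_TYPE_MASK) != SET_PROPERTY:
            continue
        # Type 51: Source is the property being set, Target the formatted text.
        if not secrets & set(re.findall(r"\[([A-Za-z_][\w.]*)\]", target)):
            continue
        if not (ca_type & HIDE_TARGET):
            findings.append(f"{action}: Type {ca_type} lacks 0x2000, "
                            f"use {ca_type | HIDE_TARGET}")
        if source not in hidden:
            findings.append(f"{source}: not listed in MsiHiddenProperties")
        consumer = types.get(source)  # deferred action named like the property
        if (consumer is not None and (consumer & IN_SCRIPT)
                and not (consumer & HIDE_TARGET)):
            findings.append(f"{source}: Type {consumer} lacks 0x2000, "
                            f"use {consumer | HIDE_TARGET}")
    return findings

# Constructed sample rows (SetCallToDef, the PWD/DIR keys and type 1025 are
# assumptions; CallToDef and DEMODATA are the names used in this thread).
WEAK = [("SetCallToDef", 51, "CallToDef", "PWD=[DEMODATA];DIR=[INSTALLDIR]"),
        ("CallToDef", 1025, "ClassLibrary1", "GetTest")]
WEAK_PROPS = {"MsiHiddenProperties": "DEMODATA"}
FIXED = [(a, t | HIDE_TARGET, s, tgt) for a, t, s, tgt in WEAK]
FIXED_PROPS = {"MsiHiddenProperties": "DEMODATA;CallToDef"}

if __name__ == "__main__":
    for line in audit(WEAK, WEAK_PROPS, ["DEMODATA"]):
        print(line)
    assert audit(FIXED, FIXED_PROPS, ["DEMODATA"]) == []
```

Even with every finding cleared, anything the custom action itself writes to the log after reading CustomActionData is outside what these table settings control, as the note on the 8192 flag above points out.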

tirtht
Occasional contributor

Re: Hide sensitive information in logs

Thanks for your response.

Currently, I am trying your solution and will revert with the result.

Meanwhile, could you please give me a reference where I can find (just for my reference, so that in future we avoid this type of implementation) the supported and non-supported items with deferred custom actions, especially for the MsiHiddenProperties one.

0 Kudos
Flexera Jenifer
Flexera

Re: Hide sensitive information in logs

Hi @tirtht ,

 

To get an idea of the different custom action types, the link below can help:

https://helpnet.flexerasoftware.com/installshield22helplib/helplibrary/IHelpCustomActionsInScriptExe...

Note:

Deferred, commit, and rollback custom actions in Basic MSI and InstallScript MSI installations have access to only some of the built-in Windows Installer properties: CustomActionData, ProductCode, and UserSID.

More information can be found in:

https://helpnet.flexerasoftware.com/installshield21helplib/helplibrary/AccessingProps-DeferredCAs.ht...

 

Thanks,

Jenifer

0 Kudos
tirtht
Occasional contributor

Re: Hide sensitive information in logs

Hello,

I have tried your solution -

Below is a snap of all the steps, but it gives an exception.

Exception detail - CustomAction CallToDef returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Firstly, the value of MsiHiddenProperties -

I have set it to - [DEMODATA] - only the password property.

Step 2 - I have changed the set-property custom action (type 51) to the values below

Property Name - CallToDef (same as custom action)

Property Value - MsiHiddenProperties="[MsiHiddenProperties]";[CURRENTDIRECTORY]

Is there any other change I need to make?

0 Kudos
tirtht
Occasional contributor

Re: Hide sensitive information in logs

One more update -

I have changed the value of MsiHiddenProperty for now to this => MsiHiddenProperties="[MsiHiddenProperties]"

and it called my custom action without any error / exception. :)

But now the problem is inside the code (C#): when I fetch the value of CustomActionData, it gives me this =>

"MsiHiddenProperties=\"[DEMODATA]\""

So as you can see, this is not the actual value of DEMODATA. Instead, this is the name of the property.

PFB - snapshot of the C# code that I used.

Code line which I used to fetch CustomActionData -

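public bool GetTest(int msiHandler)
{
    // Attach a debugger when the custom action starts.
    System.Diagnostics.Debugger.Launch();
    using (Msi.Install msi = Msi.CustomActionHandle(msiHandler))
    {
        // Read the data passed to this deferred action via CustomActionData.
        string data = msi.GetProperty("CustomActionData");
    }
    return true;
}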


 

0 Kudos