Two bad practices: use of hard-coded passwords and admin as default user

[akondasif]

Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts.

I noticed two instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.

I have removed the hard-coded passwords to mitigate this smell. Feedback is welcome.
Pull request: #229

Here is where I noticed hard-coded passwords: https://github.com/biemond/biemond-oradb/blob/master/manifests/database.pp

[akondasif]

I also noticed instances of keeping admin users as default in Puppet classes. I think this is a smell related to security. The smell can violate the ‘principle of least privilege (https://en.wikipedia.org/wiki/Principle_of_least_privilege)’ property, which recommends practitioners to design and implement system in a manner so that by default the least amount of access necessary is provided to any entity.

Would you agree with my finding?

Source: https://github.com/biemond/biemond-oradb/blob/master/manifests/database_pluggable.pp

[biemond]

Hi,
this is not a big issue and for production you can change this or change it after provisioning.
But we can better show a warning when the defaults are used or we can generate some random passwords and show the user these but then these passwords are in the puppet output.

Thanks

[akondasif]

Thanks for the insightful feedback.
I am closing the issue, but feel free to re-open the issue if necessary.