|
(1) Event Sigma main event: |
A secret, such as a password, cryptographic key, or token, is stored in a file that is persisted to the code repository. Any user with access to the code repository may obtain and use the secret to access restricted resources. |
|
(2) Event remediation: |
Avoid committing to the code repository any files that contain secrets or sensitive data. These files should be managed outside the code repository, preferably using a secure vault or similar, and loaded onto the system as needed. |
1 import os
2
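# generic system paths
chkconfig_exec = "/sbin/chkconfig"
find_exec = "/usr/bin/find"
killall_exec = "/usr/bin/killall"
rm_exec = "/usr/bin/rm"
ruby_exec = "/usr/bin/ruby"
# Empty strings: no service/rc helper was configured for this build.
service_exec = ""
rc_service_exec = ""
rc_update_exec = ""
systemctl_exec = "/usr/bin/systemctl"
# Directories searched for systemd unit files, in priority order. The
# configured search path lists /etc/systemd/system and /usr/lib/systemd/system
# twice; duplicates are dropped while keeping the first occurrence, so the
# lookup order is unchanged and no directory is scanned twice.
systemd_unit_path = list(
    dict.fromkeys(
        "/etc/systemd/system:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:/usr/lib/systemd/system:/usr/lib/systemd/system:/lib/systemd/system".split(
            ":"
        )
    )
)
certutil_exec = "/usr/bin/certutil"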
15
16
# pcs
# Version string of this pcs build.
pcs_version = "0.12.2+100-8e491"
_pcs_bundled_root = "/usr/lib64/pcs/pcs_bundled"
# Python packages bundled with pcs (not installed system-wide).
pcs_bundled_packages_dir = os.path.join(_pcs_bundled_root, "packages")
# Note the trailing slash; keep it, callers may rely on it.
pcs_data_dir = "/usr/lib64/pcs/data/"
21
22
# pcsd
pcsd_exec_location = "/usr/lib64/pcsd"
pcsd_public_dir = "/usr/lib64/pcsd/public"
pcsd_webui_dir = "/usr/lib64/pcsd/public/ui"
pcs_capabilities = os.path.join(pcsd_exec_location, "capabilities.xml")
# Set pcsd_gem_path to None if there are no bundled ruby gems and the path does
# not exist. (With a non-empty literal the `or None` never triggers.)
pcsd_gem_path = "/usr/lib64/pcsd/vendor/bundle/" or None
pcsd_unix_socket = "/var/run/pcsd.socket"
pcsd_ruby_socket = "/var/run/pcsd-ruby.socket"
# LOGS_DIRECTORY / STATE_DIRECTORY are taken from the environment when set
# (presumably provided by the service manager); the literals are fallbacks.
_pcsd_log_dir = os.environ.get("LOGS_DIRECTORY", "/var/log/pcsd")
pcsd_log_location = os.path.join(_pcsd_log_dir, "pcsd.log")

pcsd_default_port = 2224
pcsd_config = "/etc/sysconfig/pcsd"

pcsd_var_location = os.environ.get("STATE_DIRECTORY", "/var/lib/pcsd")
# Everything below is runtime state under pcsd_var_location. Only the paths
# are defined here; pcsd.crt / pcsd.key (presumably the TLS certificate and
# private key) and known-hosts are never part of the source tree.
pcsd_cert_location = os.path.join(pcsd_var_location, "pcsd.crt")
pcsd_key_location = os.path.join(pcsd_var_location, "pcsd.key")
pcsd_known_hosts_location = os.path.join(pcsd_var_location, "known-hosts")
pcsd_dr_config_location = os.path.join(pcsd_var_location, "disaster-recovery")
pcsd_settings_conf_location = os.path.join(
    pcsd_var_location, "pcs_settings.conf"
)
pcsd_users_conf_location = os.path.join(pcsd_var_location, "pcs_users.conf")
52
# OpenSSL cipher string: platform default minus RC4 and 3DES, strongest first.
default_ssl_ciphers = "DEFAULT:!RC4:!3DES:@STRENGTH"
# Ssl options are based on default options in python (maybe with some extra
# options). Format here is the same as the PCSD_SSL_OPTIONS environment
# variable format (string with comma as a delimiter).
# The names are the `ssl.OP_*` constants; together they disable SSLv2/v3,
# TLS 1.0/1.1, compression and renegotiation.
_default_ssl_option_names = (
    "OP_NO_COMPRESSION",
    "OP_CIPHER_SERVER_PREFERENCE",
    "OP_SINGLE_DH_USE",
    "OP_SINGLE_ECDH_USE",
    "OP_NO_SSLv2",
    "OP_NO_SSLv3",
    "OP_NO_TLSv1",
    "OP_NO_TLSv1_1",
    "OP_NO_RENEGOTIATION",
)
default_ssl_options = ",".join(_default_ssl_option_names)
default_request_timeout = 60
gui_session_lifetime_seconds = 60 * 60
# replaced pcsd_token_max_bytes = 256. The bytes were always base64 encoded
# - resulting in ~345 chars, we need to make this value at least 345 chars
# to stay backwards compatible
pcsd_token_max_chars = 512
76
# pcsd task scheduler settings
# Units are given by the suffix: _ms for milliseconds, _seconds for seconds.
async_api_scheduler_interval_ms = 100
pcsd_worker_count = 10
pcsd_temporary_workers = 10
pcsd_worker_reset_limit = 100
pcsd_deadlock_threshold_timeout = 5
task_unresponsive_timeout_seconds = 3600  # one hour
task_abandoned_timeout_seconds = 60  # one minute
task_deletion_timeout_seconds = 60  # one minute
86
# pcsd cfgsync settings
# Control file lives in the pcsd state directory.
pcs_cfgsync_ctl_location = os.path.join(pcsd_var_location, "cfgsync_ctl")
# Each setting has a default and a lower bound enforced elsewhere.
pcs_cfgsync_file_backup_count_default, pcs_cfgsync_file_backup_count_minimum = (
    50,
    0,
)
pcs_cfgsync_thread_interval_default, pcs_cfgsync_thread_interval_minimum = (
    600,
    60,
)
(
    pcs_cfgsync_thread_interval_previous_not_connected_default,
    pcs_cfgsync_thread_interval_previous_not_connected_minimum,
) = (60, 20)
95
96
# corosync
# Used only in settings.py and utils.py. Make it private once utils.py is removed.
corosync_execs = "/srv/corosync/origin/camelback/sbin"
corosync_conf_dir = "/srv/corosync/origin/camelback/etc/corosync"
corosync_exec, corosync_cfgtool_exec, corosync_quorumtool_exec = (
    os.path.join(corosync_execs, tool)
    for tool in ("corosync", "corosync-cfgtool", "corosync-quorumtool")
)
corosync_conf_file = os.path.join(corosync_conf_dir, "corosync.conf")
corosync_uidgid_dir = os.path.join(corosync_conf_dir, "uidgid.d")
# Location of the cluster authkey; only the path is defined here, no key
# material lives in this file.
corosync_authkey_file = os.path.join(corosync_conf_dir, "authkey")
# Must be set to 256 for corosync to work in FIPS environment.
corosync_authkey_bytes = 256
corosync_log_file = "/srv/corosync/origin/camelback/var/log/cluster/corosync.log"
110
111
# corosync qnetd and qdevice
corosync_qnet_execs = "/srv/corosync-qdevice/origin/main/bin"
corosync_qnetd_certutil_exec = os.path.join(
    corosync_qnet_execs, "corosync-qnetd-certutil"
)
corosync_qnetd_tool_exec = os.path.join(corosync_qnet_execs, "corosync-qnetd-tool")

corosync_qdevice_execs = "/srv/corosync-qdevice/origin/main/sbin"
corosync_qdevice_tool_exec = os.path.join(
    corosync_qdevice_execs, "corosync-qdevice-tool"
)
corosync_qdevice_net_certutil_exec = os.path.join(
    corosync_qdevice_execs, "corosync-qdevice-net-certutil"
)

corosync_qdevice_conf_dir = "/srv/corosync-qdevice/origin/main/etc/corosync"
# Certificate database directories (nssdb, presumably NSS databases) for the
# qnetd server side and the qdevice client side; both expect the CA
# certificate under the same file name.
corosync_qdevice_net_server_certs_dir = os.path.join(
    corosync_qdevice_conf_dir, "qnetd/nssdb"
)
corosync_qdevice_net_client_certs_dir = os.path.join(
    corosync_qdevice_conf_dir, "qdevice/net/nssdb"
)
_qnetd_ca_file_name = "qnetd-cacert.crt"
corosync_qdevice_net_server_ca_file_name = _qnetd_ca_file_name
corosync_qdevice_net_client_ca_file_name = _qnetd_ca_file_name
136
137
# pacemaker
# Used only in settings.py and utils.py. Make it private once utils.py is removed.
pacemaker_execs = "/srv/pacemaker/origin/3.0/sbin"
# Path only; the key itself is not part of this file.
pacemaker_authkey_file = "/srv/pacemaker/origin/3.0/etc/pacemaker/authkey"
# Using the same value as for corosync. Higher values MAY work in FIPS.
pacemaker_authkey_bytes = 256
# The second component is absolute, so os.path.join discards the leading "/".
pacemaker_local_state_dir = os.path.join(
    "/", "/srv/pacemaker/origin/3.0/var", "lib/pacemaker"
)
pacemaker_daemon_dir = "/srv/pacemaker/origin/3.0/libexec/pacemaker"


def _pacemaker_daemon(name):
    # Daemons are installed under libexec.
    return os.path.join(pacemaker_daemon_dir, name)


def _pacemaker_tool(name):
    # Command-line tools are installed under sbin.
    return os.path.join(pacemaker_execs, name)


pacemaker_schedulerd_exec = _pacemaker_daemon("pacemaker-schedulerd")
pacemaker_controld_exec = _pacemaker_daemon("pacemaker-controld")
pacemaker_based_exec = _pacemaker_daemon("pacemaker-based")
pacemaker_fenced_exec = _pacemaker_daemon("pacemaker-fenced")

pacemakerd_exec = _pacemaker_tool("pacemakerd")
iso8601_exec = _pacemaker_tool("iso8601")
crm_attribute_exec = _pacemaker_tool("crm_attribute")
crm_resource_exec = _pacemaker_tool("crm_resource")
crm_mon_exec = _pacemaker_tool("crm_mon")
crm_report_exec = _pacemaker_tool("crm_report")
crm_rule_exec = _pacemaker_tool("crm_rule")
crm_diff_exec = _pacemaker_tool("crm_diff")
crm_simulate_exec = _pacemaker_tool("crm_simulate")
crm_ticket_exec = _pacemaker_tool("crm_ticket")
crm_verify_exec = _pacemaker_tool("crm_verify")
crm_node_exec = _pacemaker_tool("crm_node")
cibadmin_exec = _pacemaker_tool("cibadmin")
stonith_admin_exec = _pacemaker_tool("stonith_admin")

pacemaker_api_result_schema = (
    "/srv/pacemaker/origin/3.0/share/pacemaker/api/api-result.rng"
)
cib_dir = "/srv/pacemaker/origin/3.0/var/lib/pacemaker/cib"
# User and group pacemaker runs as.
pacemaker_uname = "hacluster"
pacemaker_gname = "haclient"
# Exit status treated as "wait timed out".
pacemaker_wait_timeout_status = 124
173
174
# resource / stonith agents
# Directory holding the fence agent executables.
fence_agent_execs = os.path.join("/srv/fence-agents/origin/main", "sbin")
177
178
# sbd
_sbd_root = "/srv/sbd/origin/main-pacemaker-3.0"
sbd_exec = os.path.join(_sbd_root, "sbin/sbd")
sbd_config = os.path.join(_sbd_root, "etc/sysconfig/sbd")
# this limit is also mentioned in docs, change there as well
sbd_max_device_num = 3
# message types are also mentioned in docs, change there as well
sbd_message_types = "test reset off crashdump exit clear".split()
sbd_watchdog_default = "/dev/watchdog"
187
188
# booth
# Booth does not support keys longer than 64 bytes.
booth_authkey_bytes = 64
# Owner read/write only; the key file must not be readable by other users.
booth_authkey_file_mode = 0o600
_booth_root = "/srv/booth/origin/main-pacemaker-3.0"
booth_exec = os.path.join(_booth_root, "sbin/booth")
booth_config_dir = os.path.join(_booth_root, "etc/booth")
booth_enable_authfile_set_enabled = False
# "unset" follows "set": it is enabled whenever the set variant is.
booth_enable_authfile_unset_enabled = False or booth_enable_authfile_set_enabled
197
198
# path manager
# File names (relative to pcs_data_dir) of the OCF 1.0 / 1.1 schema files
# (.rng, presumably RELAX NG); resolved to full paths by _PathManager.
_ocf_1_0_schema_filename, _ocf_1_1_schema_filename = (
    "ocf-1.0.rng",
    "ocf-1.1.rng",
)
202
203
class _PathManager:
    """Resolve data-file paths against the module-level ``pcs_data_dir``.

    Every property reads the module globals at access time, so a later
    change of ``pcs_data_dir`` is reflected in the returned paths.
    """

    @staticmethod
    def _data_file(filename):
        # Single place that joins the data directory with a file name.
        return os.path.join(pcs_data_dir, filename)

    @property
    def ocf_1_0_schema(self):
        """Full path of the OCF 1.0 schema file."""
        return self._data_file(_ocf_1_0_schema_filename)

    @property
    def ocf_1_1_schema(self):
        """Full path of the OCF 1.1 schema file."""
        return self._data_file(_ocf_1_1_schema_filename)

    @property
    def pcs_data_dir(self):
        """The data directory itself, as configured at module level."""
        return pcs_data_dir
216
217
# Shared instance; callers presumably access it as settings.path.<property>.
path = _PathManager()
219