When an alert is triggered, it may end up containing sensitive information that is being passed via process arguments, for example passwords via mysql -p=apassword, or docker containers started with docker run -e AWS_SECRET_ACCESS_KEY=asecretkey. To prevent that, the Capsule8 Sensor offers a way to provide regular expressions for information you would like redacted from program arguments.
This guide will cover basic usage and offer some example use cases. See the Go Regular Expressions package documentation for a complete overview of supported regular expression syntax.
Program argument redactions apply to all output sources and can be easily turned on using:
alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=(.*)"
  outputs:
    - type: stdout
      enabled: true
This example takes the use cases above of mysql passwords and AWS secret keys and changes the alert such that
It is worth noting that the sensor uses regular expression capture groups in order to preserve as much data as possible, so only the captured part of the match is replaced. If, for example, you wanted to wipe the entire AWS_SECRET_ACCESS_KEY=asecretkey, you could instead use:
alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=.*"
  outputs:
    - type: stdout
      enabled: true
Which would transform the example alerts from
If one of the regular expressions is not valid, it is treated as a fatal error and will prevent the Capsule8 Sensor from starting. The error message will include the regex that failed to compile and the corresponding compile error.
Capsule8 Sensor version 2019.09.16-dev+84a94d3-dirty (Build: )
INFO fetching metadata
INFO fetched metadata
...
INFO Starting Embedded Analytics
FATA Unable to start analytics: Invalid Redaction Regex 'AWS_ACCESS_KEY=(.**)' -- error parsing regexp: invalid nested r
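To make the two behaviours described above concrete (capture groups redact only the captured text, a pattern without groups wipes the whole match, and an invalid pattern is rejected before anything starts), here is an added illustration written for this guide. It is not the Capsule8 Sensor's own code; it only reproduces the documented semantics with the standard Go regexp package, and the "<redacted>" placeholder, the Redactor type and the fail-fast NewRedactor constructor are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholder is what redacted text is replaced with (assumed value for
// this example; the sensor's actual replacement text is not shown on the page).
const placeholder = "<redacted>"

// Redactor holds the compiled redaction patterns. Hypothetical type: it
// models the redaction_regexs list, not the sensor's implementation.
type Redactor struct {
	patterns []*regexp.Regexp
}

// NewRedactor compiles every pattern up front and fails on the first one
// that does not compile, reporting the offending pattern and the parser
// error, like the fatal startup error shown in the log above.
func NewRedactor(patterns []string) (*Redactor, error) {
	r := &Redactor{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("Invalid Redaction Regex %q -- %v", p, err)
		}
		r.patterns = append(r.patterns, re)
	}
	return r, nil
}

// RedactArg applies all patterns to a single program argument. A pattern
// with no capture groups replaces its entire match; a pattern with capture
// groups replaces only the captured spans and keeps the surrounding text.
func (r *Redactor) RedactArg(arg string) string {
	for _, re := range r.patterns {
		if re.NumSubexp() == 0 {
			arg = re.ReplaceAllString(arg, placeholder)
			continue
		}
		arg = redactGroups(re, arg)
	}
	return arg
}

// RedactArgs redacts every argument of a process argv.
func (r *Redactor) RedactArgs(args []string) []string {
	out := make([]string, len(args))
	for i, a := range args {
		out[i] = r.RedactArg(a)
	}
	return out
}

// redactGroups rewrites s so that the text of every participating capture
// group of re is replaced by placeholder, leaving the rest of the match intact.
func redactGroups(re *regexp.Regexp, s string) string {
	var b strings.Builder
	last := 0
	for _, m := range re.FindAllStringSubmatchIndex(s, -1) {
		// m[0],m[1] is the whole match; m[2g],m[2g+1] is group g.
		pos := last
		for g := 1; g < len(m)/2; g++ {
			start, end := m[2*g], m[2*g+1]
			if start < 0 || start < pos {
				continue // group did not participate, or is nested in one already handled
			}
			b.WriteString(s[pos:start])
			b.WriteString(placeholder)
			pos = end
		}
		b.WriteString(s[pos:m[1]])
		last = m[1]
	}
	b.WriteString(s[last:])
	return b.String()
}

func main() {
	// Constructed argv samples based on the two cases in this guide.
	r, err := NewRedactor([]string{"--password=(.*)", "AWS_SECRET_ACCESS_KEY=(.*)"})
	if err != nil {
		fmt.Println("FATA", err)
		return
	}
	fmt.Println(r.RedactArgs([]string{"mysql", "--password=hunter2"}))
	fmt.Println(r.RedactArgs([]string{"docker", "run", "-e", "AWS_SECRET_ACCESS_KEY=asecretkey"}))
	// The broken pattern from the log above is rejected at construction time.
	if _, err := NewRedactor([]string{"AWS_ACCESS_KEY=(.**)"}); err != nil {
		fmt.Println("FATA", err)
	}
}
```

One caveat worth checking against your own alerts: "--password=(.*)" matches only the long form of the flag, so the short form mysql -p=apassword from the introduction would pass through unredacted. A non-capturing alternation such as "(?:-p|--password)=(.*)" covers both spellings while still keeping the flag name visible in the alert; test each pattern against a representative argv before relying on it.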