When an alert is triggered, it may contain sensitive information that was passed via process arguments, for example a password via mysql --password=apassword or a secret key via a container started with docker run -e AWS_SECRET_ACCESS_KEY=asecretkey. To prevent that, the Capsule8 Sensor lets you provide regular expressions for the information you would like redacted from program arguments.
This guide covers basic usage and offers some example use cases. See the Go Regular Expressions package documentation for a complete overview of supported regular expression syntax; note that Go uses RE2 syntax, so features such as backreferences and lookaround are not available.
Alert Program Argument Redaction Examples
Program argument redactions apply to all output sources and are turned on with:

alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=(.*)"
  outputs:
    - type: stdout
      enabled: true
This example covers the MySQL password and AWS secret key use cases above: --password=apassword becomes --password=********** and AWS_SECRET_ACCESS_KEY=asecretkey becomes AWS_SECRET_ACCESS_KEY=**********. Only the contents of the capture group are replaced with asterisks, so the option or variable name is still visible in the alert.
The sensor uses regular expression capture groups so that as much of the argument as possible is preserved. If you would rather wipe the entire AWS_SECRET_ACCESS_KEY=asecretkey, drop the capture group:

alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=.*"
  outputs:
    - type: stdout
      enabled: true
This transforms --password=apassword into --password=********** as before, but AWS_SECRET_ACCESS_KEY=asecretkey into just **********, because without a capture group the whole match is redacted.
Alert Program Argument Redaction Errors
If one of the regular expressions is not valid, it is treated as a fatal error and prevents the Capsule8 Sensor from starting. The log line includes the regex that failed to compile and the corresponding error message:
Capsule8 Sensor version 2019.09.16-dev+84a94d3-dirty (Build: )
INFO[0000] fetching metadata
INFO[0000] fetched metadata
...
INFO[0002] Starting Embedded Analytics
FATA[0002] Unable to start analytics: Invalid Redaction Regex 'AWS_ACCESS_KEY=(.**)' -- error parsing regexp: invalid nested r
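The following Go program is an added example written for this guide; it is not the Capsule8 Sensor's own code. It shows the two behaviours described above, masking only the capture group when one is present and the whole match otherwise, and fails at startup on a pattern that does not compile, using the same Go regexp package the docs point to. The Redactor type, the fixed ten-asterisk mask, and the choice to apply each regex per argument are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// mask is the fixed ten-asterisk string the docs show in redacted alerts.
const mask = "**********"

// Redactor holds the compiled redaction regexes. This type and its methods
// are an illustrative design (assumption), not the Capsule8 Sensor's code.
type Redactor struct {
	regexes []*regexp.Regexp
}

// NewRedactor compiles every pattern up front with Go's RE2-based regexp
// package. Any pattern that fails to compile is returned as an error so the
// caller can refuse to start, mirroring the fatal startup error in the docs.
func NewRedactor(patterns []string) (*Redactor, error) {
	r := &Redactor{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("Invalid Redaction Regex '%s' -- %v", p, err)
		}
		r.regexes = append(r.regexes, re)
	}
	return r, nil
}

// redactWith masks every match of re in s. When the regex has a capture
// group and group 1 participated in the match, only that group is masked;
// otherwise the whole match is masked.
func redactWith(re *regexp.Regexp, s string) string {
	matches := re.FindAllStringSubmatchIndex(s, -1)
	if matches == nil {
		return s
	}
	var b strings.Builder
	last := 0
	for _, m := range matches {
		start, end := m[0], m[1]
		// m[2], m[3] are the bounds of group 1, or -1 if it did not match.
		if re.NumSubexp() >= 1 && m[2] >= 0 {
			start, end = m[2], m[3]
		}
		b.WriteString(s[last:start])
		b.WriteString(mask)
		last = end
	}
	b.WriteString(s[last:])
	return b.String()
}

// RedactArg runs every configured regex over one program argument.
func (r *Redactor) RedactArg(arg string) string {
	for _, re := range r.regexes {
		arg = redactWith(re, arg)
	}
	return arg
}

// RedactArgs redacts each element of an argv slice independently (assumed
// behaviour), so a trailing ".*" only consumes the rest of that argument.
func (r *Redactor) RedactArgs(args []string) []string {
	out := make([]string, len(args))
	for i, a := range args {
		out[i] = r.RedactArg(a)
	}
	return out
}

func main() {
	// Constructed argv samples modelled on the docs' mysql and docker examples.
	rd, err := NewRedactor([]string{"--password=(.*)", "AWS_SECRET_ACCESS_KEY=.*"})
	if err != nil {
		fmt.Println("FATAL:", err)
		return
	}
	fmt.Println(rd.RedactArgs([]string{"mysql", "-u", "root", "--password=apassword"}))
	fmt.Println(rd.RedactArgs([]string{"docker", "run", "-e", "AWS_SECRET_ACCESS_KEY=asecretkey", "app"}))

	// The invalid pattern from the docs' error example is rejected at compile time.
	if _, err := NewRedactor([]string{"AWS_ACCESS_KEY=(.**)"}); err != nil {
		fmt.Println("FATAL:", err)
	}
}
```

Validating every pattern before any alert is emitted is the important design choice: a regex that fails to compile would otherwise leave the secret it was meant to hide flowing into every output, so refusing to start is the safer failure mode.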