Investigations data can end up containing sensitive information, either through process arguments or through the alert message field when templates are used. Two common cases are a database password passed on the command line (mysql --password=apassword) and a container started with a secret in its environment (docker run -e AWS_SECRET_ACCESS_KEY=asecretkey). To prevent this, the Capsule8 Sensor lets you supply regular expressions that describe the text to be redacted before it is written to any sink.
This guide covers basic usage and offers some example use cases. See the Go Regular Expressions package documentation for a complete overview of the supported syntax; it is RE2, so look-around assertions and backreferences are not available.
Examples
Redactions apply to every field of every enabled table that can carry sensitive data, such as program arguments and alert messages. To enable them, list the patterns under flight_recorder.redactions:

```yaml
cloud_meta: auto
investigations:
  reporting_interval: 10s
  sinks:
    - name: <investigations-metadata-bucket-name>
      backend: aws
      automated: true
      type: parquet
  flight_recorder:
    redactions:
      - "--password=(.*)"
      - "AWS_SECRET_ACCESS_KEY=(.*)"
    enabled: true
    tables:
      - name: "shell_commands"
        enabled: true
      - name: "tty_data"
        enabled: true
      - name: "sensors"
        enabled: true
      - name: "sensor_metadata"
        enabled: true
      - name: "connections"
        enabled: true
      - name: "process_events"
        enabled: true
      - name: "container_events"
        enabled: true
```
This example covers the two cases above, MySQL passwords and AWS secret keys: --password=apassword and AWS_SECRET_ACCESS_KEY=asecretkey in the recorded data become --password=********** and AWS_SECRET_ACCESS_KEY=********** respectively. Only the text inside the capture group is replaced, so an analyst can still see that a password or key was passed without seeing its value. Keep in mind that .* is greedy and matches to the end of the line, so anything that follows the secret on the same command line is masked along with it.

The sensor uses regular expression capture groups in order to preserve as much data as possible: when a pattern contains capture groups, only the captured text is replaced, and when it contains none, the whole match is replaced. If, for example, you wanted to wipe the entire AWS_SECRET_ACCESS_KEY=asecretkey string, you could instead use:
```yaml
cloud_meta: auto
investigations:
  reporting_interval: 10s
  sinks:
    - name: <investigations-metadata-bucket-name>
      backend: aws
      automated: true
      type: parquet
  flight_recorder:
    redactions:
      - "--password=(.*)"
      - "AWS_SECRET_ACCESS_KEY=.*"
    enabled: true
    tables:
      - name: "shell_commands"
        enabled: true
      - name: "tty_data"
        enabled: true
      - name: "sensors"
        enabled: true
      - name: "sensor_metadata"
        enabled: true
      - name: "connections"
        enabled: true
      - name: "process_events"
        enabled: true
      - name: "container_events"
        enabled: true
```
The password argument is redacted as before, but instead of AWS_SECRET_ACCESS_KEY=********** the entire matched string is replaced with **********.
Errors
If one of the regular expressions is not valid, it is treated as a fatal error and prevents the Capsule8 Sensor from starting. The panic message includes the regex that failed to compile and the corresponding error from the Go regexp package. The sensor joins all configured redactions into a single alternation before compiling, so the message shows the combined pattern rather than the single bad entry; in the output below the offending entry is *--password=(.*), whose leading * is a repetition operator with nothing to repeat.

```text
Capsule8 Sensor version 4.4.0-rc3-68-gc821f9f19 (Build: )
...
2020-07-29T16:36:18.322Z INFO component="flight-recorder" initializing...
panic: flrec: invalid redaction regex '(?:*--password=(.*)|AWS_SECRET_ACCESS_KEY=(.*))' -- error parsing regexp: missing argument to repetition operator: `*`
```
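The following is an added example, not code from the Capsule8 Sensor, that reproduces the two behaviours described on this page: the capture-group versus whole-match replacement semantics of the redaction patterns, and the fail-fast compile check that turns one invalid pattern into a startup error. It applies the patterns one after another (an assumption; the panic above shows the sensor joining them into a single alternation) and uses constructed sample command lines rather than data captured by the sensor. The names Redactor, NewRedactor and Redact are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// mask replaces every redacted span, matching the asterisks shown on this page.
const mask = "**********"

// Redactor holds a list of compiled redaction patterns (example type, not the sensor's).
type Redactor struct {
	patterns []*regexp.Regexp
}

// NewRedactor compiles every pattern before any data is processed. As with the
// sensor's startup check, a single invalid pattern rejects the whole list, and
// the error names the offending pattern together with the regexp package's own
// message.
func NewRedactor(patterns []string) (*Redactor, error) {
	r := &Redactor{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid redaction regex %q -- %w", p, err)
		}
		r.patterns = append(r.patterns, re)
	}
	return r, nil
}

// Redact applies the patterns in order (assumption: sequential rather than a
// single alternation). A pattern with capture groups masks only the captured
// text and keeps the rest of the match; a pattern without groups masks the
// whole match.
func (r *Redactor) Redact(s string) string {
	for _, re := range r.patterns {
		s = redactOne(re, s)
	}
	return s
}

func redactOne(re *regexp.Regexp, s string) string {
	if re.NumSubexp() == 0 {
		return re.ReplaceAllLiteralString(s, mask)
	}
	var out strings.Builder
	last := 0
	for _, m := range re.FindAllStringSubmatchIndex(s, -1) {
		// m[0], m[1] bound the whole match; m[2g], m[2g+1] bound group g
		// (-1 when that group took no part in the match).
		out.WriteString(s[last:m[0]])
		cursor := m[0]
		for g := 1; g <= re.NumSubexp(); g++ {
			start, end := m[2*g], m[2*g+1]
			// Skip groups that did not match and groups nested inside a span
			// that has already been masked.
			if start < 0 || start < cursor {
				continue
			}
			out.WriteString(s[cursor:start])
			out.WriteString(mask)
			cursor = end
		}
		out.WriteString(s[cursor:m[1]])
		last = m[1]
	}
	out.WriteString(s[last:])
	return out.String()
}

func main() {
	// Constructed sample command lines, not data captured by the sensor.
	samples := []string{
		"mysql --password=apassword",
		"docker run -e AWS_SECRET_ACCESS_KEY=asecretkey",
		"mysql --password=apassword -h db.example.com",
	}
	for _, patterns := range [][]string{
		{`--password=(.*)`, `AWS_SECRET_ACCESS_KEY=(.*)`}, // keep the option/key name
		{`--password=(\S+)`, `AWS_SECRET_ACCESS_KEY=.*`}, // stop at whitespace; wipe whole match
		{`*--password=(.*)`},                              // invalid, as in the panic above
	} {
		r, err := NewRedactor(patterns)
		if err != nil {
			fmt.Println("fatal:", err)
			continue
		}
		for _, s := range samples {
			fmt.Printf("%-48s -> %s\n", s, r.Redact(s))
		}
	}
}
```

The third sample shows why the choice of group matters for forensic value: with --password=(.*) the greedy group swallows the trailing -h db.example.com, so the host the client connected to is lost from the record, whereas --password=(\S+) masks only the password token and keeps the rest of the command line intact.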