
Investigations Sensitive Data Redactions

Collected investigations data may contain sensitive information, either in process arguments or in the alert message field when templates are used. For example, passwords passed on the command line via mysql -p=password, or containers started with docker run -e AWS_SECRET_ACCESS_KEY=secretkey. To prevent such values from being recorded, Sophos Linux Sensor (SLS) lets you provide regular expressions that redact the information you want excluded.

This guide will cover basic usage and offer some example use cases. For a complete overview of supported regular expression syntax, see Go Regular Expressions package.

Examples

Investigations redactions apply to any field in all active tables that may contain sensitive information, such as program arguments and alert messages. For example, take the previous use case of MySQL passwords and AWS secret keys and configure redactions so that --password=apassword and AWS_SECRET_ACCESS_KEY=asecretkey become --password=* and AWS_SECRET_ACCESS_KEY=* respectively.

Here's an example:

cloud_meta: auto
investigations:
  reporting_interval: 10s
  sinks:
    - name: <investigations-metadata-bucket-name>
      backend: aws
      automated: true
      type: parquet
  flight_recorder:
    redactions:
      - "--password=(.*)"
      - "AWS_SECRET_ACCESS_KEY=(.*)"
    enabled: true
    tables:
      - name: "shell_commands"
        enabled: true
      - name: "tty_data"
        enabled: true
      - name: "sensors"
        enabled: true
      - name: "sensor_metadata"
        enabled: true
      - name: "connections"
        enabled: true
      - name: "process_events"
        enabled: true
      - name: "container_events"
        enabled: true

Note that SLS redacts only the text matched by regular expression capture groups, so as much of the surrounding data as possible is preserved. If you instead want to wipe the entire AWS_SECRET_ACCESS_KEY=asecretkey string, drop the capture group:

cloud_meta: auto
investigations:
  reporting_interval: 10s
  sinks:
    - name: <investigations-metadata-bucket-name>
      backend: aws
      automated: true
      type: parquet
  flight_recorder:
    redactions:
      - "--password=(.*)"
      - "AWS_SECRET_ACCESS_KEY=.*"
    enabled: true
    tables:
      - name: "shell_commands"
        enabled: true
      - name: "tty_data"
        enabled: true
      - name: "sensors"
        enabled: true
      - name: "sensor_metadata"
        enabled: true
      - name: "connections"
        enabled: true
      - name: "process_events"
        enabled: true
      - name: "container_events"
        enabled: true

The --password pattern redacts the same data as before, but for the AWS key the entire matched string is replaced with * instead of producing AWS_SECRET_ACCESS_KEY=*.

Errors

If one of the regular expressions is not valid, SLS treats it as a fatal error and doesn't start. The log includes the regex that failed to compile and the corresponding parser error message.

Here's an example error message:

Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
...
2020-07-29T16:36:18.322Z INFO component="flight-recorder" initializing...
panic: flrec: invalid redaction regex `(?:*--password=(.*)|AWS_SECRET_ACCESS_KEY=(.*))` -- error parsing regexp: missing argument to repetition operator: '*'
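To make the two redaction behaviours and the startup failure concrete, here is an added Go example (not SLS's own code) that applies a list of patterns the way this page describes: captured text becomes * when a pattern has capture groups, the whole match becomes * when it has none, and an invalid pattern is rejected with the failing regex and the parser's message. The exact redaction semantics, the error wording and the sample command lines are assumptions modelled on this page, not SLS internals.

```go
package main

import "fmt"
import "regexp"

// CompileRedactions compiles every pattern up front; an invalid one is reported with the failing regex and parser message.
func CompileRedactions(patterns []string) ([]*regexp.Regexp, error) {
	var res []*regexp.Regexp
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid redaction regex `%s` -- %v", p, err)
		}
		res = append(res, re)
	}
	return res, nil
}

// Redact replaces only captured text with "*" when a pattern has capture groups, and the whole match when it has none.
func Redact(res []*regexp.Regexp, s string) string {
	for _, re := range res {
		out, last := "", 0
		for _, idx := range re.FindAllStringSubmatchIndex(s, -1) {
			spans := idx[2:] // start/end pairs of the capture groups
			if len(spans) == 0 {
				spans = idx[:2] // no groups: redact the whole match
			}
			for i := 0; i < len(spans); i += 2 {
				start, end := spans[i], spans[i+1]
				if start < 0 || start < last {
					continue // group did not participate, or is nested in a span already redacted
				}
				out += s[last:start] + "*"
				last = end
			}
		}
		out += s[last:]
		s = out
	}
	return s
}

func main() {
	// Constructed sample command line; same patterns as the second config above.
	res, err := CompileRedactions([]string{"--password=(.*)", "AWS_SECRET_ACCESS_KEY=.*"})
	if err != nil {
		panic(err) // mirrors SLS refusing to start on an invalid pattern
	}
	fmt.Println(Redact(res, "docker run -e AWS_SECRET_ACCESS_KEY=asecretkey"))
}
```

Because (.*) is greedy, a capture-group pattern such as --password=(.*) also redacts everything that follows the value on the same line, so place the sensitive argument last or tighten the pattern if that matters.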