
Alert program argument redaction

When an alert is triggered, it may contain sensitive information that was passed to the process as command-line arguments, for example a password given as mysql -p=apassword, or a container started with docker run -e AWS_SECRET_ACCESS_KEY=asecretkey. To keep such values out of alert output, Sophos Linux Sensor (SLS) lets you supply regular expressions describing the parts of program arguments you want redacted.

This guide covers basic usage and offers some example use cases. The expressions use Go regular expression syntax; see the Go regexp package documentation for a complete overview of the constructs it supports.

Alert program argument redaction examples

Program argument redactions apply to all output sources and are turned on with a redaction_regexs list under alert_output:

alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=(.*)"
  outputs:
    - type: stdout
      enabled: true

This example takes the mysql password and AWS secret key cases above and changes the alert so that --password=apassword and AWS_SECRET_ACCESS_KEY=asecretkey become --password=********** and AWS_SECRET_ACCESS_KEY=********** respectively. Two points to check when writing your own expressions: --password=(.*) matches only the long form of the option, so the short form -p=apassword from the introduction needs its own expression; and .* is greedy, so it matches through to the end of whatever text the expression is applied to. If that text is a whole command line rather than a single argument, everything after the = is masked; a pattern such as --password=(\S+) stops at the next whitespace instead.

The sensor masks only the text inside the capture group so that as much of the argument as possible is preserved. If you would rather wipe the whole of AWS_SECRET_ACCESS_KEY=asecretkey, leave the capture group out:

alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=.*"
  outputs:
    - type: stdout
      enabled: true

This transforms the example alerts from --password=apassword and AWS_SECRET_ACCESS_KEY=asecretkey to --password=********** and ********** respectively.

Alert program argument redaction errors

If one of the regular expressions is not valid, SLS treats it as a fatal error and does not start. The startup log includes the regex that failed to compile and the compiler's error message, as in this excerpt:

Sophos Linux Runtime Detections Agent version 5.0.0.28 (Build: 1917)
INFO[0000] fetching metadata                            
INFO[0000] fetched metadata 
...                            
INFO[0002] Starting Embedded Analytics                  
FATA[0002] Unable to start analytics: Invalid Redaction Regex `AWS_ACCESS_KEY=(.**)` -- error parsing regexp: invalid nested
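Because an invalid expression stops the sensor from starting, it is worth compiling a redaction_regexs list before rolling it out. The following Go program is an added example, not code from the sensor or from this page: it compiles a list of patterns with Go's regexp package (the same syntax SLS accepts), fails on the first invalid one with the pattern and compiler message, and then applies the valid ones to constructed argument strings the way the examples above describe, masking only capture group 1 when a group is present and the whole match otherwise. How the real sensor walks the arguments internally is not documented here; the redact function, the mask constant and the sample inputs are this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// mask is the replacement text; assumed to match the asterisks shown in the
// page's examples, not read from the sensor.
const mask = "**********"

// redactor holds the compiled redaction expressions.
type redactor struct {
	exprs []*regexp.Regexp
}

// newRedactor compiles every pattern. An invalid pattern returns an error
// carrying the pattern and the compiler message, so a config can be
// checked before the sensor refuses to start on it.
func newRedactor(patterns []string) (*redactor, error) {
	r := &redactor{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("Invalid Redaction Regex `%s` -- %v", p, err)
		}
		r.exprs = append(r.exprs, re)
	}
	return r, nil
}

// redact applies each expression in turn to args. When the expression has a
// capture group, only group 1 is masked and the surrounding text is kept;
// with no group, the whole match is masked.
func (r *redactor) redact(args string) string {
	out := args
	for _, re := range r.exprs {
		var b strings.Builder
		last := 0
		for _, loc := range re.FindAllStringSubmatchIndex(out, -1) {
			start, end := loc[0], loc[1]
			if re.NumSubexp() > 0 && loc[2] >= 0 {
				start, end = loc[2], loc[3] // narrow to capture group 1
			}
			b.WriteString(out[last:start])
			b.WriteString(mask)
			last = end
		}
		b.WriteString(out[last:])
		out = b.String()
	}
	return out
}

func main() {
	// The page's two patterns plus one for the short mysql option form.
	patterns := []string{"--password=(.*)", "AWS_SECRET_ACCESS_KEY=.*", `-p=(\S+)`}
	r, err := newRedactor(patterns)
	if err != nil {
		fmt.Println("FATA Unable to start analytics:", err)
		return
	}
	// Constructed sample argument strings, not captured alerts.
	for _, a := range []string{
		"--password=apassword",
		"AWS_SECRET_ACCESS_KEY=asecretkey",
		"mysql -p=apassword -h db",
	} {
		fmt.Printf("%-36q -> %q\n", a, r.redact(a))
	}
	// The pattern from the log excerpt above: a nested repetition that
	// Go's regexp rejects, so nothing would be redacted and startup fails.
	if _, err := newRedactor([]string{"AWS_ACCESS_KEY=(.**)"}); err != nil {
		fmt.Println("FATA", err)
	}
}
```

Running it shows the difference between the grouped and ungrouped forms, and the last line reproduces the compile failure for AWS_ACCESS_KEY=(.**) before any sensor is involved. Swap in your own redaction_regexs list and a few representative command lines to confirm that each expression masks exactly the value you intend and nothing more.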