Alert program argument redaction
When an alert is triggered, it may contain sensitive information that was passed to the process via its arguments: for example, a password given as mysql -p=apassword, or a secret given to a container started with docker run -e AWS_SECRET_ACCESS_KEY=asecretkey. To prevent this, Sophos Linux Sensor (SLS) lets you provide regular expressions describing the information you want redacted from program arguments.
This guide covers basic usage and offers some example use cases. See the Go Regular Expressions package documentation for a complete overview of the supported regular expression syntax.
Alert program argument redaction examples
Program argument redactions apply to all output sources and are turned on with the redaction_regexs list under alert_output:

alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=(.*)"
  outputs:
    - type: stdout
      enabled: true
This example takes the mysql password and AWS secret key use cases above and changes the alert such that
Note that the sensor uses regular expression capture groups in order to preserve as much of the argument as possible: the key name is kept and the captured value is redacted. If you would rather wipe the entire
AWS_SECRET_ACCESS_KEY=asecretkey, use a pattern without a capture group:

alert_output:
  redaction_regexs:
    - "--password=(.*)"
    - "AWS_SECRET_ACCESS_KEY=.*"
  outputs:
    - type: stdout
      enabled: true
Which would transform the example alerts from
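The two behaviours above (capture group present: only the captured value is masked; no capture group: the whole match is wiped) and the compile-time rejection of a bad pattern, shown as an added Go example. This is illustrative code written for this guide, not the sensor's implementation; the "[REDACTED]" mask string and the error wording are assumptions.

```go
package main

import ("fmt"; "regexp")

const mask = "[REDACTED]" // assumed mask text; the sensor's actual marker may differ

// Redactor applies the configured redaction_regexs to a program's arguments.
// Illustration of the behaviour the guide describes, not the sensor's own code.
type Redactor struct{ patterns []*regexp.Regexp }

// NewRedactor compiles every pattern up front and fails on an invalid one,
// mirroring the sensor's fatal error at startup.
func NewRedactor(patterns []string) (*Redactor, error) {
	r := &Redactor{}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("Invalid Redaction Regex `%s` -- %w", p, err)
		}
		r.patterns = append(r.patterns, re)
	}
	return r, nil
}

// Redact masks sensitive text in args. With capture groups only the captured
// text is masked and the rest of the match (e.g. the key name) is kept;
// without groups the whole match is wiped.
func (r *Redactor) Redact(args string) string {
	for _, re := range r.patterns {
		var out []byte
		last := 0
		for _, m := range re.FindAllStringSubmatchIndex(args, -1) {
			if len(m) == 2 { // no capture groups: mask the entire match
				out = append(out, args[last:m[0]]...)
				out = append(out, mask...)
				last = m[1]
				continue
			}
			for g := 2; g+1 < len(m); g += 2 { // one span per capture group
				if m[g] < last { continue } // unmatched (-1) or nested in a masked group
				out = append(out, args[last:m[g]]...)
				out = append(out, mask...)
				last = m[g+1]
			}
		}
		args = string(out) + args[last:]
	}
	return args
}
```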
Alert program argument redaction errors
If one of the regular expressions is not valid, SLS treats it as a fatal error and does not start. The error message includes the regex that failed to compile and the corresponding parse error:

Sophos Linux Runtime Detections Agent version 126.96.36.199 (Build: 1917)
INFO fetching metadata
INFO fetched metadata
...
INFO Starting Embedded Analytics
FATA Unable to start analytics: Invalid Redaction Regex `AWS_ACCESS_KEY=(.**)` -- error parsing regexp: invalid nested