Filters: Introduce Redaction Field Filter #2241
Assignees
Labels
area/filters
area/userspace
Related to userspace Tetragon logic
kind/enhancement
This improves or streamlines existing functionality
Comments
willfindlay
added
kind/enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Tetragon events can leak sensitive data such as secrets stored environment variables, passed as command line arguments, or accessed by traced functions/system calls. In production environments, it may be desirable to redact sensitive information so that it does not appear in the event logs. While field filters are sometimes an option, it is not always desirable to completely drop a field, as we may still wish to access some relevant subset of the information therein. Therefore, we need to achieve some middle ground here.
To do this, we can introduce a new filter type, the redaction filter. A redaction filter works like a field filter, except instead of completely dropping the field, it redacts a subset of information, which could be selected by a regular expression for example. In order to enable precise selection of information to be redacted, I would propose using regex capture groups to indicate which parts of the matched string should be redacted.
I imagine the filter syntax looking something like this:
{ "match": { "event_set": ["PROCESS_EXEC"] }, "redact": [ {"field": "args", "regex": "--password\\s+(\\S+)"} ] }The above filter would match substrings in the
argsfield ofPROCESS_EXECevents that look like--password foobarand replace the capture groups of the regular expression with*****, effectively redacting the sensitive information.The text was updated successfully, but these errors were encountered: