backports/willfindlay/1.0/redaction filters #2267
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
willfindlay
added
kind/backport
mtardy
approved these changes
Apr 2, 2024
[upstream commit 69a4743] Implement a new field filter type, the refaction filter. Redaction filters use regular expressions to suppress sensitive information in string fields in Tetragon events. When a regular expression in a redcation filter matches a string, everything inside of its capture groups is replaced with `*****`, effectively censoring the output. For example, the regular expression `(?:--password|-p)(?:\s+|=)(\S*)` will convert the string "--password=foo" into "--password=*****". In some cases, it is not desirable to apply a redaction filter to all events. For this use case, redaction filters also include an event filter which can be used to select events to redact. This event filter is configured with the same syntax as an export filter. As a more concrete example: {"match": {"binary_regex": ["^foo$"]}, "redact": ["\W(qux)\W"]} The above filter would redact any occurrences of the word "qux" in events with the binary name "foo". Due to the sensitive nature of redaction, these filters are applied as configured in the agent, regardless of whether an event is exported via gRPC or the JSON exporter. In other words, redaction filter configuration always happens at the agent config level, not in the gRPC client CLI. Signed-off-by: William Findlay <[email protected]>
willfindlay
force-pushed
the
backports/willfindlay/1.0/redaction-filters
branch
from
2f50359 to
e50a699
Compare
For the generated files, it was actually user error. I forgot to generate the docs for CLI flags. I think it makes sense to disable links checker here though. For now let's ignore it. |
|
Shipping it |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[upstream commit 69a4743]
Implement a new field filter type, the refaction filter. Redaction filters use regular expressions to suppress sensitive information in string fields in Tetragon events. When a regular expression in a redcation filter matches a string, everything inside of its capture groups is replaced with
*****, effectively censoring the output. For example, the regular expression(?:--password|-p)(?:\s+|=)(\S*)will convert the string "--password=foo" into "--password=*****".In some cases, it is not desirable to apply a redaction filter to all events. For this use case, redaction filters also include an event filter which can be used to select events to redact. This event filter is configured with the same syntax as an export filter. As a more concrete example:
The above filter would redact any occurrences of the word "qux" in events with the binary name "foo".
Due to the sensitive nature of redaction, these filters are applied as configured in the agent, regardless of whether an event is exported via gRPC or the JSON exporter. In other words, redaction filter configuration always happens at the agent config level, not in the gRPC client CLI.