Redaction

Redacting Sensitive Information

Redacting Sensitive Information

Production environments contain sensitive information (passwords, private keys, etc). The Replicated Troubleshoot tool can scrub sensitive information from a support bundle during collection, to reduce the chance of this being shared. It’s important to consider if there will be sensitive data included in a custom collector, and if so, adding redaction. In other situations, default collectors may themselves include sensitive data, such as environment variables provided to a Docker container. This can be handled by applying a redactor to all files within a bundle.

It’s also recommended to treat all support bundles as sensitive, because secrets could be included in a log file or in other unexpected places.

Redacting the output of a single collector

If you know a collector will normally contain sensitive data, you can include a scrub regex within that collector spec. For example, if you know that a config file copied from an application container may include a password in the form DB_PASSWORD=hunter2, a scrubber for that spec would be recommended.

That could look like this:

collect:
  v1:
    - docker.container-cp:
        description: the supergoodtool configuration file
        container: supergoodtool-main
        src_path: /etc/default/supergoodtool.conf
        output_dir: /app/main/
        scrub:
          regex: (DB_PASSWORD ?=)(.*)
          replace: ${1}=REDACTED

Then, when copying the file, hunter2 would be replaced with REDACTED.

Redacting the output of all collectors

Sometimes, it’s easiest to redact every collector without considering whether the redaction is relevant for the collector in question. Or you may need to redact the output produced by collectors you do not control - for example, the default support bundle specs. For those situations, meta.redact can provide the solution.

meta.redact is functionally equivalent to adding every specified scrubbing regex to every collector spec. This means that the below set of specs will have the same file output as from the example before.

collect:
  v1:
    - docker.container-cp:
        description: the supergoodtool configuration file
        container: supergoodtool-main
        src_path: /etc/default/supergoodtool.conf
        output_dir: /app/main/
    - meta.redact:
        scrubs:
          - regex: (DB_PASSWORD ?=)(.*)
            replace: ${1}=REDACTED
        output_dir: redact/