Redaction
It’s often required to redact sensitive information from a support bundle before delivering it for analysis. Redactors can be specified for an individual collector or for every collector at once.
Redacting a single collector
Redacting a basic string from a file:
    collect:
      v1:
        - docker.container-cp:
            description: the supergoodtool configuration file
            container: supergoodtool-main
            src_path: /etc/default/supergoodtool.conf
            output_dir: /app/main/
            scrub:
              regex: (DB_PASSWORD ?=)(.*)
              # group 1 already ends with "=", so it is not repeated here
              replace: ${1}REDACTED
In some situations it may be worthwhile to ensure that the redacted output remains valid YAML. To do this, we capture all of the characters surrounding the password and include them again in the output, replacing only the password itself.
    collect:
      v1:
        - docker.container-inspect:
            description: the supergoodtool docker container information
            container: supergoodtool-main
            output_dir: /app/main/
            scrub:
              regex: >-
                (?i)(password["',=]+)[^"',]+(["',]*)
              replace: ${1}REDACTED${2}
In this example, we’re using a couple more advanced features.
First, (?i) at the beginning of the regex sets case-insensitive mode.
We’re also using YAML’s multiline string formatting to avoid having to escape quotes or other special characters.
It’s also far easier to develop a regular expression by experimenting with various inputs and outputs - regex101 can be used to develop the matching string and The Go Playground is useful to validate that the entire replace sequence worked as expected.
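The check suggested above, as an added Go example that is not part of the original page: it applies the docker.container-inspect scrub to a constructed sample and reports any known secret that survives redaction. It assumes scrubs are applied with Go's regexp replacement semantics; the Scrub type, Apply, Leaks and all sample values are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Scrub is a hypothetical stand-in for one regex/replace pair from the spec.
type Scrub struct{ Regex, Replace string }

// Apply runs each scrub in order, assuming Go regexp replacement semantics
// (${1} expands to capture group 1).
func Apply(input string, scrubs []Scrub) (string, error) {
	out := input
	for _, s := range scrubs {
		re, err := regexp.Compile(s.Regex)
		if err != nil {
			return "", fmt.Errorf("bad regex %q: %w", s.Regex, err)
		}
		out = re.ReplaceAllString(out, s.Replace)
	}
	return out, nil
}

// Leaks returns every known secret that is still present after redaction.
func Leaks(output string, secrets []string) []string {
	var found []string
	for _, s := range secrets {
		if strings.Contains(output, s) {
			found = append(found, s)
		}
	}
	return found
}

// Constructed sample resembling container-inspect JSON; values are made up.
const sampleInspect = `{"Env": ["DB_PASSWORD=hunter2", "PATH=/usr/bin"], "Labels": {"Password": "s3cr3t"}}`

// The scrub from the docker.container-inspect example above.
var inspectScrub = []Scrub{{`(?i)(password["',=]+)[^"',]+(["',]*)`, `${1}REDACTED${2}`}}

func main() {
	out, err := Apply(sampleInspect, inspectScrub)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println("still present:", Leaks(out, []string{"hunter2", "s3cr3t"}))
}
```

On this sample the Env-style entry is redacted, while the JSON-style "Password": "s3cr3t" pair is not, because ": " sits between the key and the value. Data in that shape needs a scrub pattern of its own.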
Redacting all collectors
Including a meta.redact collector will cause the specified scrubs to be applied across every support bundle resource.
    collect:
      v1:
        - meta.redact:
            scrubs:
              # group 1 already ends with "=", so it is not repeated in replace
              - regex: (DB_PASSWORD ?=)(.*)
                replace: ${1}REDACTED
              - regex: (APP_PASSWORD ?=)(.*)
                replace: ${1}REDACTED
            output_dir: redact/