Sensitive data obfuscation
As any application monitoring system, the data collected by groundcover is by nature sensitive and contains payloads of full requests and queries. Raw traces can go a long way in a troubleshooting process, but you can choose to obfuscate their payload.
By default groundcover does not obfuscate payloads. However, it will obfuscate sensitive HTTP and gRPC headers - see below for more information.
Configuration
Obfuscation is granularly defined separately for each protocol, using the following names:
httphandler
grpchandler
redishandler
sqlhandler
This applies both for MySQL and PostgreSQL
mongodbhandler
amqphandler
Data obfuscation can be configured in two ways: key-value and unstructured.
Key-Value obfuscation
This method will automatically identify key-value structures such as JSON and query params, and for those it will perform obfuscation based on a defined set of keys.
The configuration consists of the following fields:
enabled
- turns this obfuscator on and off. Default: falsemode
- What should be done with values matching the specified keys. Possible modes are:KeepSpecificValues
- Obfuscate all values except for keys specified inspecificKeys
ObfuscateSpecificValues
- Keep all values and obfuscate only values for keys specified inspecificKeys
caseSensitive
- are the keys case sensitive. Default: FalsespecificKeys
- a list of comma separated strings. Example:
If mode is not specified, the default behavior of this obfuscator is to obfuscate all keys, equivalent to:
mode:
KeepSpecificValues
specificKeys: []
Obfuscation for nested JSON structures is based on the inner keys within the nested JSON objects. An example can be found at Obfuscation Examples
Below is an example of using the key-value configuration with different settings:
Unstructured obfuscation
This method will obfucsate "free text" without any predefined rules. It is meant as a way to make sure all data is obfuscated regardless of its contents.
The configuration exists of the following fields:
Enabled
- Turns this obfuscator on and off. Default: false
Below is an example of turning on the unstructured obfuscator:
Combining the obfuscators
It's perfectly fine to use both the key-value and unstructured obfuscators together! When this is set, the key-value method will be executed first, and only if the structure isn't key-value, it will proceed to the unstructured method.
For example, let's look at a configuration for turning both obfuscators on:
Obfuscation Examples
JSON,
{"key": "value"}
{"key": "?"}
JSON with array,
{"key": [1,2,3]}
{"key": ["?", "?", "?"]}
JSON with nested keys,
{"root": {"sub": {"key": "value"}}}
{"root": {"sub": {"key": "?"}}}
key=value
maps:key=?
Plain text
plain text
:p**** ****
Truncated data: if data has been truncated, it will not be obfuscated and will show scrubbed
as the data. You can change the truncation size limits if you need to.
Want to change your data truncation size limits? Contact us on slack.
Using CLI on New or Existing Installation
After you prepared your desired values.yaml
, apply them using:
Using Helm on New Installation
Using Helm on Existing Installation
Sensitive headers obfuscation
groundcover will obfuscate sensitive HTTP and gRPC headers by default so that they are not shown in traces. This behavior is customizable using the same key value config as above.
The default values for the headers obfuscation are:
According to the HTTP RFC, headers are case insensitive by nature. Because of that, the headers obfuscation will always be case insensitive and can't be configured otherwise.
Last updated