Sensitive data obfuscation
As any application monitoring system, the data collected by groundcover is by nature sensitive and contains payloads of full requests and queries. Raw traces can go a long way in a troubleshooting process, but you can choose to obfuscate their payload.
Configuration
Obfuscation is granularly defined separately for each protocol, using the following names:
httphandler
grpchandler
redishandler
sqlhandler
This applies both for MySQL and PostgreSQL
mongodbhandler
amqphandler
Data obfuscation can be configured in two ways: key-value and unstructured.
Key-Value obfuscation
This method will automatically identify key-value structures such as JSON and query params, and for those it will perform obfuscation based on a defined set of keys.
The configuration consists of the following fields:
enabled
- turns this obfuscator on and off. Default: falsemode
- What should be done with values matching the specified keys. Possible modes are:KeepSpecificValues
- Obfuscate all values except for keys specified inspecificKeys
ObfuscateSpecificValues
- Keep all values and obfuscate only values for keys specified inspecificKeys
caseSensitive
- are the keys case sensitive. Default: FalsespecificKeys
- a list of comma separated strings. Example:specificKeys: ["keep-me", "keep-me-too"]
Below is an example of using the key-value configuration with different settings:
agent:
sensor:
httphandler:
obfuscationConfig:
keyValueConfig:
enabled: true
mode: "KeepSpecificValues"
specificKeys: ["keep-me"]
mongodbhandler:
obfuscationConfig:
keyValueConfig:
enabled: true
mode: "ObfuscateSpecificValues"
caseSensitive: true # keys will be case sensitive
specificKeys: ["obfuscate-me"]
Unstructured obfuscation
This method will obfucsate "free text" without any predefined rules. It is meant as a way to make sure all data is obfuscated regardless of its contents.
The configuration exists of the following fields:
Enabled
- Turns this obfuscator on and off. Default: false
Below is an example of turning on the unstructured obfuscator:
agent:
sensor:
httphandler:
obfuscationConfig:
unstructuredConfig:
enabled: true
Combining the obfuscators
It's perfectly fine to use both the key-value and unstructured obfuscators together! When this is set, the key-value method will be executed first, and only if the structure isn't key-value, it will proceed to the unstructured method.
For example, let's look at a configuration for turning both obfuscators on:
agent:
sensor:
httphandler:
obfuscationConfig:
keyValueConfig:
enabled: true
mode: "ObfuscateSpecificValues"
specificKeys: ["key"]
unstructuredConfig:
enabled: true
Obfuscation Examples
JSON,
{"key": "value"}
{"key": "?"}
JSON with array,
{"key": [1,2,3]}
{"key": ["?", "?", "?"]}
JSON with nested keys,
{"root": {"sub": {"key": "value"}}}
{"root": {"sub": {"key": "?"}}}
key=value
maps:key=?
Plain text
plain text
:p**** ****
Truncated data: if data has been truncated, it will not be obfuscated and will show scrubbed
as the data. You can change the truncation size limits if you need to.
Want to change your data truncation size limits? Contact us on slack.
Using CLI on New or Existing Installation
After you prepared your desired values.yaml
, apply them using:
groundcover deploy --values values.yaml
Using Helm on New Installation
helm upgrade \
groundcover \
groundcover/groundcover \
-n groundcover \
-i \
--set global.groundcover_token=<api-key>,clusterId=my_cluster
--values values.yaml
Using Helm on Existing Installation
helm upgrade \
groundcover \
groundcover/groundcover \
-n groundcover \
--reuse-values \
--values values.yaml
Sensitive headers obfuscation
groundcover will obfuscate sensitive HTTP and gRPC headers by default so that they are not shown in traces. This behavior is customizable using the same key value config as above.
The default values for the headers obfuscation are:
agent:
sensor:
sensitiveHeadersObfuscationConfig:
enabled: true
mode: "ObfuscateSpecificValues"
specificKeys: ["Authorization", "Proxy-Authorization", "X-Amz-Security-Token", "X-Amz-Credential"]
According to the HTTP RFC, headers are case insensitive by nature. Because of that, the headers obfuscation will always be case insensitive and can't be configured otherwise.
Last updated