Commit 8b4eaf6

tetragon: Add docs for environment variables redaction
Adding docs for environment variables redaction. Signed-off-by: Jiri Olsa <[email protected]>
1 parent c85f617 commit 8b4eaf6

1 file changed

+13
-4
lines changed

docs/content/en/docs/concepts/events.md

Lines changed: 13 additions & 4 deletions
@@ -223,9 +223,9 @@ Since Tetragon traces the entire system, event exports might sometimes contain
223223
sensitive information (for example, a secret passed via a command line argument
224224
to a process). To prevent this information from being exfiltrated via Tetragon
225225
JSON export, Tetragon provides a mechanism called Redaction Filters which can be
226-
used to string patterns to redact from exported process arguments. These filters are written
227-
in JSON and passed to the Tetragon agent via the `--redaction-filters` command
228-
line flag or the `redactionFilters` Helm value.
226+
used to string patterns to redact from exported process arguments and environment
227+
variables. These filters are written in JSON and passed to the Tetragon agent via
228+
the `--redaction-filters` command line flag or the `redactionFilters` Helm value.
229229

230230
To perform redactions, redaction filters define RE2 regular expressions in the
231231
`redact` field. Any capture groups in these RE2 regular expressions are redacted and
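Review bot: the rewritten sentence on new line 226 still reads "which can be used to string patterns to redact", which is missing its verb; since the line is being touched anyway, write "which can be used to specify string patterns to redact from exported process arguments and environment variables". Otherwise the rewrapped lines 226-228 carry the same content as before plus the environment-variables mention, which matches the commit message.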
@@ -243,7 +243,7 @@ characters. For instance `\Wpasswd\W?` would be written as `{"redact": "\\Wpassw
243243
{{< /warning >}}
244244

245245
For more control, you can select which binary or binaries should have their
246-
arguments redacted with the `binary_regex` field.
246+
arguments or environment variables redacted with the `binary_regex` field.
247247

248248
As a concrete example, the following will redact all passwords passed to
249249
processes with the `"--password"` argument:
@@ -265,6 +265,15 @@ We can also redact these as follows:
265265
With both of the above redaction filters in place, we are now redacting all
266266
password arguments.
267267

268+
Another example is to redact `SSHPASS` environment variable with:
269+
270+
```json
271+
{"redact": ["(?:SSHPASS=)+(\\S+)"]}
272+
```
273+
274+
Now, an event that contains the string `"SSHPASS=password"` would have that string
275+
replaced with `"SSHPASS=*****"`.
276+
268277
### `tetra` CLI
269278

270279
A second way is to use the [`tetra`](https://github.com/cilium/tetragon/tree/main/cmd/tetra) CLI. This
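Review bot: the `+` quantifier in `(?:SSHPASS=)+(\\S+)` on new line 271 is unnecessary and slightly misleading, since an environment entry contains `SSHPASS=` once; `SSHPASS=(\\S+)` is enough, and keeping the prefix outside the capture group already gives the `SSHPASS=*****` result described on lines 274-275 (only capture groups are redacted, per line 231). Line 268 also needs an article: "to redact the `SSHPASS` environment variable". Since this filter sets no `binary_regex` (the field described on line 246), it would help to say explicitly that it applies to every process's environment.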
