Hiding sensitive information with an App Visibility confidentiality policy file

As a security officer working with TrueSight App Visibility Manager, you can define a confidentiality policy to prevent sensitive code-level diagnostics information from leaving the monitored server computer. The confidentiality policy ensures that sensitive information contained in specified methods does not reach the network and is not displayed. With the policy, you can identify methods with confidential information and the hiding mode for the methods.

While processing your application code information, an App Visibility agent matches the confidentiality rules according to their order in the policy. When a match is found, the specified hiding mode is applied and subsequent rules are ignored.

If no match is found, or if no rules are present, no information is hidden.

The following information and procedures enable you to hide sensitive information:

Identifying methods and specifying the hiding mode in confidentiality rules

A confidentiality policy consists of an ordered list of rules. Each rule has a unique name, a hiding mode, and one or more identifiers that specify the methods it applies to.

For each rule, you specify a rule name, a hiding mode, and one or more method identifiers.

Specifying a hiding mode

A confidentiality policy rule includes a hiding mode, which is the value of the hide parameter in the rule. Use one of the following values to determine the hiding mode:

  • Hiding CALLS removes the entire method call or calls from all code-level diagnostics, including the method names and the details.
  • Hiding DETAILS removes the method parameters, return values, and other extracted information. The method call or calls are still displayed in the code-level diagnostics.

With either hiding mode, confidential information is not displayed in errors or exceptions if a stack trace is recorded.

Identifying one or more methods

When you create or edit a confidentiality policy rule, you must identify the code you want to be concealed. If your application code matches the identifier value or values, the rule is applied.

To identify the method or methods, specify one or more of the following parameter values:

  • (Agent for .NET only) module, Module name
  • class, Class name
  • method, Method name

Alternatively, for the App Visibility agent for Java, you can use a recording rule ID (recordingRuleId) to specify a method or methods. For details about accessing recording rule IDs, contact Customer Support.

The parameter values can be an exact match or a prefix:

  • For an exact match, enter the full name of a class or method. The class name requires the fully qualified name that includes the package.
  • For a prefix, enter the prefix of one or more of the identifier names, followed by an asterisk (*).

Before you begin

To perform this procedure, you must have Application Administrator-level access.

To protect confidential data by adding or editing confidentiality policy rules

  1. From the navigation pane of the TrueSight console, select Administration > App Visibility Agent Policies and click the Confidentiality Policies tab.
  2. Click the action menu of the policy that you want to edit, and select Edit.

    Tip

    You cannot edit an out-of-the-box policy (displayed with a lock icon), but you can create a copy of the policy and edit the copy:

    1. From the action menu of the policy that you want to copy, select Save As.
    2. On the Create App Visibility Agent Confidentiality Policy page, rename the policy and modify it according to your requirements.
  3. On the Edit App Visibility Agent Confidentiality Policy page, modify the policy according to your requirements.

    Policy editing rules

    When you create or update confidentiality policy rules, adhere to the following principles:

    • The order of the rules is important. Order the confidentiality rules so that more specific rules are listed before more general rules.
    • Each rule name must be enclosed in angle brackets (for example, <rule_name>).
    • Each line in the rule definition has only one property, in a property=value format.
    • Rule names and property values are case sensitive.
    • White spaces are ignored except within the value string (that is, between the first non-blank character after the "=" delimiter and the last non-blank character in the line).
    • Both Windows and Linux line feed markers are supported.
    • Hash marks (#) at the beginning of a line signify comments.
    • Property values can only be ASCII characters within the range of 0-127.

    For details, see Examples of rules in the confidentiality policy, later in this topic.

  4. Click Save.
  5. If necessary, apply the confidentiality policy to relevant agents, or set it as a default confidentiality policy.
    For details, see Managing App Visibility policy files.

To ensure that confidential data is protected, you can also disable the functionality that shows the slowest database queries in the Application View because queries might contain information that you do not want to reveal. For instructions, see To protect confidential data by not showing database queries later in this topic.

Warning

If a confidentiality policy is invalid and cannot be processed, all calls to all methods in all classes and (for .NET applications) all modules are hidden as a security precaution. Likewise, code-level information is hidden for all entry points and exit points and they are displayed under the generic labels <entry point> and <exit point>.

If the confidentiality policy is invalid, an event is recorded in the health-events.csv file and in integrated systems. You can configure the display of the Warning on the Events page, as described in the Sending App Visibility health events to integrated systems topic.

Examples of rules in the confidentiality policy

The following examples present specific rules for a confidentiality policy. A policy can contain several rules and the order of the rules is important. Order confidentiality rules so that more specific rules are listed before more general rules.

Example: Hide methods, value prefix, .NET application

The following rule applies to an application monitored by an App Visibility agent for .NET. The rule removes methods that match the listed criteria:

  • Module name is MyLib.dll
  • Class name starts with com.mycompany.myrootpkg.myapp.secret.MySecretCl
  • Method name starts with doSecretly

<MyAppHidingRule1_wholeMethods>
     hide=CALLS
     module=MyLib.dll
     class=com.mycompany.myrootpkg.myapp.secret.MySecretCl*
     method=doSecretly*

Example: Hide method details, exact match, any application

The following rule removes details from all methods in the monitored application that match the com.mycompany.myrootpkg.myapp.somewhatsecret.MySomewhatSecretClass class name.

<MyAppHidingRule2_onlyValues>
     hide=DETAILS
     class=com.mycompany.myrootpkg.myapp.somewhatsecret.MySomewhatSecretClass

Example: Hide methods, recording rule, Java application

The following rule removes the methods specified in the MyAppRecRule42 recording rule from an application monitored by an App Visibility agent for Java:

<MyAppHidingRule3_basedOnRecRule>
     hide=CALLS
     recordingRuleId=MyAppRecRule42
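The following added example (not part of the product documentation) is a small reference implementation of the policy syntax from the Policy editing rules and of the first-match evaluation shown in the three examples above, including the fail-closed behaviour described in the Warning. Property names, the SAMPLE_POLICY text, and the call dictionaries are constructed for illustration.

```python
import re
# Constructed sample policy (not from the product docs) in the documented format.
SAMPLE_POLICY = """# first matching rule wins
<HideSecrets>
hide=CALLS
class=com.mycompany.myrootpkg.myapp.secret.MySecretCl*
method=doSecretly*
<HideValues>
hide = DETAILS
class = com.mycompany.myrootpkg.myapp.somewhatsecret.MySomewhatSecretClass
"""
RULE_HEADER = re.compile(r"^<([^<>]+)>$")
PROPERTIES = {"hide", "module", "class", "method", "recordingRuleId"}

def parse_policy(text):  # -> ordered list of {"name", "props"}; ValueError if invalid
    rules, current = [], None
    for raw in text.splitlines():            # accepts both LF and CRLF line endings
        line = raw.strip()                    # white space around the line is ignored
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        if any(ord(c) > 127 for c in line):
            raise ValueError("policy lines must be ASCII 0-127")
        header = RULE_HEADER.match(line)
        if header:
            current = {"name": header.group(1), "props": {}}
            rules.append(current)
        elif current is None or "=" not in line:
            raise ValueError("expected <rule_name> or property=value: " + line)
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            if key not in PROPERTIES or key in current["props"]:
                raise ValueError("unknown or repeated property: " + key)
            current["props"][key] = value     # keys and values stay case sensitive
    if any(r["props"].get("hide") not in ("CALLS", "DETAILS") for r in rules):
        raise ValueError("every rule needs hide=CALLS or hide=DETAILS")
    return rules

def matches(pattern, value):  # exact match, or prefix match when pattern ends with '*'
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else value == pattern

def hiding_mode(rules, call):  # CALLS/DETAILS from the first matching rule, else None
    for r in rules:
        if all(matches(v, call.get(k, "")) for k, v in r["props"].items() if k != "hide"):
            return r["props"]["hide"]
    return None

def hiding_mode_safe(policy_text, call):  # fail closed like the agent: invalid -> hide all
    try:
        return hiding_mode(parse_policy(policy_text), call)
    except ValueError:
        return "CALLS"
```

Swapping the two rules in SAMPLE_POLICY would not change these results, but in a policy where a general rule precedes a more specific one the general rule wins, which is why the documentation asks for specific rules first.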

Special cases

When you use a confidentiality policy, consider the following situations:

  • Entry points and exit points. Entry points (transaction start methods) and exit points (calls to external systems) represent pivotal diagnostics information and the corresponding method calls are not completely removed. If a hide=CALLS rule matches an entry point or exit point method, the point is displayed under a generic label (<entry point> and <exit point>) and no details are included.
  • Exception messages. The App Visibility agent for .NET filters exceptions that report at the code level, but it cannot hide sensitive information that might be included in exception messages. Instead, you can completely turn off details for code-level exceptions in the general agent policy by ensuring that persisting.exception.stacktrace=false (the default value). The stack trace frames are filtered by the applied confidentiality rule, as they are for any other methods.
  • Parameter values. You can prevent the display of sensitive information that is recorded from HTTP parameters and headers. For details, see Concealing sensitive data recorded by the App Visibility agents.

To protect confidential data by not showing database queries

To ensure that confidential data is protected, you can disable the functionality that shows the slowest database queries in the Application View (see the "Examine the slowest database queries" section in Analyzing database problems with the Database tier), because queries might contain information that you do not want to reveal.
Use the following procedure to disable the slowest database queries:

  1. On the App Visibility Agent Policies page, click the Agent Policies tab.
  2. Click the action menu of the agent policy that is applied to the same agent as the confidentiality policy that you created:

    • If it is a custom policy, select Edit.

    • If it is an out-of-the-box policy (displayed with a lock icon), select Save As and edit the newly created copy.

  3. At the end of the file, add the following line:

    number.of.slowest.queries.to.report=0
  4. Click Save.
  5. If necessary, apply the agent policy to relevant agents, or set it as a default agent policy.
