×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC Helix Discovery ... Using Configuring discovery

Masking sensitive data

The View Object page of a discovered process shows the command used to start the process. In some cases, a user name and password, or some other sensitive data, is shown in clear text. You can also view the contents of a discovered file, and in some cases these, too, can contain passwords or other sensitive data. You can prevent this issue by using sensitive data filters.

Related topics

Configuring discovery

Sensitive data filters for processes mask information only from the discovered process or file; not from, for example, package names.

A sensitive data filter is a regular expression to define data that you do not want displayed. When matched, the sensitive portion of the data is replaced by the text SensitiveValue

Managing sensitive data filters

  1. From the main menu, click the Administration icon. The Administration page displays.  
  2. From the Discovery section, click Sensitive Data Filters
    The Sensitive Data Filters window is displayed with the Processes tab visible.
  3. To view or edit filters for files, click the Files tab.
    • To edit an existing filter, click Edit.
    • To delete an existing filter, click Delete.
    • To add a new filter, click Add. A new field is added, into which you can enter a regular expression.
    • To create the filter, click Apply.
    • To reorder sensitive data filters, click the up or down arrow in the ordering column for the filter you want to move.
      You can also move a filter to the top or bottom of the list using the top or bottom arrow buttons.

Creating a sensitive data filter

A regular expression will usually match more than just sensitive data, including, for instance, an identifying argument name such as -password. The portion of data to be hashed must be enclosed in brackets to form a regular expression group. Portions of the regular expression not enclosed in brackets are not modified.

  1. The following command has the --password in clear text. The regular expression needs --password to locate the data and define how much to mask around it.

    ./pfg_serv -h -Hj -g lob -l full --user gussie --password finknottle --dominion emea
  2. This regular expression adds \S+ to identify a sequence of one or more non-whitespace characters, making a regular expression of --password \S+. Brackets are then added to define the portion that requires masking, making --password (\S+).

  3. After rediscovery, the new process node will have the password portion replaced with the text SensitiveValue.

    ./pfg_serv -h -Hj -g lob -l full --user gussie 
          --password SensitiveValue --dominion emea
  4. For more resilience against extra white space, replace the single space in the regular expression \s+, which matches any whitespace character, making --password\s+(\S+), which is the form that most sensitive data filters take.

Notes on sensitive data filters

  1. When writing regular expressions for sensitive data filters, ensure that they do not match too much of the command. If the filter masks some of the command that a pattern uses to identify a piece of running software, that pattern will then be unable to identify the software. For more information, see Improving the performance of regular expressions.
  2. The filters are not applied to the inferred data model until you perform a discovery run. Sensitive data discovered before applying a filter remains in the history and DDD until it is aged.
  3. If sensitive data filters are applied to files, the files must remain valid. For example, if a sensitive data filter is applied to an XML file, the XML must remain valid; otherwise, Xpath processing will not work.

Upgrading to BMC Helix Discovery version 23.1

BMC Helix Discovery version 23.1 contains new default sensitive data filters. The filters however, are only available in new installations, not upgraded systems. If you have upgraded to version 23.1, you can add the following filter regexes to obtain the same sensitive data filters as a new installation.

For processes (the Processes tab):

  • (?i)password\.file=(\S+)\b
  • (?i)password\s(\S+)\b
  • (?i)passwordfileurl=(file://\S+)\b
  • (?i)ssl_keystore_password\s(\S+)\b
  • (?i)putty(?:ng)?\.exe.*-pw\s+(\S+)
  • (?i)plink\.exe.*-pw\s+(\S+)
  • --system-passwd\s+(\S+)
  • -Dcom.sun.management.jmxremote.password.file=(\S+)
  • -o UserKnown.* -l (\S+)
  • -p -h .* -- (\S+)

For files (the Files tab):

  • (?i)PasswordProd"\svalue\="([^"]+)"
  • (?i)password>([^<]+)<
  • (?i)password-encrypted>([^<]+)<
  • (?i)Pwd" value="([^"]+)" />
  • keystorePass\=(\S+)
  • (?i)pwd=([^"]+)"
  • client_keypw_cmd=(\S+)
  • client_keypw_file=(\S+)
  • (?i)pass-phrase-encrypted>([^<]+)<
  • Notification\.Password" value="([^"]+)"/>
  • (?i)Password"?\svalue\="([^"]+)"
  • (?i)passwd=(\S+)
  • key="EncryptKey"\svalue="([^"]+)"
  • (?i)password</param-name>[\s\t\n]+<param-value>([^<]+)<
Was this page helpful? Yes No Submitting... Thank you
Last modified by Duncan Tweed on Dec 20, 2022
sensitive_data masking data_filter

Comments

  1. Franã§ois Sutre

    Hello, Which kind of regular expressions are used for code these filters : PHP, Golang, Python, Javascript ? Regards, François SUTRE

    Nov 30, 2020 08:02
  2. Andrew Waters

    Filters are written using Python regular expressions.

    Nov 30, 2020 09:26

Log in or register to comment.

Configuring discovery settings
Managing the discovery platform scripts
© Copyright 2004 - 2023 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.