Masking sensitive data
Sensitive data filters mask information only in the discovered process command line or file content to which they are applied; they do not mask the same value where it appears elsewhere, for example in package names.
A sensitive data filter is a regular expression to define data that you do not want displayed. When matched, the sensitive portion of the data is replaced by the text SensitiveValue.
Managing sensitive data filters
- From the main menu, click the Administration icon. The Administration page displays.
- From the Discovery section, click Sensitive Data Filters.
The Sensitive Data Filters window is displayed with the Processes tab visible.
- To view or edit filters for files, click the Files tab.
- To edit an existing filter, click Edit.
- To delete an existing filter, click Delete.
- To add a new filter, click Add. A new field is added, into which you can enter a regular expression.
- To create the filter, click Apply.
- To reorder sensitive data filters, click the up or down arrow in the ordering column for the filter you want to move.
You can also move a filter to the top or bottom of the list using the top or bottom arrow buttons.
Creating a sensitive data filter
A regular expression will usually match more than just the sensitive data itself, for instance an identifying argument name such as --password. Only the portion of the match that is to be masked is enclosed in brackets (parentheses) to form a regular expression group; portions of the match that are not inside a group are left unmodified, so the argument name remains visible while its value is replaced.
The following command has the --password value in clear text. The regular expression needs --password to locate the data and to define how much to mask around it.
./pfg_serv -h -Hj -g lob -l full --user gussie --password finknottle --dominion emea-
The regular expression adds \S+ to match a sequence of one or more non-whitespace characters, giving --password \S+. Brackets are then added to define the portion that requires masking, giving --password (\S+).
After rediscovery, the new process node has the password portion replaced with the text SensitiveValue:
./pfg_serv -h -Hj -g lob -l full --user gussie --password SensitiveValue --dominion emea-
For more resilience against extra white space, replace the single space in the regular expression with \s+, which matches one or more whitespace characters, giving --password\s+(\S+). This is the form that most sensitive data filters take.
Notes on sensitive data filters
- When writing regular expressions for sensitive data filters, ensure that they do not match too much of the command. If the filter masks part of the command that a pattern uses to identify a piece of running software, that pattern is no longer able to identify the software. For more information, see Improving the performance of regular expressions.
- The filters are not applied to the inferred data model until you perform a discovery run. Sensitive data discovered before a filter was applied remains in the history and in the DDD until it is aged out.
- If sensitive data filters are applied to files, the masked files must remain valid. For example, if a sensitive data filter is applied to an XML file, the XML must remain well-formed after masking; otherwise, XPath processing of the file will not work.
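The masking rules from the worked example above (only the bracketed group is replaced, \s+ tolerates extra white space) and the two cautions in the notes (a filter that masks too much breaks software identification; a file filter must leave the XML well-formed) can be exercised offline with the following Python. This is an added example and not code from the product or from this page: apply_filters is an assumed model of how the product applies ordered filters, SOFTWARE_PATTERN stands in for a hypothetical software identification pattern, and the command line and XML content are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

SENSITIVE_VALUE = "SensitiveValue"

# Constructed sample data, based on the command line used on this page.
COMMAND = ("./pfg_serv -h -Hj -g lob -l full --user gussie "
           "--password finknottle --dominion emea-")
SPACED_COMMAND = COMMAND.replace("--password finknottle",
                                 "--password   finknottle")

# Filters as they would be entered in the Processes tab, in order.
PASSWORD_FILTER = r"--password\s+(\S+)"   # the recommended form
NAIVE_FILTER = r"--password (\S+)"        # fails on extra white space
GREEDY_FILTER = r"--password\s+(.*)"      # masks too much of the command


def apply_filters(text, filters):
    """Apply ordered sensitive data filters to a command line or file text.

    Only the text captured by a regular expression group is replaced by
    SensitiveValue; the rest of each match is kept, so the identifying
    argument name survives. Filters run in list order, as in the ordering
    column. This is an assumed model of the product's behaviour written
    for this example; nested groups are not supported.
    """
    for pattern in filters:
        regex = re.compile(pattern)

        def mask_groups(m):
            s, out, pos = m.string, [], m.start()
            for i in range(1, regex.groups + 1):
                if m.start(i) < pos:   # group did not participate, or nested
                    continue
                out.append(s[pos:m.start(i)])
                out.append(SENSITIVE_VALUE)
                pos = m.end(i)
            out.append(s[pos:m.end()])   # a match with no groups is unchanged
            return "".join(out)

        text = regex.sub(mask_groups, text)
    return text


# Hypothetical identification pattern: recognises pfg_serv from its command
# line and reads the --dominion argument as an attribute.
SOFTWARE_PATTERN = re.compile(r"pfg_serv\b.*?--dominion\s+(\S+)")


def identify_software(command):
    """Return the dominion the pattern extracts, or None when the (masked)
    command line no longer matches, which is what an over-broad filter causes."""
    m = SOFTWARE_PATTERN.search(command)
    return m.group(1) if m else None


# Constructed file content for the Files tab case.
XML_FILE = "<config><user>gussie</user><password>finknottle</password></config>"
XML_FILTER = r"<password>([^<]+)</password>"   # masks the value, keeps the tags
BAD_XML_FILTER = r"<password>(.*)"             # also swallows the closing tags


def xml_password(text):
    """Parse the masked file and return the XPath result for the password
    element, or None if the file is no longer well-formed XML."""
    try:
        return ET.fromstring(text).findtext("password")
    except ET.ParseError:
        return None


if __name__ == "__main__":
    print(apply_filters(COMMAND, [PASSWORD_FILTER]))
    print(apply_filters(SPACED_COMMAND, [NAIVE_FILTER]))              # unchanged
    print(identify_software(apply_filters(COMMAND, [GREEDY_FILTER])))  # None
    print(xml_password(apply_filters(XML_FILE, [BAD_XML_FILTER])))    # None
```

Run the block directly to see the four outcomes; the greedy filter hides --dominion from the identification pattern, and the bad XML filter leaves an unclosed password element that the XPath lookup cannot process.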