How do I filter events on the agent side?

To prevent sensitive data from being sent to the Threat Stack back-end, it is sometimes necessary to filter events on the Threat Stack agent side before they leave the host. For this the agent embeds Lua filtering, so that customers can supply custom filtering logic that fits their needs.

LuaJIT filtering

For more flexible filtering, LuaJIT is embedded in the agent and can be used directly. The global filter script is located at: /opt/threatstack/etc/tsauditd.lua

The function tsaudit_filter must always be present and accepts exactly one argument: a native Lua array of tables. The agent calls this filter before logging any event, and the filter has several possible return values, which can change the way an event is treated or displayed.

Lua Configuration

Use the following as a guide to configure the tsaudit.lua file so that it filters an argument that is part of a command.

Within the tsaudit.lua file you will need to uncomment and configure the 'policy object' section, and uncomment the last section to enable the filter.

The agent must be restarted after the tsaudit.lua file is modified.

This example replaces the password argument, '-ppassword12345', with 'REDACTED' in the following simple mysql command:

    $ mysql -h mysql.server.com -u admin -ppassword12345

Policy Object:

     -- This policy object stores the logic for the redacting process. It is
     -- meant to be passed along with the process information into
     -- filter_process_fields.
     policy = {
           -- The first part holds the constraints to check for redaction.
           -- It is a list of objects, where each object is a container for
           -- specific key/value pairs to check in the process entry. Each
           -- object is a logical "and" unit: all of its key/value pairs must
           -- be true for it to count as a hit. To add a logical "or" unit,
           -- simply add another object. Below there are two constraint
           -- objects: the process matches if the command is 'mysql' OR the
           -- exe is '/usr/bin/mysql'.
           [1] = {
                 [1] = {
                     -- LOGICAL AND (every key in this object must match)
                     comm = 'mysql'
                 },
                 -- LOGICAL OR (any object in this list may match)
                 [2] = {
                     exe = '/usr/bin/mysql'
                 }
           },
           -- The second part holds the keywords to redact. For each process
           -- flagged by the first part of the policy, these keywords are
           -- looked for in the arguments of the process and set to REDACTED.
           [2] = {
                 '-ppassword12345'
           }
     }

Enable redaction:

     -- ** Enabling argument redaction **
     -- Place this inside tsaudit_filter, where 'data' is the event the agent
     -- passed in. filter_process_fields returns the redacted event, or nil
     -- when nothing was redacted: if nil, do nothing; if not nil, return it
     -- and the redacted copy is what gets sent to the server.
     -- Check each policy's result before applying the next one; assigning the
     -- results back-to-back would discard the first policy's redaction.
     redactedData = filter_process_fields(data, policy)
     if redactedData ~= nil then
         return redactedData
     end

NOTE: The agent must be restarted for this change to take effect.
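To make the policy semantics above concrete (AND within a constraint object, OR across objects, literal keywords replaced with REDACTED), here is an added stand-alone Python model of that behaviour. It is not the agent's own filter_process_fields; it assumes constraint values are compared exactly against event fields and keywords against whole argv entries, and the sample events are constructed for the example.

```python
# Stand-alone model of the policy semantics described above; it is not the
# agent's own filter_process_fields. Assumptions: constraint values are compared
# exactly against event fields, keywords against whole argv entries.

REDACTED = "REDACTED"

def policy_matches(event, constraint_objects):
    """Each object is a logical AND of key/value pairs; objects are OR'ed."""
    return any(all(event.get(k) == v for k, v in obj.items())
               for obj in constraint_objects)

def filter_process_fields(event, policy):
    """Return a redacted copy of event, or None if nothing was redacted."""
    constraint_objects, keywords = policy
    if not policy_matches(event, constraint_objects):
        return None
    args = event.get("args", [])
    new_args = [REDACTED if a in keywords else a for a in args]
    if new_args == args:
        return None
    return {**event, "args": new_args}

def tsaudit_filter(events, policies):
    """Apply policies in order; stop at the first one that redacts an event."""
    out = []
    for event in events:
        redacted = next((r for r in (filter_process_fields(event, p) for p in policies)
                         if r is not None), None)
        out.append(redacted if redacted is not None else event)
    return out

# Policy object from the article, written as a Python tuple (constraints, keywords).
MYSQL_POLICY = ([{"comm": "mysql"}, {"exe": "/usr/bin/mysql"}], ["-ppassword12345"])

# Constructed sample events; not captured from a real agent.
SAMPLE_EVENTS = [
    {"comm": "mysql", "exe": "/usr/bin/mysql",
     "args": ["mysql", "-h", "mysql.server.com", "-u", "admin", "-ppassword12345"]},
    # Different password: the literal keyword does not match, so nothing is redacted.
    {"comm": "mysql", "exe": "/usr/bin/mysql", "args": ["mysql", "-u", "admin", "-pOther"]},
    # Not a mysql process: the constraint never fires even though the keyword is present.
    {"comm": "bash", "exe": "/bin/bash", "args": ["bash", "-ppassword12345"]},
]
```

The second sample event is the caveat worth checking in your own policy: a keyword is a literal string, so a password that differs from the configured value passes through unredacted.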

Lua files are overwritten when the agent is upgraded. Make sure your package manager (or configuration management tooling) is set up to write the Lua script back after an upgrade, otherwise the redaction stops working until it is restored.
