owasp-security-logging
Versatile masking
I looked at this: https://github.com/javabeanz/owasp-security-logging/wiki/Masking. However, that is very limited and requires logging statements to be written in a very specific way.
I have created this regex-based Logback converter: https://gist.github.com/rahulaga/8bd7ca7b521a7858e86c0a51fffe3f03
Configure it as such:

```xml
<conversionRule conversionWord="maskedMsg" converterClass="MaskingConverter" />
<property name="CONSOLE_LOG_PATTERN" value="%mdc{TID} %date %-5level [%thread] %logger{0} - %maskedMsg{ password|token, username, apiKey, email }%n" />
```
I think it would be useful for the community and something anyone could easily drop in.
@rahulaga This looks very cool. I'd be concerned about the execution speed of doing pattern matching on every log statement in high performance environments, but I would love to add this as an option.
Will you send a pull request?
Where does the option list come from? Is it possible to define custom regexes in configuration?
I could see easily matching on an email address, credit card, SSN, etc, but if a password ~~can~~ should contain any character set how will you match on it without masking everything?
Thanks, sure, I can look into a pull. The options list comes from the pattern provided in the config. I have 4 preset types of masking: CompleteMask, MaskExceptFirstFour, MaskAllButLastFour, EmailMasking. You could certainly expand on those options to include regexes in config too. Performance-wise, the regexes are precompiled on init. I think masking benefit and flexibility may be a tradeoff to consider in your situation.
Submitted pull for your reference https://github.com/javabeanz/owasp-security-logging/pull/15
Thanks for your contribution, Rahulaga. Next step is making the documentation match the new functionality.
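
A minimal sketch of the approach discussed in this thread, added here as an illustration; it is not the code from the gist or the pull request. The class name `MaskingSketch`, the `key=value` message format, the delimiter set, the mapping of keys to presets, and the behaviour given to each of the four preset names are all assumptions.

```java
import java.util.List;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MaskingSketch {
    // One rule = a precompiled "key=value" / "key: value" pattern plus a masking strategy.
    record Rule(Pattern pattern, UnaryOperator<String> mask) {}

    static String stars(int n) { return "*".repeat(Math.max(n, 0)); }

    // Assumed semantics for the four preset names mentioned in the thread.
    static final UnaryOperator<String> COMPLETE = v -> stars(v.length());
    static final UnaryOperator<String> EXCEPT_FIRST_FOUR =
        v -> v.length() <= 4 ? stars(v.length()) : v.substring(0, 4) + stars(v.length() - 4);
    static final UnaryOperator<String> ALL_BUT_LAST_FOUR =
        v -> v.length() <= 4 ? stars(v.length()) : stars(v.length() - 4) + v.substring(v.length() - 4);
    static final UnaryOperator<String> EMAIL = v -> {
        int at = v.indexOf('@');
        return at < 0 ? stars(v.length()) : stars(at) + v.substring(at);
    };

    // The value is matched by position (whatever follows the key), not by character
    // class, so a password may contain any character that is not a delimiter.
    static Rule rule(String keys, UnaryOperator<String> mask) {
        return new Rule(Pattern.compile("(?i)\\b(" + keys + ")(\\s*[=:]\\s*)([^\\s,;&]+)"), mask);
    }

    static final List<Rule> RULES = List.of(   // compiled once, reused for every message
        rule("password|token", COMPLETE),
        rule("username", EXCEPT_FIRST_FOUR),
        rule("apiKey", ALL_BUT_LAST_FOUR),
        rule("email", EMAIL));

    static String mask(String message) {
        for (Rule r : RULES) {
            Matcher m = r.pattern().matcher(message);
            // quoteReplacement: a secret containing '$' or '\' must not be read as a group reference.
            message = m.replaceAll(mr ->
                Matcher.quoteReplacement(mr.group(1) + mr.group(2) + r.mask().apply(mr.group(3))));
        }
        return message;
    }

    public static void main(String[] args) {
        // Constructed sample log message.
        System.out.println(mask("login username=alice.smith password=p@$$w0rd! apiKey=AKX93F7Q21ZZ email=alice@example.com"));
    }
}
```

A value that itself contains whitespace or one of the delimiter characters is masked only up to that character, so this style of masking is a backstop rather than a guarantee that no secret reaches the log.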