x-pack/filebeat/input/cel: make redact configuration recommended #36008
Conversation
efd6
added
enhancement
Filebeat
botelastic
bot
added
the
needs_team
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
This pull request doesn't have a |
efd6
force-pushed
the
cel-redact-recommended
branch
from
62b1fa2 to
b2488a0
Compare
x-pack/filebeat/input/cel/config.go
Outdated
| @@ -65,6 +66,10 @@ type redact struct { | |||
| } | |||
|
|
|||
| func (c config) Validate() error { | |||
| if c.Redact == nil { | |||
| logp.L().Named("input.cel").Warn("missing recommended 'redact' configuration: " + | |||
| "see documentation for details: https://www.elastic.co/guide/en/beats/filebeat/8.9/filebeat-input-cel.html#_redact_fields") | |||
There was a problem hiding this comment.
The link here is to 8.9 because the docs currently list "current" as 8.8.
There was a problem hiding this comment.
When this is released "current" will point to 8.9 so I think it would be safe to use it here.
There was a problem hiding this comment.
True. In that case I'll change to _redact rather than _redact_fields, since that will have the actual claims.
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
This comment was marked as outdated.
This comment was marked as outdated.
efd6
force-pushed
the
cel-redact-recommended
branch
from
b2488a0 to
5504cc2
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
Ideally this would be a hard requirement, but that would be a breaking change, so just log at WARN if the configuration is missing.
efd6
force-pushed
the
cel-redact-recommended
branch
from
5504cc2 to
5e2fe86
Compare
x-pack/filebeat/input/cel/config.go
Outdated
| @@ -65,6 +66,10 @@ type redact struct { | |||
| } | |||
|
|
|||
| func (c config) Validate() error { | |||
| if c.Redact == nil { | |||
| logp.L().Named("input.cel").Warn("missing recommended 'redact' configuration: " + | |||
| "see documentation for details: https://www.elastic.co/guide/en/beats/filebeat/8.9/filebeat-input-cel.html#_redact_fields") | |||
There was a problem hiding this comment.
When this is released "current" will point to 8.9 so I think it would be safe to use it here.
) Ideally this would be a hard requirement, but that would be a breaking change, so just log at WARN if the configuration is missing. (cherry picked from commit ae923ba)
) (#36046) Ideally this would be a hard requirement, but that would be a breaking change, so just log at WARN if the configuration is missing. (cherry picked from commit ae923ba) Co-authored-by: Dan Kortschak <[email protected]>
…stic#36008) Ideally this would be a hard requirement, but that would be a breaking change, so just log at WARN if the configuration is missing.
What does this PR do?
This detects when a user has not configured the redact options in the CEL input for filebeat and logs it as missing with a link to the documentation.
Ideally this would be a hard requirement, but that would be a breaking change, so just log at WARN if the configuration is missing.
Why is it important?
By design the CEL input can log the entire input state and its evaluation during debug logging. This may leak secrets, so we provide an option to allow users to specify fields that are sensitive to be redacted or deleted. If the user is not aware of this behaviour or the option to redact they may put themselves at risk. The change here it designed to help them identify this risk.
Backported to 8.9 despite being an enhancement because of risk.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs