Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configuration option for HTTP request header redaction. #15353

Merged
merged 5 commits into from
Jan 8, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add dns.question.subdomain and dns.question.top_level_domain fields. {pull}14578[14578]
- Add support for mongodb opcode 2013 (OP_MSG). {issue}6191[6191] {pull}8594[8594]
- NFSv4: Always use opname `ILLEGAL` when failed to match request to a valid nfs operation. {pull}11503[11503]
- Added redact_headers configuration option, to allow HTTP request headers to be redacted whilst keeping the header field included in the beat. {pull}15353[15353]

*Winlogbeat*

Expand Down
5 changes: 5 additions & 0 deletions packetbeat/_meta/beat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -200,6 +200,11 @@ packetbeat.protocols:
# all headers by setting this option to true. The default is false.
#send_all_headers: false

# A list of headers to redact if present in the HTTP request. This will keep
# the header field present, but will redact it's value to show the headers
# presence.
#redact_headers: []

# The list of content types for which Packetbeat includes the full HTTP
# payload. If the request's or response's Content-Type matches any on this
# list, the full body will be included under the request or response field.
Expand Down
6 changes: 6 additions & 0 deletions packetbeat/docs/packetbeat-options.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -682,6 +682,12 @@ headers are placed under the `headers` dictionary in the resulting JSON.
Instead of sending a white list of headers to Elasticsearch, you can
send all headers by setting this option to true. The default is false.

===== `redact_headers`

A list of headers to redact if present in the HTTP request. This will keep
the header field present, but will redact it's value to show the header's
presence.

===== `include_body_for`

The list of content types for which Packetbeat exports the full HTTP payload. The HTTP body is available under
Expand Down
5 changes: 5 additions & 0 deletions packetbeat/packetbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -200,6 +200,11 @@ packetbeat.protocols:
# all headers by setting this option to true. The default is false.
#send_all_headers: false

# A list of headers to redact if present in the HTTP request. This will keep
# the header field present, but will redact it's value to show the headers
# presence.
#redact_headers: []

# The list of content types for which Packetbeat includes the full HTTP
# payload. If the request's or response's Content-Type matches any on this
# list, the full body will be included under the request or response field.
Expand Down
1 change: 1 addition & 0 deletions packetbeat/protos/http/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ type httpConfig struct {
RedactAuthorization bool `config:"redact_authorization"`
MaxMessageSize int `config:"max_message_size"`
DecodeBody bool `config:"decode_body"`
RedactHeaders []string `config:"redact_headers"`
}

var (
Expand Down
12 changes: 12 additions & 0 deletions packetbeat/protos/http/http.go
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ type httpPlugin struct {
splitCookie bool
hideKeywords []string
redactAuthorization bool
redactHeaders []string
maxMessageSize int
mustDecodeBody bool

Expand Down Expand Up @@ -147,6 +148,11 @@ func (http *httpPlugin) setFromConfig(config *httpConfig) {
http.transactionTimeout = config.TransactionTimeout
http.mustDecodeBody = config.DecodeBody

http.redactHeaders = make([]string, len(config.RedactHeaders))
for i, header := range config.RedactHeaders {
http.redactHeaders[i] = strings.ToLower(header)
}

for _, list := range [][]string{config.IncludeBodyFor, config.IncludeRequestBodyFor} {
http.parserConfig.includeRequestBodyFor = append(http.parserConfig.includeRequestBodyFor, list...)
}
Expand Down Expand Up @@ -725,6 +731,12 @@ func extractHostHeader(header string) (host string, port int) {
}

func (http *httpPlugin) hideHeaders(m *message) {
for _, header := range http.redactHeaders {
if _, exists := m.headers[header]; exists {
m.headers[header] = []byte("REDACTED")
}
}

if !m.isRequest || !http.redactAuthorization {
return
}
Expand Down
37 changes: 37 additions & 0 deletions packetbeat/protos/http/http_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -990,6 +990,43 @@ func TestHttpParser_RedactAuthorization_Proxy_raw(t *testing.T) {
}
}

func TestHttpParser_RedactHeaders(t *testing.T) {
logp.TestingSetup(logp.WithSelectors("http", "httpdetailed"))

http := httpModForTests(nil)
http.redactAuthorization = true
http.parserConfig.sendHeaders = true
http.parserConfig.sendAllHeaders = true
http.redactHeaders = []string{"header-to-redact", "should-not-exist"}

data := []byte("POST /services/ObjectControl?ID=client0 HTTP/1.1\r\n" +
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5472)\r\n" +
"Content-Type: text/xml; charset=utf-8\r\n" +
"SOAPAction: \"\"\r\n" +
"Header-To-Redact: sensitive-value\r\n" +
"Host: production.example.com\r\n" +
"Content-Length: 0\r\n" +
"Expect: 100-continue\r\n" +
"Accept-Encoding: gzip\r\n" +
"X-Forwarded-For: 10.216.89.132\r\n" +
"\r\n")

st := &stream{data: data, message: new(message)}

ok, _ := testParseStream(http, st, 0)

http.hideHeaders(st.message)

assert.True(t, ok)
var redactedString common.NetString = []byte("REDACTED")
var expectedAcceptEncoding common.NetString = []byte("gzip")
assert.Equal(t, redactedString, st.message.headers["header-to-redact"])
assert.Equal(t, expectedAcceptEncoding, st.message.headers["accept-encoding"])

_, invalidHeaderExists := st.message.headers["should-not-exist"]
assert.False(t, invalidHeaderExists)
}

func Test_splitCookiesHeader(t *testing.T) {
type io struct {
Input string
Expand Down