Clean Passwords from Logs
Today was a day of fixing things. We had some issues with a badly behaving Storm topology, so I wrote up some scripts to automate collecting the heap dump, generating a report, tailing relevant logs, and then shipping the whole thing off to a file server. Worked great until I realized the developers were keeping sensitive information in the topology config, which is spewed into the log on every restart!
Enter sed. I needed to purge out any connection strings for our databases, which I accomplished with the following command:
    sed -r 's/(vertica|secondarydb)\.([^"]+)" "?[^,]+/\1.\2" "*****"/g'
What it does:
- Use extended regex via -r (breaks portability in favor of using GNU extensions)
- Perform a substitute operation
- Find the word vertica or secondarydb followed by a literal dot, the rest of the key name up to its closing double quote, a space, and then the value (with or without an opening double quote) up to the next comma
- Replace whatever you found with vertica or secondarydb, a literal dot, the rest of the key name, and a masked representation of the sensitive info
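An added example, not from the original post: the command above run over a constructed log line, next to a stricter variant that handles values containing commas and the last entry on a line. The sample line, its assumed format, the function names mask_page and mask_strict, and the stricter pattern are all assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample line (not real log output). Assumed format: quoted key,
# one space, value, entries separated by ", " inside braces.
SAMPLE='{"topology.workers" 4, "vertica.password" "p4ss,w0rd", "secondarydb.url" "jdbc:mysql://db2.example.internal/app"}'

# The command from the post, unchanged. [^,]+ stops at the first comma, so a
# value containing a comma is cut short, and the last entry on a line is
# swallowed to end of line (closing brace included).
mask_page() {
    sed -r 's/(vertica|secondarydb)\.([^"]+)" "?[^,]+/\1.\2" "*****"/g'
}

# Stricter variant (assumption, not from the post): a quoted value is matched
# up to its closing quote, commas included; an unquoted value stops at a comma
# or closing brace. Assumes values never contain an escaped \" character.
mask_strict() {
    sed -r 's/"((vertica|secondarydb)\.[^"]+)" ("[^"]*"|[^",}]+)/"\1" "*****"/g'
}

# Show both results side by side for the constructed line.
echo "page:   $(printf '%s\n' "$SAMPLE" | mask_page)"
echo "strict: $(printf '%s\n' "$SAMPLE" | mask_strict)"
```

Before shipping a log bundle, search the masked output for a fragment of a known secret to confirm nothing survived the substitution.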
About the author
Brooks Garrett is a dedicated technologist who specializes in information security. Brooks has spent over 10 years implementing security programs for both the public and private sector, including some of the biggest names in the Fortune 500. When he's not managing risk in the corporate environment, you can find him at the local fire station, where he is a volunteer firefighter.