Merge "Add functionality to sanitize collected logs"

2019-12-20 03:24:50 +00:00 · 2019-12-20 03:24:50 +00:00 · 67f931ad16
parent 1b8ed193fd 061f90faa7
commit 67f931ad16
3 changed files with 52 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -200,6 +200,36 @@ of sosreport(s) with this role, create a custom config (you can use
 centosci-logs.yml as a template) and ensure that
 ``artcl_collect_sosreport: true`` is set.

+
+Sanitizing Log Strings
+----------------------
+
+Logs can contain senstive data such as private links and access
+passwords. The 'collect' task provides an option to replace
+private strings with sanitized strings to protect private data.
+
+The 'sanitize_log_strings' task makes use of the Ansible 'replace'
+module and is enabled by defining a ``sanitize_lines``
+variable as shown in the example below:
+
+.. code:: yaml
+
+   ---
+   sanitize_lines:
+     - dir_path: '/tmp/{{ inventory_hostname }}/etc/repos/'
+       file_pattern: '*'
+       orig_string: '^(.*)download(.*)$'
+       sanitized_string: 'SANITIZED_STR_download'
+     - dir_path: '/tmp/{{ inventory_hostname }}/home/zuul/'
+       file_pattern: '*'
+       orig_string: '^(.*)my_private_host\.com(.*)$'
+       sanitized_string: 'SANITIZED_STR_host'
+
+
+The task searches for files containing the sensitive strings
+(orig_string) within a file path, and then replaces the sensitive
+strings in those files with the sanitized_string.
+
 License
 -------

--- a/tasks/collect.yml
+++ b/tasks/collect.yml
@ -69,6 +69,14 @@
    chown -R {{ ansible_user }}: /tmp/{{ inventory_hostname }};
  changed_when: true

+# See README section 'Sanitizing Log Strings'
+- name: Sanitize logs to remove sensitive details
+  include_tasks: sanitize_log_strings.yaml
+  loop: "{{ sanitize_lines }}"
+  loop_control:
+    loop_var: outer_item
+  when: sanitize_lines is defined and sanitize_lines|length
+
 - name: Compress logs to tar.gz
  shell: >
    chdir=/tmp
--- a/tasks/sanitize_log_strings.yaml
+++ b/tasks/sanitize_log_strings.yaml
@ -0,0 +1,14 @@
+---
+# See README section 'Sanitizing Log Strings'
+- name: Sanitize logs to remove senstive details
+  find:
+    paths: "{{ outer_item.dir_path }}"
+    patterns: "{{ outer_item.file_pattern }}"
+  register: files_with_pattern
+
+- name: Replace orig_string with sanitized_string in the files
+  replace:
+    path: "{{ item.path }}"
+    regexp: "{{ outer_item.orig_string }}"
+    replace: "{{ outer_item.sanitized_string }}"
+  with_items: "{{ files_with_pattern.files }}"