aboutsummaryrefslogtreecommitdiffstats
path: root/man/en/sos-clean.1
blob: fe3a1d8d760d24863545a9dfa1cfc576d3b643b3 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
.TH SOS CLEAN 1 "Thu May 21 2020"
.SH NAME
sos clean - Obfuscate sensitive data from one or more sosreports
.SH SYNOPSIS
.B sos clean TARGET [options]
    [\-\-domains]
    [\-\-disable-parsers]
    [\-\-skip-cleaning-files|\-\-skip-masking-files]
    [\-\-keywords]
    [\-\-keyword-file]
    [\-\-map-file]
    [\-\-jobs]
    [\-\-no-update]
    [\-\-keep-binary-files]
    [\-\-archive-type]

.SH DESCRIPTION
\fBsos clean\fR or \fBsos mask\fR is an sos subcommand used to obfuscate sensitive information from
previously generated sosreports that is not covered by the standard plugin-based post
processing executed during report generation, for example IP addresses.
.LP
Data obfuscated via this utility is done so consistently, meaning for example an IP address of
192.168.1.1 in an unprocessed sosreport that gets obfuscated to, for example, 100.0.0.1, will be
changed to 100.0.0.1 in all occurrences found in the report.

Additionally, by default all such obfuscations are stored in "maps" that will be persistently
saved to /etc/sos/cleaner/default_mapping and be re-used on subsequent runs.
.LP
This utility may also be used in-line with \fBsos report\fR and \fB sos collect\fR by specifying the
\fB\-\-clean\fR or \fB\-\-mask\fR option.
.LP
When called directly via \fBsos clean\fR, the obfuscated archive is written as an additional file,
meaning the original unprocessed report still remains on the filesystem. When called via \fBreport\fR or
\fBcollect\fR, the changes are done in-line and thus only an obfuscated archive is written and available.
In either case, a mapping file containing the relationships between unprocessed and obfuscated elements will
be written in the same location as the resulting archive. This mapping file should be kept private
by system administrators.

.SH REQUIRED ARGUMENTS
.B TARGET
.TP
The path to the archive that is to be obfuscated. This may be an archive or an unbuilt sos temporary
directory. If an archive, it will first be extracted and then after obfuscation is complete re-compressed
using the same compression method as the original.

.SH OPTIONS
.TP
.B \-\-domains DOMAINS
Provide a comma-delimited list of domain names to obfuscate, in addition to those
matching the hostname of the system that created the sosreport. Subdomains that
match a domain given via this option will also be obfuscated.

For example, if \fB\-\-domains redhat.com\fR is specified, then 'redhat.com' will
be obfuscated, as will 'www.redhat.com' and subdomains such as 'foo.redhat.com'.
.TP
.B \-\-disable-parsers PARSERS
Provide a comma-delimited list of parsers to disable when cleaning an archive. By
default all parsers are enabled.

Note that using this option is very likely to leave sensitive information in place in
the target archive, so only use this option when absolutely necessary or you have complete
trust in the party/parties that may handle the generated report.

Valid values for this option are currently: \fBhostname\fR, \fBip\fR, \fBipv6\fR,
\fBmac\fR, \fBkeyword\fR, and \fBusername\fR.
.TP
.B \-\-skip-cleaning-files, \-\-skip-masking-files FILES
Provide a comma-delimited list of files inside an archive, that cleaner should skip in cleaning.

Globs like asterisk are supported, so \fBsos_commands/host/hostname*\fR will match all three
usual filenames in that directory (\fBhostname\fR, \fBhostnamectl_status\fR and \fBhostname_-f\fR).

Use this option with caution, only when being certain the given files do not contain any sensitive
information.
.TP
.B \-\-keywords KEYWORDS
Provide a comma-delimited list of keywords to scrub in addition to the default parsers.

Keywords provided by this option will be obfuscated as "obfuscatedwordX" where X is an
integer based on the keyword's index in the parser. Note that keywords will be replaced as
both standalone words and in substring matches.
.TP
.B \-\-keyword-file FILE
Provide a file that contains a list of keywords that should be obfuscated. Each word must
be specified on a newline within the file.
.TP
.B \-\-map-file FILE
Provide a location to a valid mapping file to use as a reference for existing obfuscation pairs.
If one is found, the contents are loaded before parsing is started. This allows consistency between
runs of this command for obfuscated pairs. By default, sos will write the generated private map file
to /etc/sos/cleaner/default_mapping so that consistency is maintained by default. Users may use this
option to reference a map file from a different run (perhaps one that was done on another system).

Default: /etc/sos/cleaner/default_mapping
.TP
.B \-\-jobs JOBS
The number of concurrent archives to process, if more than one. If this utility is called by
\fBsos collect\fR then the value of the jobs option for that utility will be used here.

Default: 4
.TP
.B \-\-no-update
Do not write the mapping file contents to /etc/sos/cleaner/default_mapping
.TP
.B \-\-keep-binary-files
Keep unprocessable binary files in the archive, rather than removing them.

Note that binary files cannot be obfuscated, and thus keeping them in the archive
may result in otherwise sensitive information being included in the final archive.
Users should review any archive that keeps binary files in place before sending to
a third party.

Default: False (remove encountered binary files)
.TP
.B \-\-archive-type TYPE
Specify the type of archive that TARGET was generated as.
When sos inspects a TARGET archive, it tries to identify what type of archive it is.
For example, it may be a report generated by \fBsos report\fR, or a collection of those
reports generated by \fBsos collect\fR, which require separate approaches.

This option may be useful if a given TARGET archive is known to be of a specific type,
but due to unknown reasons or some malformed/missing information in the archive directly,
that is not properly identified by sos.

The following are accepted values for this option:

    \fBauto\fR          Automatically detect the archive type
    \fBreport\fR        An archive generated by \fBsos report\fR
    \fBcollect\fR       An archive generated by \fBsos collect\fR
    \fBinsights\fR      An archive generated by the \fBinsights-client\fR package

The following may also be used, however note that these do not attempt to pre-load
any information from the archives into the parsers. This means that, among other limitations,
items like host and domain names may not be obfuscated unless an obfuscated mapping already exists
on the system from a previous execution.

    \fBdata-dir\fR      A plain directory on the filesystem.
    \fBtarball\fR       A generic tar archive not associated with any known tool

.SH SEE ALSO
.BR sos (1)
.BR sos-report (1)
.BR sos-collect (1)
.BR sos.conf (5)

.SH MAINTAINER
.nf
Maintained on GitHub at https://github.com/sosreport/sos
.fi
.SH AUTHORS & CONTRIBUTORS
See \fBAUTHORS\fR file in the package documentation.