
04. sos Report is Secure

Written on . Posted in sos command.

Safeguarding private, sensitive system data is paramount. The sos command includes features that help ensure sensitive information is obfuscated before data is shared. For example, hostnames, IP addresses, and UUIDs can be anonymized, providing peace of mind when reports need to be sent to third-party vendors or remote teams. This ensures that while the report provides a detailed view of the system, it does not expose critical information.

Additionally, reports can be encrypted using GPG or OpenSSL, which adds an extra layer of protection when diagnostic data is transmitted across insecure channels, making the sos report a trusted ally in the search for system issues and their root cause.

Obfuscation is activated with the --clean flag, and encryption is enabled with the --encrypt, --encrypt-pass or --encrypt-key flags.

Sensitive data obfuscation

The sos tool includes a feature (the --clean option) designed to mask sensitive information such as usernames, hostnames, IP or MAC addresses, or other specified terms. The original sos report or sos collect archive remains untouched, while a separate obfuscated archive with the -obfuscated.tar.xz suffix is created.

An obfuscation mapping file is also created under the /tmp or /var/tmp directory. It can be identified by the -private_map suffix in its name and contains a description of the terms that were masked. Because it relates the masked values back to the originals, it should stay on the local system and never be sent along with the obfuscated archive.

The --keywords option can also be added to clean a given list of additional keywords.

The --usernames option can also be added to obfuscate further sensitive user names. The sos command already supports automatic user name cleaning: it runs for users reported through the lastlog file with a UID of 1000 and above. The --usernames option is intended for LDAP users that may not appear as an actual login but may occur in certain log files.
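
A post-cleaning check, added here as an example and not part of the sos project or the original post: after extracting the -obfuscated.tar.xz archive, it scans the tree for terms that should have been masked, which is exactly the information you would feed back into --keywords. The directory layout, file contents and terms are constructed, and the function name check_leaks is hypothetical.

```shell
#!/bin/sh
# Added example: verify that a cleaned sos archive (the *-obfuscated.tar.xz
# produced by --clean) really contains none of the original sensitive terms.
# Real-world use: tar xJf *-obfuscated.tar.xz && check_leaks DIR TERM...

# Search every file under $1 for the fixed strings given as the remaining
# arguments. Prints each leak, summarises the count, returns 0 only if clean.
check_leaks() {
    dir="$1"; shift
    leaked=0
    for term in "$@"; do
        # -F: match literally (hostnames and IPs contain dots), -r: recurse
        if grep -rqF -- "$term" "$dir" 2>/dev/null; then
            grep -rlF -- "$term" "$dir" | while IFS= read -r f; do
                echo "LEAK: '$term' still present in $f"
            done
            leaked=$((leaked + 1))
        fi
    done
    echo "$leaked leaking term(s)"
    [ "$leaked" -eq 0 ]
}

# Constructed stand-in for an extracted obfuscated archive (not real sos output).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/var/log" "$demo_dir/etc"
# A log line where hostname, user and IP were already replaced by placeholders.
printf 'host0 sshd[812]: Accepted publickey for user0 from 100.0.0.1\n' \
    > "$demo_dir/var/log/secure"
# A config file where site-specific terms survived because they were never
# passed to --keywords (backup target name, licence string).
printf 'backup_target = nas-backup.corp.internal\nlicense = ACME-7F3Q-KEY\n' \
    > "$demo_dir/etc/backup.conf"

# Terms from the un-obfuscated system that must not appear in the tree.
if check_leaks "$demo_dir" "db-prod-01" "192.0.2.17" \
        "nas-backup.corp.internal" "ACME-7F3Q-KEY"; then
    echo "obfuscated tree is clean, safe to hand over"
else
    echo "re-run sos report --clean with the leaked terms passed via --keywords"
fi
```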


Securing with GPG passphrase encryption

The sos report command output can be secured with symmetric GPG2 encryption based on a passphrase. You might want to protect the contents of an sos report with a password if, for example, you need to transfer it over a public network. There are three mutually exclusive options for this purpose:

  • --encrypt: This option prompts you for a password to encrypt the data.
  • --encrypt-pass: This option allows you to provide the password to encrypt the data directly on the command line (used with the --batch option).
  • --encrypt-key: This option allows you to provide the name of a key (an existing key pair in root's GPG keyring). This name identifies the actual key to be used for data encryption.

In any case, the command writes a file with the secured-sosreport-* prefix and the .gpg file extension, indicating that the file is encrypted.

Please note that when decrypting the file for further analysis, the password must be provided if the --encrypt or --encrypt-pass option was used. In the case of --encrypt-key, however, the passphrase chosen when the GPG key was created is the one that must be supplied to the decryption function.

Generating a GPG2 (GnuPG 2) key pair is out of the scope of this document; however, there is plenty of information about it on the web (just search for "Generating a GPG key pair").
