Hiding Sensitive Data
Starting with Release 8.1.400.30, Orchestration Server can selectively hide sensitive data in logs when the printing of such data is not explicitly requested by an SCXML strategy. Because Orchestration Server prints each Event as a whole, sensitive data may appear in ORS logs in the following scenarios.
| Type of Logging | Supported? | Source for ORS Configuration Information |
|---|---|---|
| Create/Update ORSURS requests for multimedia interactions. | Supported starting with ORS Release 8.1.400.30 | See Hiding Sensitive Data below. |
| Incoming Web requests, processed by WebFM and outgoing Web requests from WebFM. | Supported starting with ORS Release 8.1.400.30 | See Hiding Sensitive Data below. |
| Incoming TEvents/Requests from/to T-Server/SIP Server. | Yes. ORS and other Genesys servers already support this functionality. | See the Genesys Security Deployment Guide. Also see the log-filter-data section of the Platform SDK Developer Guide. |
The configuration information below applies to hiding sensitive data in ORSURS and WebFM requests.
Hiding Sensitive Data
To hide ORS log data that may be wholly or partially sensitive in ORSURS requests and Web requests (request/response URL, headers, and body), ORS uses regular expressions. A regular expression is a pattern that describes a set of matching strings. The name "regular expression" is commonly abbreviated to "regex", as in the option name below.
Before printing such data in logs, ORS checks the string data against all regular expressions defined in ors-regex-<name> options. The portion of a string that matches a regular expression is replaced with "****" or tagged. When filtering and/or tagging data in logs, only the hide and tag capabilities are supported, as described under <filter-type> below.
A new option supports the hiding of sensitive data in ORSURS request and Web request logging.
ors-regex-<name>[;<filter-type>]
- For <name>, specify a descriptive name for the rule; each rule needs a different name so that the option names are distinct. Note that ors-regex is case-sensitive.
- For <filter-type>, specify how matched information is hidden in the log when the regex (regular expression) finds a match. See <filter-type> in the table below.
Object: ORS Application object
Option section: log-filter-data
Default value: No default value
Valid values: Any valid Perl-compatible regular expression (regex).
Value changes: Take effect immediately.
Use this option to define regular expressions for hiding/tagging part of a URL, the header or body of a Web request, or the content of an ORSURS request.
<filter-type>
| Valid Value | filter-type Description |
|---|---|
| hide | Symbols matched by a regular expression are replaced by asterisks. |
| tag | tag[(<tag-prefix>,<tag-postfix>)] The substring matched by a regular expression is tagged with the prefix specified by <tag-prefix> and the postfix specified by <tag-postfix>. If the two parameters are not specified, the default tags <# and #> are used as prefix and postfix, respectively. To use the default tags, you can use any of the following values: To define your own tags, replace the two parameters in the value with your tags. Your own tag can be any string up to 16 characters in length; any longer string is truncated. If the string includes a blank space or any of the characters , (comma), (, or ) as start and stop characters, they are not counted as part of the length of the string. For information about how to use the hide and tag filter types, refer to the description of the default-filter-type option in the Framework 8.5 Configuration Options Reference Manual. See Filtering and/or Tagging Data in Logs. |
ORS 8.1.400.31 introduced the option filter-eval-expr, which works with the METRIC:eval_expr log metric and Debug Logging Segmentation (see the log-trace-segments option).
filter-eval-expr
Option section: orchestration
Configuration object: ORS Application object
Default value: false
Valid values: true or false
Value changes: Immediately upon notification
This option enables the hiding of sensitive data in the expression and result fields of the eval_expr log metric. If set to true, ORS checks the string data against the regular expressions defined in the ors-regex-<name> options.
Samples
The samples below show complex regular expressions that can be used to hide substrings recognized as Social Security numbers, phone numbers, and credit card numbers.
Note: Line breaks in the log messages were added for readability.
Hiding of Certain Properties in a JSON-Encoded Object
Initial Log Message:
05:35:30.049 {ORSURS:3} CreateVirtualCall: <<
refID 1
tenant 'Automation'
call 'da377034140aacad'
context '{"MediaType":"email","UserData":{"ReceivedAt":"2015-07-30T12:35:28Z","InteractionId":"da377034140aacad","MediaType":"email",
"PlacedInQueueAt":"2015-07-30T12:35:28Z","InteractionType":"Inbound","InteractionSubType":"InboundNew","Queue":
"Qaart_EmailInboundQueueAutomation","SubmittedBy":"QAART_Media_Server_email_Automation","SubmittedAt":"2015-07-30T12:35:28Z","
MovedToQueueAt":"2015-07-30T12:35:28Z","TenantId":101,"InteractionState":0,
"IsOnline":0,"IsLocked":0,"next_kvlist":{"str":"some str","int":3},"test_name":"eServiceTerminate"}}'
<<
06:25:11.525 {FMWeb:3} Send pending HTTP response: Session ID = 9F7V6Q4L8P0OP7FUD0I8FDM4F4000001, Send ID = 2,
Result Code = Schedule_01_session_start_done, Content = {"PhoneNumber":"+79211122333"}
Configuration:
[log-filter-data]
ors-regex-hide-testname=(?<="test_name":").*?(?=")
ors-regex-hide-mediatype;tag=(?<="MediaType":").*?(?=")
ors-regex-hide-part-of-phone-number=(?<="PhoneNumber":"\+7921).*?(?=")
Log Message After Hiding:
05:35:30.049 {ORSURS:3} CreateVirtualCall: <<
refID 1
tenant 'Automation'
call 'da377034140aacad'
context '{"MediaType":"email","UserData":{"ReceivedAt":"2015-07-30T12:35:28Z","InteractionId":"da377034140aacad","MediaType":
"<#email#>","PlacedInQueueAt":"2015-07-30T12:35:28Z","InteractionType":"Inbound","InteractionSubType":"InboundNew","Queue":"
Qaart_EmailInboundQueueAutomation","SubmittedBy":"QAART_Media_Server_email_Automation","SubmittedAt":"2015-07-30T12:35:28Z",
"MovedToQueueAt":"2015-07-30T12:35:28Z","TenantId":101,"InteractionState":0,"IsOnline":0,
"IsLocked":0,"next_kvlist":{"str":"some str","int":3},"test_name":"****"}}'
<<
06:25:11.525 {FMWeb:3} Send pending HTTP response: Session ID = 9F7V6Q4L8P0OP7FUD0I8FDM4F4000001,
Send ID = 2, Result Code = Schedule_01_session_start_done, Content = {"PhoneNumber":"+7921****"}
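The following Python script is an added illustration of the ors-regex-<name>[;<filter-type>] mechanism described above; it is not Orchestration Server code. It parses a [log-filter-data] section (modelled here as a dict), builds a hide or tag replacer from the option-name suffix, and runs the three regular expressions from the sample configuration over constructed log fragments shaped like the sample messages. Python's re module stands in for the Perl-compatible engine (the lookbehind patterns on this page are fixed-width, so they compile unchanged); the handling of tag(), tag(,) and custom tag pairs follows the table above as read by the editor, and the 16-character truncation is applied after stripping spaces and the delimiters.

```python
import re
from typing import Callable, Dict, List, Tuple

# Fixed replacement used by the "hide" filter type (the page shows "****").
HIDE_MASK = "****"
DEFAULT_TAG = ("<#", "#>")
MAX_TAG_LEN = 16          # longer user-defined tags are truncated

Replacer = Callable[[re.Match], str]


def make_replacer(filter_type: str) -> Replacer:
    """Turn the optional ';<filter-type>' suffix of an option name into a
    substitution callback: '' and 'hide' mask the match, 'tag' and
    'tag(<prefix>,<postfix>)' wrap it."""
    spec = filter_type.strip()
    if spec in ("", "hide"):
        return lambda m: HIDE_MASK
    if spec.startswith("tag"):
        prefix, postfix = DEFAULT_TAG
        args = spec[len("tag"):].strip()
        if args.startswith("(") and args.endswith(")"):
            parts = [p.strip() for p in args[1:-1].split(",", 1)]
            # tag() and tag(,) keep the defaults; any non-empty pair is custom
            if len(parts) == 2 and any(parts):
                prefix, postfix = parts[0][:MAX_TAG_LEN], parts[1][:MAX_TAG_LEN]
        return lambda m, pre=prefix, post=postfix: f"{pre}{m.group(0)}{post}"
    raise ValueError(f"unsupported filter type: {filter_type!r}")


def compile_filters(section: Dict[str, str]) -> List[Tuple[re.Pattern, Replacer]]:
    """Collect every ors-regex-<name>[;<filter-type>] option of a
    [log-filter-data] section into (compiled pattern, replacer) pairs."""
    filters = []
    for key, pattern in section.items():
        if not key.startswith("ors-regex-"):   # unrelated option in the section
            continue
        _name, _sep, filter_type = key.partition(";")
        filters.append((re.compile(pattern), make_replacer(filter_type)))
    return filters


def scrub(line: str, filters: List[Tuple[re.Pattern, Replacer]]) -> str:
    """Apply every filter to one log line; each match is masked or tagged."""
    for pattern, replacer in filters:
        line = pattern.sub(replacer, line)
    return line


# Option values taken from the sample configuration on this page.
SAMPLE_SECTION = {
    "ors-regex-hide-testname": r'(?<="test_name":").*?(?=")',
    "ors-regex-hide-mediatype;tag": r'(?<="MediaType":").*?(?=")',
    "ors-regex-hide-part-of-phone-number": r'(?<="PhoneNumber":"\+7921).*?(?=")',
}

# Constructed log fragments modelled on the sample messages (not real ORS output).
SAMPLE_LINES = [
    'context \'{"MediaType":"email","UserData":{"test_name":"eServiceTerminate"}}\'',
    'Content = {"PhoneNumber":"+79211122333"}',
]


def scrub_samples() -> List[str]:
    """Return the sample lines after filtering with the sample section."""
    filters = compile_filters(SAMPLE_SECTION)
    return [scrub(line, filters) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, scrub_samples()):
        print(before)
        print("  ->", after)
```

Because every filter is applied to every occurrence on a line, a pattern such as the MediaType one tags each "MediaType" value it finds; when a value must survive (for example the top-level one in the sample), the lookbehind has to be made more specific.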
