Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter unexpected log messages containing PII #19329

Closed
2 tasks
Tracked by #19300
timcosgrove opened this issue Sep 25, 2024 · 1 comment · Fixed by #19388
Closed
2 tasks
Tracked by #19300

Filter unexpected log messages containing PII #19329

timcosgrove opened this issue Sep 25, 2024 · 1 comment · Fixed by #19388
Assignees
@edmund-dunn
Labels
CMS Team CMS Product team that manages both editor exp and devops Needs refining Issue status

Comments

@timcosgrove
Copy link
Contributor

timcosgrove commented Sep 25, 2024
edited
Loading

User Story or Problem Statement

We should filter out messages containing PII before they are sent to Datadog, so they we can prevent unexpected PII from being leaked.

Description or Additional Context

Though we've blocked the CMS from inserting PII via known patterns, it is extremely difficult to identify and modify every place where PII might be written to log. Additionally, we cannot prevent editors from inserting PII as content.

The work here is to set up filters for the Datadog agent on the CMS servers that find PII patterns in logs and intercept them before they are sent to Datadog.

Steps for Implementation

Common patterns to scrub: https://docs.datadoghq.com/logs/guide/commonly-used-log-processing-rules/

Log filter implementation: https://docs.datadoghq.com/agent/logs/advanced_log_collection/?tab=configurationfile&site=gov#filter-logs

Note that what Datadog describes as 'log scrubbing' - replacing PII with a masked version - is not available in our Datadog instance. We must use 'filtering' i.e. excluding log messages that contain patterns.

If we are not able to determine what PII patterns OCTO is most concerned about, implement emails and we will iterate.

Acceptance Criteria

  • Log messages generated by the CMS that contain PII patterns are visible in the CMS's logs
  • These same log messages are not visible in Datadog.
@timcosgrove timcosgrove added the Needs refining Issue status label Sep 25, 2024
Open
29 tasks
@gracekretschmer-metrostar gracekretschmer-metrostar added the CMS Team CMS Product team that manages both editor exp and devops label Sep 25, 2024
@gracekretschmer-metrostar
Copy link

Opportunity for platform demo?

@edmund-dunn edmund-dunn mentioned this issue Oct 2, 2024
Merged
20 tasks
@edmund-dunn edmund-dunn linked a pull request Oct 2, 2024 that will close this issue
VAMCS-19329: filter unexpected log messages containing pii #19388
Merged
20 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@edmund-dunn edmund-dunn

Labels
CMS Team CMS Product team that manages both editor exp and devops Needs refining Issue status
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

VAMCS-19329: filter unexpected log messages containing pii department-of-veterans-affairs/va.gov-cms
3 participants
@timcosgrove @edmund-dunn @gracekretschmer-metrostar