SOS(CLEAN)                                                        SOS(CLEAN)

sos clean - Obfuscate sensitive data from one or more sosreports

sos clean TARGET [options]
    [--domains]
    [--keywords]
    [--keyword-file]
    [--map-file]
    [--jobs]
    [--no-update]
    [--keep-binary-files]
    [--archive-type]

sos clean or sos mask is an sos subcommand used to obfuscate sensitive
information in previously generated sosreports that is not covered by
the standard plugin-based post-processing executed during report
generation, for example IP addresses.

Data is obfuscated consistently: for example, if an IP address of
192.168.1.1 in an unprocessed sosreport gets obfuscated to 100.0.0.1,
it will be changed to 100.0.0.1 in all occurrences found in the report.

Additionally, by default all such obfuscations are stored in "maps"
that will be persistently saved to /etc/sos/cleaner/default_mapping and
be re-used on subsequent runs.

This utility may also be used in-line with sos report and sos collect
by specifying the --clean or --mask option.

When called directly via sos clean, the obfuscated archive is written
as an additional file, meaning the original unprocessed report still
remains on the filesystem. When called via report or collect, the
changes are done in-line and thus only an obfuscated archive is written
and available. In either case, a mapping file containing the
relationships between unprocessed and obfuscated elements will be written
in the same location as the resulting archive. This mapping file should
be kept private by system administrators.

TARGET
    The path to the archive that is to be obfuscated. This may be an
    archive or an unbuilt sos temporary directory. If an archive, it
    will first be extracted and then after obfuscation is complete
    re-compressed using the same compression method as the original.

--domains DOMAINS
    Provide a comma-delimited list of domain names to obfuscate, in
    addition to those matching the hostname of the system that created
    the sosreport. Subdomains that match a domain given via this option
    will also be obfuscated.

    For example, if --domains redhat.com is specified, then
    'redhat.com' will be obfuscated, as will 'www.redhat.com' and
    subdomains such as 'foo.redhat.com'.

--keywords KEYWORDS
    Provide a comma-delimited list of keywords to scrub in addition to
    the default parsers.

    Keywords provided by this option will be obfuscated as
    "obfuscatedwordX" where X is an integer based on the keyword's
    index in the parser. Note that keywords will be replaced as both
    standalone words and in substring matches.

--keyword-file FILE
    Provide a file that contains a list of keywords that should be
    obfuscated. Each keyword must be on its own line in the file.

--map-file FILE
    Provide the path to a valid mapping file to use as a reference for
    existing obfuscation pairs. If one is found, the contents are
    loaded before parsing is started. This allows consistency between
    runs of this command for obfuscated pairs. By default, sos will
    write the generated private map file to
    /etc/sos/cleaner/default_mapping so that consistency is maintained
    by default. Users may use this option to reference a map file from
    a different run (perhaps one that was done on another system).

    Default: /etc/sos/cleaner/default_mapping

--jobs JOBS
    The number of concurrent archives to process, if more than one. If
    this utility is called by sos collect then the value of the jobs
    option for that utility will be used here.

    Default: 4

--no-update
    Do not write the mapping file contents to
    /etc/sos/cleaner/default_mapping

--keep-binary-files
    Keep unprocessable binary files in the archive, rather than
    removing them.

    Note that binary files cannot be obfuscated, and thus keeping them
    in the archive may result in otherwise sensitive information being
    included in the final archive. Users should review any archive that
    keeps binary files in place before sending to a third party.

    Default: False (remove encountered binary files)

--archive-type TYPE
    Specify the type of archive that TARGET was generated as. When sos
    inspects a TARGET archive, it tries to identify what type of
    archive it is. For example, it may be a report generated by sos
    report, or a collection of those reports generated by sos collect,
    which require separate approaches.

    This option may be useful if a given TARGET archive is known to be
    of a specific type but, for unknown reasons or because of malformed
    or missing information in the archive itself, is not properly
    identified by sos.

    The following are accepted values for this option:

        auto        Automatically detect the archive type
        report      An archive generated by sos report
        collect     An archive generated by sos collect
        insights    An archive generated by the insights-client package

    The following may also be used, however note that these do not
    attempt to pre-load any information from the archives into the
    parsers. This means that, among other limitations, items like host
    and domain names may not be obfuscated unless an obfuscated mapping
    already exists on the system from a previous execution.

        data-dir    A plain directory on the filesystem.
        tarball     A generic tar archive not associated with any known
                    tool
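
The consistency, keyword and map-file behaviour described above, shown as an added illustration in Python; this is not code from sos. The Cleaner class, the reveal helper, the JSON map layout and the 100.0.0.N allocation order are assumptions made for the example.

```python
import ipaddress
import json
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

class Cleaner:
    """Toy consistent obfuscator: an illustration, not sos's implementation."""

    def __init__(self, keywords=(), mapping=None):
        self.map = json.loads(mapping) if mapping else {"ip": {}, "kw": {}}
        for word in keywords:
            # Named by index, following the page's "obfuscatedwordX" scheme.
            self.map["kw"].setdefault(word, f"obfuscatedword{len(self.map['kw'])}")

    def _ip(self, match):
        raw = match.group(0)
        try:
            ipaddress.IPv4Address(raw)
        except ValueError:
            return raw  # not a valid address (e.g. 999.1.1.1): leave it alone
        # Assumed scheme: hand out 100.0.0.N in order of first appearance.
        fake = str(ipaddress.IPv4Address("100.0.0.0") + len(self.map["ip"]) + 1)
        return self.map["ip"].setdefault(raw, fake)

    def clean(self, text):
        text = IP_RE.sub(self._ip, text)
        # Longest keyword first; str.replace also hits substrings of larger words.
        for word in sorted(self.map["kw"], key=len, reverse=True):
            text = text.replace(word, self.map["kw"][word])
        return text

    def dump(self):
        return json.dumps(self.map)

def reveal(text, mapping):
    """Reverse the obfuscation with the map: the reason it must stay private."""
    for group in json.loads(mapping).values():
        for real, fake in sorted(group.items(), key=lambda kv: -len(kv[1])):
            text = text.replace(fake, real)
    return text

# Constructed sample lines, not taken from a real sosreport.
LOG_A = "192.168.1.1 login ok on acme-prod; peer 10.0.0.7; retry from 192.168.1.1"
LOG_B = "10.0.0.7 unreachable, acmecorp gateway 172.16.0.9"

if __name__ == "__main__":
    first = Cleaner(keywords=["acme"])
    print(first.clean(LOG_A), Cleaner(mapping=first.dump()).clean(LOG_B), sep="\n")
```

A second run that loads the saved map keeps 10.0.0.7 at the same obfuscated address, while a run without it assigns a different one; reveal() shows that anyone holding the map can recover the original text.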
148
149
151 sos(1) sos-report(1) sos-collect(1) sos.conf(5)
152
153
155 Jake Hunsaker <jhunsake@redhat.com>
156
158 See AUTHORS file in the package documentation.
159
160
161
162Thu May 21 2020 1 SOS(CLEAN)