1SOS(CLEAN) SOS(CLEAN)
2
3
4
6 sos clean - Obfuscate sensitive data from one or more sosreports
7
9 sos clean TARGET [options]
10 [--domains]
11 [--disable-parsers]
12 [--keywords]
13 [--keyword-file]
14 [--map-file]
15 [--jobs]
16 [--no-update]
17 [--keep-binary-files]
18 [--archive-type]
19
20
22 sos clean or sos mask is an sos subcommand used to obfuscate sensitive
23 information from previously generated sosreports that is not covered by
24 the standard plugin-based post processing executed during report gener‐
25 ation, for example IP addresses.
26
27 Data obfuscated via this utility is done so consistently, meaning for
28 example an IP address of 192.168.1.1 in an unprocessed sosreport that
29 gets obfuscated to, for example, 100.0.0.1, will be changed to
30 100.0.0.1 in all occurrences found in the report.
31
32 Additionally, by default all such obfuscations are stored in "maps"
33 that will be persistently saved to /etc/sos/cleaner/default_mapping and
34 be re-used on subsequent runs.
35
36 This utility may also be used in-line with sos report and sos collect
37 by specifying the --clean or --mask option.
38
39 When called directly via sos clean, the obfuscated archive is written
40 as an additional file, meaning the original unprocessed report still
41 remains on the filesystem. When called via report or collect, the
42 changes are done in-line and thus only an obfuscated archive is written
43 and available. In either case, a mapping file containing the relation‐
44 ships between unprocessed and obfuscated elements will be written in
45 the same location as the resulting archive. This mapping file should be
46 kept private by system administrators.
47
48
50 TARGET
51
52 The path to the archive that is to be obfuscated. This may be an ar‐
53 chive or an unbuilt sos temporary
54 directory. If an archive, it will first be extracted and then
55 after obfuscation is complete re-compressed using the same com‐
56 pression method as the original.
57
58
60 --domains DOMAINS
61 Provide a comma-delimited list of domain names to obfuscate, in
62 addition to those matching the hostname of the system that cre‐
63 ated the sosreport. Subdomains that match a domain given via
64 this option will also be obfuscated.
65
66 For example, if --domains redhat.com is specified, then 'red‐
67 hat.com' will be obfuscated, as will 'www.redhat.com' and subdo‐
68 mains such as 'foo.redhat.com'.
69
70 --disable-parsers PARSERS
71 Provide a comma-delimited list of parsers to disable when clean‐
72 ing an archive. By default all parsers are enabled.
73
74 Note that using this option is very likely to leave sensitive
75 information in place in the target archive, so only use this op‐
76 tion when absolutely necessary or you have complete trust in the
77 party/parties that may handle the generated report.
78
79 Valid values for this option are currently: hostname, ip, ipv6,
80 mac, keyword, and username.
81
82 --keywords KEYWORDS
83 Provide a comma-delimited list of keywords to scrub in addition
84 to the default parsers.
85
86 Keywords provided by this option will be obfuscated as "obfus‐
87 catedwordX" where X is an integer based on the keyword's index
88 in the parser. Note that keywords will be replaced as both
89 standalone words and in substring matches.
90
91 --keyword-file FILE
92 Provide a file that contains a list of keywords that should be
93 obfuscated. Each word must be specified on a newline within the
94 file.
95
96 --map-file FILE
97 Provide a location to a valid mapping file to use as a reference
98 for existing obfuscation pairs. If one is found, the contents
99 are loaded before parsing is started. This allows consistency
100 between runs of this command for obfuscated pairs. By default,
101 sos will write the generated private map file to
102 /etc/sos/cleaner/default_mapping so that consistency is main‐
103 tained by default. Users may use this option to reference a map
104 file from a different run (perhaps one that was done on another
105 system).
106
107 Default: /etc/sos/cleaner/default_mapping
108
109 --jobs JOBS
110 The number of concurrent archives to process, if more than one.
111 If this utility is called by sos collect then the value of the
112 jobs option for that utility will be used here.
113
114 Default: 4
115
116 --no-update
117 Do not write the mapping file contents to /etc/sos/cleaner/de‐
118 fault_mapping
119
120 --keep-binary-files
121 Keep unprocessable binary files in the archive, rather than re‐
122 moving them.
123
124 Note that binary files cannot be obfuscated, and thus keeping
125 them in the archive may result in otherwise sensitive informa‐
126 tion being included in the final archive. Users should review
127 any archive that keeps binary files in place before sending to a
128 third party.
129
130 Default: False (remove encountered binary files)
131
132 --archive-type TYPE
133 Specify the type of archive that TARGET was generated as. When
134 sos inspects a TARGET archive, it tries to identify what type of
135 archive it is. For example, it may be a report generated by sos
136 report, or a collection of those reports generated by sos col‐
137 lect, which require separate approaches.
138
139 This option may be useful if a given TARGET archive is known to
140 be of a specific type, but due to unknown reasons or some mal‐
141 formed/missing information in the archive directly, that is not
142 properly identified by sos.
143
144 The following are accepted values for this option:
145
146 auto Automatically detect the archive type
147 report An archive generated by sos report
148 collect An archive generated by sos collect
149 insights An archive generated by the insights-client
150 package
151
152 The following may also be used, however note that these do not
153 attempt to pre-load any information from the archives into the
154 parsers. This means that, among other limitations, items like
155 host and domain names may not be obfuscated unless an obfuscated
156 mapping already exists on the system from a previous execution.
157
158 data-dir A plain directory on the filesystem.
159 tarball A generic tar archive not associated with any
160 known tool
161
162
164 sos(1) sos-report(1) sos-collect(1) sos.conf(5)
165
166
168 Jake Hunsaker <jhunsake@redhat.com>
169
171 See AUTHORS file in the package documentation.
172
173
174
175Thu May 21 2020 1 SOS(CLEAN)