
Encrypting or scrubbing Rails log files

We have a customer with very stringent security requirements. So we will encrypt the Rails database using one of Postgres's database encryption options. But that still leaves customer's data exposed in what the Rails logger logs when forms are submitted to create data.

I guess one option is not to encrypt the log file, but to suppress all the parameter values that get logged for POST requests by Rails. What is the best way of doing that?

Another option is to encrypt Rails log files as they are written to disk. Is that a better way to go, and what's a good way to do it?

One thing that you can do is, in your config/application.rb file, add fields that you want to omit from the logs, like this:

class Application < Rails::Application
  # ...
  # Replace the values of these parameters with [FILTERED] in the logs
  config.filter_parameters += [:password]
  config.filter_parameters += [:ssn]
  # ...
end

I hope that this helps.
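
The answer above hides fields one by one, while the question asks about suppressing all parameter values. As an added example (not code from the original posts and not Rails' own implementation), this stand-alone Ruby contrasts the two policies on a constructed params hash; the field names and the helpers scrub_denylist, scrub_allowlist and walk are hypothetical.

```ruby
FILTERED = "[FILTERED]"

# Denylist policy: redact a leaf value when its key contains one of the
# listed names (substring match, like listing symbols one by one).
def scrub_denylist(params, deny)
  pattern = Regexp.union(deny.map(&:to_s))
  walk(params) { |key| key.to_s.match?(pattern) }
end

# Allowlist policy: redact every leaf value unless its key is explicitly
# declared safe, so a newly added form field is hidden by default.
def scrub_allowlist(params, allow)
  safe = allow.map(&:to_s)
  walk(params) { |key| !safe.include?(key.to_s) }
end

# Return a scrubbed copy of params. Hashes and arrays are descended into;
# only leaf values are replaced, and the input is never mutated.
def walk(value, key = nil, &redact)
  case value
  when Hash  then value.map { |k, v| [k, walk(v, k, &redact)] }.to_h
  when Array then value.map { |v| walk(v, key, &redact) }
  else key && redact.call(key) ? FILTERED : value
  end
end

# Constructed sample of a POST body; all names and values are made up.
SAMPLE = {
  "locale" => "en",
  "patient" => {
    "name" => "Jane Roe",
    "ssn" => "000-00-0000",
    "password" => "example-password",
    "medical_notes" => "allergic to penicillin",
    "contacts" => [{ "phone" => "555-0100" }]
  },
  "commit" => "Create"
}.freeze

if __FILE__ == $PROGRAM_NAME
  require "pp"
  pp scrub_denylist(SAMPLE, %i[password ssn])    # medical_notes still visible
  pp scrub_allowlist(SAMPLE, %w[locale commit])  # only declared keys visible
end
```

Rails' parameter filter also accepts a lambda that receives the key and value, which is one place an allowlist policy like this could be plugged in.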

If you want something better than the filter_parameters for all params, you can write a custom logger. See: http://rubyjunky.com/cleaning-up-rails-4-production-logging.html and the gem someone extracted from it, https://github.com/gshaw/concise_logging

However, you're going to need to store the encryption key somewhere on the same machine as the logs, which potentially means it's un-encryptable too if someone has active access (but not if they just somehow get the logs later).

Some questions to think about:

  • Do you need the parameter logging at all? (Do you even check the logs? How do you track errors?)
  • What sort of compliance are you trying to hit? PCI? HIPAA?
  • What is the attack vector you're trying to avoid? I.e. log access via shared hosting, physical attack (remove hard drive), remote access (grab all files off machine), ...

Your answers will define guidelines on how to attack this problem!

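Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you republish them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.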
