This section provides a reference overview of the Privacy.cfg
file, which is used to configure privacy rules that are applied to the capture stream in the Tealeaf CX Passive Capture Application.
Privacy enables the removal or encryption of sensitive information in the capture stream. Privacy can be applied at the following points during the capture and processing of session data.
- UI Capture
- PCA
- Windows™ Pipeline
You can use the Windows-based privacy tester utility to develop and test your privacy rules. Tested rules can then be pasted back into this configuration file for application to the PCA.
Additional documentation is provided in the notes in the Privacy.cfg
configuration file. This file is in the /usr/local/ctccap/etc
directory. It can be edited with the vi editor.
Rules
- Property
- Description
Enabled
True
orFalse
value which specifies whether this rule is active.Tests
- One or more test names which correspond to the names of test sections. The specified tests are evaluated to determine whether the actions is run for the rule. If no test is specified (and no embedded test specified as described below), then the actions are run for every hit.
TestOp
- Logical operator to use when multiple tests are specified. Possible values are
AND
andOR
.- If
TestOp=AND
, then all tests must returnTrue
for the actions to be processed. - If
TestOp=OR
, then the actions are processed if any of the tests returnTrue
.
- If
Not
True
orFalse
value. IfTrue
, then the result of the test evaluation is inverted (logicalNOT
).StopProcessing
True
orFalse
value that is indicating whether to stop processing further rules if this rule evaluates toTrue
.Actions
- One or more action names which correspond to the names of action sections to process if this rule returns
True
. ReqField
- Name portion of a name-value pair. This can also be one of the following reserved names:
TL_URLEXT
TL_URLTAIL
TL_VIRTUALDIR
ReqOp
- Operation to perform - options are:
EQ
or=
NE
or != or<>
GT
or>
LT
or<
CONTAINS
PARTOF
PARTOFLIST
ReqVal
- Literal value or field name (set
ReqValIsField=True
for field name). WhenReqOp=PARTOFLIST
, this value must specify a list of values separated either by a semicolon or another delimiter (specified usingListDelimiter
). ReqValIsField
True
orFalse
indicating whetherReqVal
contains a fieldname.ListDelimiter
- The character that is used to separate list items in
ReqVal
when you useReqOp=PARTOFLIST
. The default is a semicolon,;
. CaseSensitive
True
orFalse
value indicating whether the searches for field names must be case-sensitive. Default isFalse
. Setting this toTrue
speeds up searches.
Tests
- Property
- Description
ReqField
- Name portion of a name-value pair. This can also be one of the following reserved names:
TL_URLEXT
TL_URLTAIL
TL_VIRTUALDIR
ReqOp
- Operation to perform - options are:
EQ
or=
NE
or != or<>
GT
or>
LT
or<
CONTAINS
PARTOF
PARTOFLIST
ReqVal
- Literal value or field name (set
ReqValIsField=True
for field name). IfReqOp=PARTOFLIST
, this value must specify a list of values that are separated either by a semicolon or another delimiter (specified by usingListDelimiter
). ReqValIsField
True
orFalse
indicating whetherReqVal
contains a field name.ListDelimiter
- The character that is used to separate list items in
ReqVal
whenReqOp=PARTOFLIST
. The default is a semicolon,;
. CaseSensitive
True
orFalse
value that is indicating whether the searches for field names must be case-sensitive. Default isFalse
. Setting this toTrue
speeds up searches.Not
True
orFalse
value. If set toTrue
, then the result of the test evaluation is inverted (logicalNOT
).
Actions
- Property
- Description
Action
- The action to take. Following are the values :
Block
- Blocks the matched data using the specified strike character.Encrypt
- Encrypts the matched data and masks it with the specified strike character.Replace
- Replaces the matched data with a specified text string.DropHit
- Drops the current hit (no further action is taken). Any rule may have a drop hit action.DropResponse
- Drops the response from the current hit.ReqSet
- Sets or replaces the value for the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if is doesn't exist.ReqAppend
- Appends to the value of the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if it doesn't exist.ReqDelete
- Removes the specified name/value pair completely from the request. This does not remove the section, even if empty.
Key
- key ID to use for encryption if
Action=Encrypt
. Group
- Group name (in the format domain\groupname) to use for encryption if
Action=Encrypt
.Note: Use eitherKey
orGroup
to specify the encryption key, not both. Section
- The section name of the data to act upon. If this is value that is set to
response
, then the response is processed. This can also be one of the following reserved names:urlfield
- Performs the action for the specified ValueName (or all if ValueName is omitted) for values in the urlfield section, QUERY_STRING, query string in RawRequest (if present) and the query string in HTTP_REFERER and the Referer request header and request body in RawRequest (if present).cookies
- Performs the action for the specified ValueName (or all if ValueName is omitted) for values in the[cookies]
section, HTTP_COOKIE and HTTP_SET_COOKIE name-value pairs, Set-Cookies headers in the ResponseHeader section (if present), Set-Cookie headers in the response, and the[cookies]
header in the RawRequest section (if present).Note: If a Section is not specified in an action, then the entire request buffer (REQ) is used.
IgnoreSpecial
True
orFalse
value that is indicating whether to ignore special handling whenurlfield
orcookies
is specified for the Section. Setting this toTrue
allowsStartPattern
orStartPatternRE
to be used in theurlfield
orcookies
sections. Default isFalse
.Field
- One or more optional field names (name portion of the name-value pair). If both Field and ValueName are omitted, then the entire section is blocked/encrypted. This can also be one of the following reserved names:
body
- IfSection=response
then, this value specifies the response body as the target. IfSection=RawRequest
, then the request body (if present) is processed.
ValueName
- One or more names of values (in multi-value name-value pairs, such as HTTP_COOKIE) or the names of items when
Section=urlfield
orSection=cookies
. Invert
True
orFalse
value that is indicating whether to invert the action (perform on all fields or ValueNames EXCEPT the ones specified).- If
ValueName
is specified, then all except the name(s) specified inValueName
are processed. - If
ValueName
is not specified, then the name(s) specified forField
is/are excepted from the action.Note: This can only be used withBlock
,Encrypt
, andReplace
actions.StartPattern
andStartPatternRE
cannot be used with an invert action.
- If
StartPattern
- The starting string pattern to search for within the specified data. The data immediately following the matching pattern is processed. If
StartPattern
is used, then you must also specify eitherEndPattern
or Length, unless you set Inclusive toTrue
. WhenInclusive=True
, theStartPattern
(and optionalEndPattern
) are blocked/encrypted as well. This is useful for blocking or encrypting a constant data string. StartPatternRE
- Regular expression version of StartPattern. This can be used to specify a standard regular expression to define the starting pattern to find. You can use either
StartPattern
orStartPatternRE
, but not both. EndPattern
- The string pattern which signals the end of the data that is matched by a StartPattern. The data up to, but not including, the
EndPattern
is processed (unlessInclusive=True
). EndPatternRE
- Regular expression version of
EndPattern
. This can be used to specify a standard regular expression to define the ending pattern to find. You can use eitherEndPattern
orEndPatternRE
, but not both. Length
- Used in lieu of an
EndPattern
orEndPatternRE
, this value specifies the length of the data (in bytes) to process following a matchedStartPattern
(orStartPatternRE
). Inclusive
True
orFalse
value that is indicating whether theStartPattern
(orStartPatternRE
) and (optional)EndPattern
(orEndPatternRE
) are blocked or encrypted. Default isFalse
.RepeatCount
- This can be used for actions that have a
StartPattern
orStartPatternRE
to specify how many instances of data that is matching the pattern is processed. ReplaceString
- The string that is used to replace the original data when
Action=Replace
. CaseSensitive
True
orFalse
value that is indicating whether the searches for field names and/or patterns must be case-sensitive. Default isFalse
. Setting this toTrue
speeds up searches.StrikeChar
- The character that is used to replace the original data that is blocked or encrypted. This can be any alphanumeric character or symbol not included in the following list:
- . (period)
- , (comma)
- / (forward slash)
- \ (backslash)
- [(left square bracket)
- ] (right square bracket)
- | (pipe)
- '(single quotation mark)
- " (double quotation mark)
StrikeLen
- Optional length (in bytes) of strike data. This is the number of StrikeChar characters that are used to replace the original data (if
Action=Block
orAction=Encrypt
).- If
StrikeLen
is longer than the original data length, then more strike characters are added. - If
StrikeLen
is shorter than the original data length, thenStrikeLen
characters are replaced with theStrikeChar
and the remaining data is removed. - If
StrikeLen
is a negative number, then the number of characters represented by the absolute value ofStrikeLen
is left as-is. For example, to leave the last four characters or a value untouched, setStrikeLen=-4
. - For more flexible options, see BlockingMask.
- If
BlockingMask
- An optional regular expression that specifies which characters in the found data are replaced with the strike character (does not apply to Replace action). All characters within a group (defined by parentheses) in the regular expression are replaced with the strike character. Characters that match part of the pattern outside of a group are not replaced.
For example, the following mask would block just the numbers in a Social Security Number, leaving the dashes visible:
BlockingMask=([0-9]{3})-([0-9]{2})-([0-9]{4})
This example would leave the first four digits of a credit card number visible:
BlockingMask=[0-9]{4}([0-9]*)
BlockingMask is used in lieu of StrikeLen. You can use one or the other, but not both.
Note: Be careful when you use BlockingMask. If the data does not match the regular expression that is specified for BlockingMask, then the data is not blocked or encrypted. ReqSetSection
- Specifies the section for the name-value pair for a
ReqSet
,ReqAppend
, orReqDelete
action.ReqSetSection
is required for these three actions. ReqSetField
- Specifies the name of a name-value pair for a
ReqSet
,ReqAppend
, orReqDelete
action.ReqSetField
is required for these three actions. ReqSetResult
- This option is used in conjunction with
StartPatternRE
to produce a formatted value for aReqSet
orReqAppend
action. TheStartPatternRE
expression should contain one or more "groups", defined by parentheses within the regular expression.ReqSetResult
is a string containing literal text and placeholders for the data captured byStartPatternRE
.Examples:
StartPatternRE=name="(.*?)" value="(.*?)" ReqSetResult=Field {g1} value: {g2}
Would result in a following value like:
Field name value: Bob
The first placeholder, {g1}, is replaced with the value from the first group in the regular expression. {g2} gets the second value, and so on. The result string is then used as the value for the
ReqSet
orReqAppend
action.
Action notes
- For
ReqSet
andReqAppend
the value to set or append can be specified in different ways. You can either use a literal string by setting ReplaceString to the required text, or you can pull data from the request or response by usingSection
,Field
,ValueName
,StartPattern
,StartPatternRE
,EndPattern
and/orEndPatternRE
. - When you useg
StartPattern
orStartPatternRE
with one of these actions the RepeatCount is always set to 1 (the first match is always used). IgnoreSpecial
is always True for these actions whenSection
is specified. There is no special handling for theurlfield
orcookies
sections with these actions.- The value for a field (name/value pair) can be cleared without removing the entire field by using
ReplaceString
with no value:ReplaceString=
- All carriage-returns and linefeeds in the value string are replaced with
\r
and\n
. - Privacy changes are queued and applied after all actions are complete. This means that actions normally see the original data.
ReqSet
,ReqAppend
andReqDelete
keep track of field additions, changes, and deletions, so multiple changes to a single field (such adding a field then concatenating addition data to the value) can be done safely. Since the Replace action can affect any arbitrary piece of data in the request or response, it is not included in this change tracking. Changes that are made to field values are best done by usingReqSet
andReqAppend
. - When you use use
Field
orValueName
withReqSet
orReqAppend
you must specify a single field or value name. If there are multiple names the value for the last item that found is used. - Similar to the note above, you must avoid specifying only a section to retrieve the value for a
ReqSet
orReqAppend
. Doing so results in the value from the last field (name/value pair) in the section that is used for theReqSet
orReqAppend
.