Forum Discussion
mframpton_60606
Nimbostratus
Oct 31, 2008
Encrypted database?
Does anyone know if the backend database that stores the learned information is encrypted? We have sensitive information going through our ASM that needs to either be x'ed out or encrypted to keep with our PCI compliance. We noticed that this information was being logged as clear text. I found the option to x out via parameter name, however I cannot seem to find anything that tells me if the backend database is encrypted or also clear text.
TIA!
5 Replies
- Bill_Beverley_7
Historic F5 Account
Hi,
Further to Aaron's post - for PCI compliance purposes I would suggest that you configure the ASM's "Sensitive Parameters" settings (Application Security -> Policy, Advanced Tab -> Sensitive Parameters).
By assigning parameters as sensitive, their values will be replaced with *'s in the log files (local and/or remote) and in the MySQL database. My understanding of the PCI auditing process is that this would remove the requirement to encrypt the logs or the database columns as they no longer contain cardholder details, but Aaron could probably give you a better steer on that than I.
Rgds
Bill
- Ido_Breger_3805
Historic F5 Account
Bill is correct, if you define the parameter that carries the encrypted information as "sensitive", ASM will not log its data anywhere, not in the log file and not in the internal learning database. This will solve your compliance issue.
Cheers,
Ido
- mframpton_60606
Nimbostratus
Thanks for the responses!
The problem that lies with the sensitive parameters option is that it requires that you know the parameter that uses that information. That's all well and good if your company has a firm grip on how those parameters are defined. Unfortunately our company at this time doesn't dictate what parameter names the application programmers can use, thus making it impossible for us (the network folks) to ever be 100% sure all values are getting caught. I was hoping there might be a more global way to filter, but I haven't found it yet. We may have to export the database and scan it somehow.
- hoolio
Cirrostratus
I think it would be prohibitively expensive in terms of performance to do some kind of wildcard or regex match against all parameter values to mask potentially sensitive data in logs/database. But maybe it would still be a worthwhile enhancement request to make to F5.
You can run asmqkview from the command line to dump the MySQL database to a text file (gzip compressed tar archive).
tar xvfz /var/tmp/asm_snapshot.example.com.tar.gz *asm_mysql.dump
You could search for credit card numbers or other sensitive data using regexes.
Aaron
- AaronJB
Ret. Employee
I'm pretty sure there is an existing enhancement request open to add the ability to define sensitive parameters by wildcards (thus defining a single "*" would give you the functionality you're looking for), so I'd definitely suggest firing up a support case to at least have your voice added to that request.
Aaron
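hoolio's suggestion above is to extract asm_mysql.dump from the asmqkview archive and search it for card numbers with regexes. The script below is an added example of that scan, written here for this thread; it is not F5 code and not something the posters supplied. It assumes the dump is plain text with one SQL statement per line (the SAMPLE_DUMP string is a constructed stand-in, with made-up parameter names and the standard Visa/Mastercard test numbers, not a real dump). It goes a little beyond a bare regex: each 13-19 digit run is also checked with the Luhn algorithm so that order ids and phone numbers are not reported as false positives, and a second function masks any confirmed hits to first six / last four so a sanitised copy can be handed to an auditor.

```python
import re
import sys

# Constructed sample of what lines in the learning-database dump might look like.
# Parameter names and values are invented for this example; only the first and
# third values are Luhn-valid card-shaped numbers.
SAMPLE_DUMP = """INSERT INTO params VALUES ('acct_no','4111111111111111');
INSERT INTO params VALUES ('order_id','1234567890123');
INSERT INTO params VALUES ('cc','5500 0000 0000 0004');
INSERT INTO params VALUES ('note','call 555-0100 today');
"""

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(match_text: str) -> str:
    """Strip the separators so only the digits remain."""
    return re.sub(r'[ -]', '', match_text)


def find_candidate_pans(text: str):
    """Return (line_number, digits) for every Luhn-valid card-shaped run."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = _normalise(m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, digits))
    return hits


def mask_pans(text: str) -> str:
    """Replace confirmed card numbers with first6 + stars + last4."""
    def repl(m):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]
        return m.group()        # not a card number: leave untouched
    return PAN_RE.sub(repl, text)


if __name__ == '__main__':
    # Usage: python scan_dump.py asm_mysql.dump  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            data = fh.read()
    else:
        data = SAMPLE_DUMP
    for lineno, digits in find_candidate_pans(data):
        print(f"line {lineno}: possible PAN ending in {digits[-4:]}")
```

Run it against the extracted dump (after the tar command hoolio gives) to get a line-numbered list of hits; the report deliberately prints only the last four digits so the scan output itself does not become another clear-text copy of the card data. The Luhn check is what keeps the noise down on a large dump, but it is a filter, not proof: a Luhn-valid 16-digit value that is really a tracking number will still be reported, so hits should be checked against the parameter name before anyone declares them cardholder data.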