Automatically mask passwords

[sorantis]

Provide an automatic way to identify and mask sensitive information such as a password when used with the SQL based database integrations, such as Oracle module.

[elasticmachine]

Pinging @elastic/integrations-services (Team:Services)

[mtojek]

There is password field which masks the phrase with **** in Kibana. Do you think about something more sophisticated? If so, then it might affect Kibana too /cc @ruflin .

[sorantis]

Oracle events contain sensitive information that customers consider as a risk

    "service": {
        "address": "oracle://sys:passwordlocalhost/ORCLPDB1.localdomain",
        "type": "oracle"
    }

[mtojek]

Elastic Agent uses Metricbeat and Filebeat to generate such data, so it's not the Integrations issue, but rather Metricbeat/Filebeat.

Field definitions stored in Integrations are used mostly to generate Kibana UI and config files. I suppose this should be fixed on the events collector level to strip it and do not leak passwords anywhere.

[andrewkroh]

In Metricbeat it looks like event.host is copied into service.address. And event.host is not using the sanitized URI. This would probably fix Metricbeat, but needs tested. Could @elastic/integrations-platforms please look into the issue.

diff --git a/metricbeat/mb/module/wrapper.go b/metricbeat/mb/module/wrapper.go
index 2ea0d2b60..f0d1552c8 100644
--- a/metricbeat/mb/module/wrapper.go
+++ b/metricbeat/mb/module/wrapper.go
@@ -392,7 +392,7 @@ func (r reporterV2) Event(event mb.Event) bool {
        }
 
        if event.Host == "" {
-               event.Host = r.msw.Host()
+               event.Host = r.msw.HostData().SanitizedURI
        }
 
        if event.Error == nil {