Policy
LeakSignal Policies (LS policies or policies) are YAML configuration files that drive how LeakSignal scans for sensitive data.
There are two primary sections of LS policies, categories of matchers and endpoints.
This is an example of what an extremely complex policy might look like:
categories:
ssn:
- regex: "\\b\\d{3}[ .-]\\d{2}[ .-]\\d{4}\\b"
credit_card:
- regex: "(?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})"
- except: 0000-0000-0000-0000
email:
- regex: "\\b[a-zA-Z0-9][a-zA-Z0-9_.+-]{0,}@[a-zA-Z0-9][a-zA-Z0-9-.]{0,}\\.[a-zA-Z]{2,}\\b"
- except: someone@example.com
phone_number:
- regex: "(?u)\\b(1[ .-]?)?[2-9]\\d{2}[ .-]?\\d{3}[ .-]?\\d{4}\\b|(\\b1[ .-]?)?\\([2-9]\\d{2}\\)[ .-]?\\d{3}[ .-]?\\d{4}\\b"
address:
- regex: "(?i)\\b\\d{1,5} ([a-zA-Z0-9]+ ){0,5}(street|st|avenue|ave|boulevard|blvd|road|rd|route|rt|rte|sr|way|wy|highway|hwy|camino|broadway|parkway|pkwy|expressway|expy?|drive|dr|lane|ln|trail|alley|loop|court|circle|park|plaza|place|square|terrace|row|walk|cove|cv|run|path|pass|hollow|bend),?( [a-zA-Z0-9#,\\.]+){0,3}\\b"
phone_number_correlate:
- regex: "\\b[0-9]{10}\\b"
- correlate:
interest: primary
max_distance: 64
matches:
- raw_insensitive: phone
keywords:
- raw: "ssn"
- raw_insensitive: "phone"
any_1:
- regex: ".*"
any_2:
- regex: ".*"
services:
- services: "regex: .*"
ratelimits:
- grouping: per_service
by: service
filter:
any:
- peer_service: "cluster.local/default/cartservice"
- peer_service: "cluster.local/default/checkoutservice"
action: block
timespan_secs: 30
limit: 3000
- grouping: per_endpoint
by: ip
filter:
all:
- endpoint: "**/api/**"
- exclude_endpoint: "**/api/v1/health"
action: alert
timespan_secs: 60
limit: 750
- grouping: per_endpoint
by: ip
filter:
all:
- endpoint: "**/api/**"
- exclude_endpoint: "**/api/v1/health"
- exclude_token: exampleToken123
action: block
timespan_secs: 60
limit: 1500
endpoints:
- matches: "**"
config:
ssn:
action: !redact "REDACTED"
credit_card:
content_types: json
email:
content_types: html
phone_number: {}
address: {}
phone_number_correlate: {}
keywords: {}
any_1:
action: !redact ""
content_types: json
contexts:
- header: "content-type"
search: response_header
any_2:
contexts:
- header: "hello"
search: request_header
token_extractor:
location: request
header: "block_me"
regex: ".*"
hash: true
blocked_tokens:
- "9FC2BAB31B8C9738DAE5FEFBFF80B214011A7A317B75FC1AB352D17343F1166E"
blocked_ips:
- "124.201.111.27"
report_style: raw
rules:
- grouping: global
by: ip
filter:
all:
- response_outbound
- response_matches:
email: 1
phone_number: 1
name: "Potential Login Leak"
severity: immediate
action: alert
timespan_secs: 30
limit: 1
- grouping: per_service
by: outbound_service
filter:
all:
- response_outbound
- response_matches:
snn: 1
credit_card: 1
name: "High Sensitive Data Access"
severity: notable
action: alert
timespan_secs: 300
limit: 10
body_collection:
- mode: response_only
sample_rate: 1.0
filter:
all:
- response_outbound
- response_matches:
ssn: 20
phone_number: 10
- sample_rate: 1.0
max_body_collection_mb: 0.05
filter:
any:
- endpoint: "/form.html"
- endpoint: "/bigjson.html"
- mode: request_only
sample_rate: 1.0
filter:
request_matches:
ssn: 10
phone_number: 10