[Freeswitch-users] Per-channel fsctl loglevel?

Michael Collins msc at freeswitch.org
Thu May 31 00:35:34 MSD 2012 

Avi,

Can you think of any other places where the FS logging in general might
contain sensitive data? Reason I ask is that maybe we could create
something like "pcidss=true" and then use that as a flag to disable logging
anything that might be considered sensitive. Just a thought.

-MC

On Wed, May 30, 2012 at 1:29 PM, Avi Marcus <avi at avimarcus.net> wrote:

> On Wed, May 30, 2012 at 11:18 PM, Michael Collins <msc at freeswitch.org>wrote:
>
>> How are you protecting everything else? If the XML CDR is sent over HTTP
>> instead of HTTPS then everything about the call is plain text.
>
> As far as I know, the only thing sensitive in the xml_cdr is digits_dialed.
>
>
>> And what about the FS logs? Are you encrypting those somehow? It seems to
>> me that you need a more comprehensive solution than just scrubbing a single
>> channel variable.
>>
> No, I'm not encrypting them.. because t here wouldn't be anything
> sensitive. As far as I can tell, the only issue is the DTMF in DEBUG and
> the curl post message, again in DEBUG.
> Since this is a lua IVR it seems nearly nothing else makes it into the
> log. Only api:execute("curl",...) is in the log because it's not a native
> direct curl command (like session:playandgetdigits())
>
>
>> However, if you need an interim solution I would suggest commenting out
>> the line that sets digits_dialed:
>>
>> http://fisheye.freeswitch.org/browse/freeswitch.git/src/switch_channel.c?r=HEAD#to3912
>>
>> A more permanent solution might be to create a channel variable that
>> controls whether stuff like this gets logged. Something like
>> "no_dtmf_logging=true" or whatever. That's a bit more involved because you
>> have to decide if there are other places where DTMF info gets logged and if
>> so, decide whether or not you want not to log them.
>>
> That's an interesting idea... it might be more encompassing to have a
> loglevel=X channel variable instead that affects the logging for that
> channel. But this is probably overkill...
>
>>
>> What would be the ideal solution for your scenario? That answer might
>> yield the best course of action.
>> -MC
>>
>>
>> On Wed, May 30, 2012 at 11:20 AM, Avi Marcus <avi at avimarcus.net> wrote:
>>
>>> The PCI-DSS (Payment Card Industry Data Security Standard) requires
>>> encryption, not merely permission restriction, for sensitive data. Hence
>>> I'm looking at the DTMF logging which can probably be easily re-patterned
>>> back into the digits, the curl POST which also shows everything in the log,
>>> the dialed_digits in a standard xml_cdr..
>>> Otherwise, afaik, lua won't log things unless you explicitly tell it to.
>>>
>>> Any suggestions other than setting the entire switch to fsctl loglevel 6
>>> and not storing the xml_cdrs in their raw form?
>>>
>>> -Avi
>>>
>>> On Wed, May 30, 2012 at 8:11 PM, Michael Collins <msc at freeswitch.org>wrote:
>>>
>>>> If it's a compliance issue then I'd triple-check to make sure that no
>>>> one unauthorized can get to any of your FS logs or CDR data. I suspect that
>>>> logging vs. not logging dialed_digits is not a make-or-break proposition.
>>>> If you're doing xml_cdrs then you've probably got that same data in other
>>>> log lines.
>>>>
>>>> -MC
>>>>
>>>>
>>>> On Wed, May 30, 2012 at 9:08 AM, Patrick Lists <
>>>> freeswitch-list at puzzled.xs4all.nl> wrote:
>>>>
>>>>> On 30-05-12 17:48, Michael Collins wrote:
>>>>> >     And.. similarly is there a way to blank out the var
>>>>> digits_dialed in
>>>>> >     the xml_cdr, from within FS, before the end of the call?
>>>>> >
>>>>> > Why do you need to clear it out? What information does it collect
>>>>> that
>>>>> > you don't need?
>>>>>
>>>>> Since it's credit card data I can imagine Avi does not want it logged
>>>>> for security purposes.
>>>>>
>>>>> Regards,
>>>>> Patrick
>>>>>
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> Join Us At ClueCon - Aug 7-9, 2012
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> 
>>> 
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> Join Us At ClueCon - Aug 7-9, 2012
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> Join Us At ClueCon - Aug 7-9, 2012
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> Join Us At ClueCon - Aug 7-9, 2012
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20120530/826f3f38/attachment.html

Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list