[Freeswitch-users] Per-channel fsctl loglevel?

Avi Marcus avi at avimarcus.net
Thu May 31 01:25:55 MSD 2012 

Mostly credit cards.. and anything you do with it, e.g. submit it via https
to authorize.net, stripe, etc where then you don't need the actual number
anymore.
So both the DTMF entry and the curl debug line. I can't think of anything
else in particular.

-Avi

On Wed, May 30, 2012 at 11:35 PM, Michael Collins <msc at freeswitch.org>wrote:

> Avi,
>
> Can you think of any other places where the FS logging in general might
> contain sensitive data? Reason I ask is that maybe we could create
> something like "pcidss=true" and then use that as a flag to disable logging
> anything that might be considered sensitive. Just a thought.
>
> -MC
>
>
> On Wed, May 30, 2012 at 1:29 PM, Avi Marcus <avi at avimarcus.net> wrote:
>
>> On Wed, May 30, 2012 at 11:18 PM, Michael Collins <msc at freeswitch.org>wrote:
>>
>>> How are you protecting everything else? If the XML CDR is sent over HTTP
>>> instead of HTTPS then everything about the call is plain text.
>>
>> As far as I know, the only thing sensitive in the xml_cdr is
>> digits_dialed.
>>
>>
>>> And what about the FS logs? Are you encrypting those somehow? It seems
>>> to me that you need a more comprehensive solution than just scrubbing a
>>> single channel variable.
>>>
>> No, I'm not encrypting them.. because t here wouldn't be anything
>> sensitive. As far as I can tell, the only issue is the DTMF in DEBUG and
>> the curl post message, again in DEBUG.
>> Since this is a lua IVR it seems nearly nothing else makes it into the
>> log. Only api:execute("curl",...) is in the log because it's not a native
>> direct curl command (like session:playandgetdigits())
>>
>>
>>> However, if you need an interim solution I would suggest commenting out
>>> the line that sets digits_dialed:
>>>
>>> http://fisheye.freeswitch.org/browse/freeswitch.git/src/switch_channel.c?r=HEAD#to3912
>>>
>>> A more permanent solution might be to create a channel variable that
>>> controls whether stuff like this gets logged. Something like
>>> "no_dtmf_logging=true" or whatever. That's a bit more involved because you
>>> have to decide if there are other places where DTMF info gets logged and if
>>> so, decide whether or not you want not to log them.
>>>
>> That's an interesting idea... it might be more encompassing to have a
>> loglevel=X channel variable instead that affects the logging for that
>> channel. But this is probably overkill...
>>
>>>
>>> What would be the ideal solution for your scenario? That answer might
>>> yield the best course of action.
>>> -MC
>>>
>>>
>>> On Wed, May 30, 2012 at 11:20 AM, Avi Marcus <avi at avimarcus.net> wrote:
>>>
>>>> The PCI-DSS (Payment Card Industry Data Security Standard) requires
>>>> encryption, not merely permission restriction, for sensitive data. Hence
>>>> I'm looking at the DTMF logging which can probably be easily re-patterned
>>>> back into the digits, the curl POST which also shows everything in the log,
>>>> the dialed_digits in a standard xml_cdr..
>>>> Otherwise, afaik, lua won't log things unless you explicitly tell it to.
>>>>
>>>> Any suggestions other than setting the entire switch to fsctl loglevel
>>>> 6 and not storing the xml_cdrs in their raw form?
>>>>
>>>> -Avi
>>>>
>>>> On Wed, May 30, 2012 at 8:11 PM, Michael Collins <msc at freeswitch.org>wrote:
>>>>
>>>>> If it's a compliance issue then I'd triple-check to make sure that no
>>>>> one unauthorized can get to any of your FS logs or CDR data. I suspect that
>>>>> logging vs. not logging dialed_digits is not a make-or-break proposition.
>>>>> If you're doing xml_cdrs then you've probably got that same data in other
>>>>> log lines.
>>>>>
>>>>> -MC
>>>>>
>>>>>
>>>>> On Wed, May 30, 2012 at 9:08 AM, Patrick Lists <
>>>>> freeswitch-list at puzzled.xs4all.nl> wrote:
>>>>>
>>>>>> On 30-05-12 17:48, Michael Collins wrote:
>>>>>> >     And.. similarly is there a way to blank out the var
>>>>>> digits_dialed in
>>>>>> >     the xml_cdr, from within FS, before the end of the call?
>>>>>> >
>>>>>> > Why do you need to clear it out? What information does it collect
>>>>>> that
>>>>>> > you don't need?
>>>>>>
>>>>>> Since it's credit card data I can imagine Avi does not want it logged
>>>>>> for security purposes.
>>>>>>
>>>>>> Regards,
>>>>>> Patrick
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> 
>>>>> 
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://wiki.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> Join Us At ClueCon - Aug 7-9, 2012
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> Join Us At ClueCon - Aug 7-9, 2012
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> 
>>> 
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> Join Us At ClueCon - Aug 7-9, 2012
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> Join Us At ClueCon - Aug 7-9, 2012
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> Join Us At ClueCon - Aug 7-9, 2012
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20120531/8243f16b/attachment-0001.html

Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users mailing list