NAME

Log::Scrubber - Perl extension to avoid logging sensitive data

SYNOPSIS

  use Log::Scrubber;             # Override warn() and die() and import scrubber_init()
  use Log::Scrubber qw(:all);    # Override everything this module knows
  use Log::Scrubber qw(:Carp);   # Only override Carp methods
  use Log::Scrubber qw(:Syslog); # Only override syslog()
  use Log::Scrubber qw(scrubber);# scrubber() for use on your own
  use Log::Scrubber qw(+Custom::Method);# Override any perl method

  use Log::Scrubber qw($SCRUBBER :Carp +My::Logs); # Or combine a few

  Example:

    use Log::Scrubber;
    scrubber_init( { '4007000000027' => 'DELETED' } );
    warn "The card number is 4007000000027.\n";

  Output:

    The card number is DELETED.

DESCRIPTION

As required by the PCI Security Standards Council, some data is not acceptable to send to log files, most notably CVV data. However, it is simply a matter of time before a developer accidentally (or on purpose) logs sensitive data to the error_log or some other inappropriate location.

This module is a solution for this vulnerability. It allows you to create a single location for redaction. What it does is very simple: it replaces occurrences of your sensitive data in the output of any common logging mechanism, such as use warnings, warn, use Carp and die, with an acceptable alternative provided by you.

It does so by overriding the functions with a safer alternative so that no code needs to be changed.

Note that for this protection to be effective, this module must be used as the last module (i.e., after all the modules it can override) so that proper method replacement can occur.

The protection can also be invoked by the scrubber method, which takes a list of arguments and returns the same list, with all data safely replaced. This method is provided so that you can call it yourself.

Typically, you will want to issue a use Log::Scrubber qw(:all) after the last module is used in your code, to automatically benefit from the most common level of protection.

Note: If you are using $SIG{__WARN__} and $SIG{__DIE__} then you must call scrubber_init() or set $SCRUBBER=1 afterward to maintain full protection.
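
An added example, not part of the module's own documentation, showing the regex and coderef scrubber forms on PCI-style data together with the $SIG{__WARN__} note above. The patterns, the pan_last4 key and the sample log lines are constructed for illustration; it assumes a coderef scrubber (documented under scrubber_init) receives the whole message as its second argument and returns the scrubbed message.

```perl
use strict;
use warnings;
use Log::Scrubber;    # used last; default import overrides warn()/die() and imports scrubber_init()

# Keys are regular expressions, values are literal replacement text or a coderef.
# The rules live in a hash, so do not rely on the order they are applied in;
# keep the patterns non-overlapping.
my %rules = (
    # CVV/CVC fields: replace the whole key=value pair.
    '(?i)\b(?:cvv2?|cvc)\s*[=:]\s*[0-9]{3,4}\b' => 'cvv=[REDACTED]',

    # Card-number-like digit runs (13 to 19 digits): keep only the last four.
    # Assumption: the coderef gets the whole message as its second argument
    # and its return value becomes the scrubbed message.
    'pan_last4' => sub {
        my ( $key, $val ) = @_;
        $val =~ s/\b([0-9]{9,15})([0-9]{4})\b/('*' x length $1) . $2/ge;
        return $val;
    },
);
scrubber_init( \%rules );

# Constructed sample log lines (test card number from the synopsis, made-up CVVs).
my @dirty = (
    'auth declined pan=4007000000027 cvv=123 amount=10.00',
    'retry for card 4007000000027, CVC: 9876',
);
print "$_\n" for Log::Scrubber::scrubber(@dirty);    # manual scrubbing of your own data

warn "gateway timeout for 4007000000027\n";          # goes through the overridden warn()

# Per the note above: after assigning your own $SIG{__WARN__},
# call scrubber_init() again to maintain full protection.
$SIG{__WARN__} = sub { print STDERR "[app] $_[0]" };
scrubber_init( \%rules );
warn "still timing out for 4007000000027\n";
```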

METHODS

Additional methods created by this package.

scrubber_init
    Both adds scrubbers to your list and enables Log::Scrubber.

    scrubber_init( { # Initialize the scrubber.
      $ereg1 => $replacementText,
      $ereg2 => $rep2,
      $key1  => sub { my ($key,$val) = @_; $val++; return $val; },
      $key2  => sub { my ($key,$val) = @_; $val =~ s/1/2/; return $val; },
      } )

scrubber_start
    Enables scrubbing by overriding all configured methods/signals.

    scrubber_start();
    # or
    $SCRUBBER = 1;

scrubber_stop
    Disables scrubbing by removing the method/signal overrides.  When disabled, your scripts should function exactly as if Log::Scrubber was never installed.

    scrubber_stop();
    # or
    $SCRUBBER = 0;

scrubber_add_scrubber
    Add a new regular expression or coderef scrubber.  This follows the same format as scrubber_init().

    scrubber_add_scrubber({$ereg=>$replaceTxt});

scrubber_remove_scrubber
    Remove a previously added scrubber.

    scrubber_remove_scrubber({$ereg=>$replaceTxt});

scrubber
    Allows manual use of the scrubber.

    @clean = scrubber( @dirty );
    $clean = scrubber $clean;

scrubber_enabled
    if (scrubber_enabled()) { print "Yes it is\n"; }
    # or
    if ($SCRUBBER) { print "Yes it is\n"; }

scrubber_add_signal
scrubber_remove_signal
    scrubber_add_signal('__WARN__');

scrubber_add_method
scrubber_remove_method
    scrubber_add_method('Carp::croak');

scrubber_add_package
scrubber_remove_package
    # Use with caution, it overrides EVERYTHING in the package.  It's usually better to override methods with scrubber_add_method.

    scrubber_add_package('Carp');

LOCAL SCOPING

The scrubber can be locally modified.

  use Log::Scrubber qw($SCRUBBER);
  # setup the scrubber
  {
    local $SCRUBBER;
    # modify scrubber as needed
  }
  # scrubber is now restored back to what it was

EXPORT

Many. The methods are exported or overridden as follows:

  $SIG{__WARN__}     - Always overridden
  $SIG{__DIE__}      - Always overridden
  warnings::warn()   - Always overridden
  warnings::warnif() - Always overridden

  Carp::croak()      - Only exported with :Carp or :all
  Carp::carp()       - Only exported with :Carp or :all
  Carp::confess()    - Only exported with :Carp or :all
  Carp::cluck()      - Only exported with :Carp or :all

  main::syslog()     - Only exported with :Syslog or :all

  Custom::method()   - Custom methods can also be overridden.

AUTHOR

Jason Terry <oaxlin@cpan.org>

SEE ALSO

perl(1), Carp(3), warnings(3), Sys::Syslog(3), Unix::Syslog(3)