Command-line secret redaction.
Audit recorders that capture commands verbatim will faithfully store the
credentials that appear on a command line — DB connection strings, mysql -pSECRET, PGPASSWORD=…, bearer tokens. auditd does exactly this; tlog
disables input logging because of it. Kintsugi must not: the event log is
append-only and hash-chained (you can’t scrub it later), and the security
spine forbids secret values in the log (rule #6) while still preserving the
raw command (rule #3).
This module redacts only the value span of a detected credential, leaving the rest of the command verbatim and replacing the secret with a fixed marker. It is intentionally conservative — when in doubt it over-redacts — because a leaked secret in an immutable log is far worse than an over-redacted one. It does no I/O and is allocation-light so it can run on the capture hot path.
Tokenization is quote-aware: a quoted value (--password "pa ss word") is
a single token, so a multi-word secret is redacted whole — a per-whitespace
approach leaks the tail of every quoted credential.
It is best-effort pattern matching, not a guarantee: a novel flag can slip
through, and secrets typed at a sub-prompt (psql→\password) or inside a
here-doc body are out of scope. Pair it with operational guidance (use
.pgpass / secret stores) and a periodic log scan for stragglers.
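As an added illustration of the span-based, quote-aware approach described above (not code from the Kintsugi crate; the marker text, the detection rules and the function names are assumptions made for this example):

```rust
// Added example (not the Kintsugi crate's code); MARKER text and the rules below are assumptions.
const MARKER: &str = "[REDACTED]";
const SECRET_KEYS: [&str; 4] = ["PASSWORD", "SECRET", "TOKEN", "KEY"];
/// Byte spans of whitespace-separated tokens; a quoted run counts as one token.
fn token_spans(line: &str) -> Vec<(usize, usize)> {
    let (mut spans, mut start, mut quote) = (Vec::new(), None, None::<char>);
    for (i, c) in line.char_indices() {
        match quote {
            Some(q) if c == q => quote = None,
            Some(_) => {}
            None if c == '"' || c == '\'' => { quote = Some(c); start.get_or_insert(i); }
            None if c.is_whitespace() => { if let Some(s) = start.take() { spans.push((s, i)); } }
            None => { start.get_or_insert(i); }
        }
    }
    if let Some(s) = start { spans.push((s, line.len())); }
    spans
}
/// Long flag whose value is the *next* token; `mysql -p` alone prompts, so short `-p` is excluded.
fn is_secret_flag(tok: &str) -> bool {
    let name = tok.trim_start_matches('-').to_ascii_uppercase();
    tok.starts_with("--") && !tok.contains('=') && SECRET_KEYS.iter().any(|k| name.contains(k))
}
/// Secret value range inside one token, relative to the token's start (over-redacts when unsure).
fn value_range(tok: &str) -> Option<(usize, usize)> {
    if let Some(eq) = tok.find('=') {                      // PGPASSWORD=x, --token=x
        let key = tok[..eq].trim_start_matches('-').to_ascii_uppercase();
        if SECRET_KEYS.iter().any(|k| key.contains(k)) { return Some((eq + 1, tok.len())); }
    }
    if tok.starts_with("-p") && tok.len() > 2 { return Some((2, tok.len())); } // mysql -pSECRET
    let scheme = tok.find("://")? + 3;                     // user:pass@host inside a URL
    let at = tok[scheme..].find('@')?;
    let colon = tok[scheme..scheme + at].find(':')?;
    Some((scheme + colon + 1, scheme + at))
}
/// Replace only the detected value spans; everything else is copied byte-for-byte.
pub fn redact_line(line: &str) -> String {
    let spans = token_spans(line);
    let (mut out, mut pos, mut i) = (String::with_capacity(line.len()), 0, 0);
    while i < spans.len() {
        let (s, e) = spans[i];
        let (vs, ve) = if is_secret_flag(&line[s..e]) && i + 1 < spans.len() {
            i += 1; spans[i]                               // whole next token, quotes included
        } else if let Some((a, b)) = value_range(&line[s..e]) { (s + a, s + b) }
        else { i += 1; continue };
        out.push_str(&line[pos..vs]); out.push_str(MARKER); pos = ve; i += 1;
    }
    out.push_str(&line[pos..]); out
}
```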
Structs§
- Redaction
- The result of redacting a command line.
Constants§
- MARKER
- The placeholder a redacted value is replaced with. ASCII and unambiguous (not
<…>, which reads like a shell redirect). Frozen — it enters the canonical hash, so changing it would change every event hash.
Functions§
- redact_command
- Redact credentials that appear inline in a command line. Preserves the command’s structure and whitespace; only secret values are replaced.