Data Loss Prevention
Data Loss Prevention (DLP) can target both mistakes made by users (leaving a password in a config file) but also malicious users trying to exfiltrate secret information.
Leaking Secrets
Users can transfer data to other sites by pasting the clipboard, or dragging / selecting files. Citadel uses Gitleaks to detect secrets, such as API keys, certificate or tokens. After the operation is performed, Citadel will warn the user of the risks, and tell them to sanitize the secrets and perform to paste, drag or select again. If possible, Citadel will propose to sanitize the clipboard for the user.
dlp.leaking.levelby default the events are logged asWARN; levelNEVERdisables the controldlp.leaking.warnProtectedDLP is also checked for protected domainsdlp.leaking.ruleslocation of file containing secrets-matching rules, Gitleaks repository by defaultdlp.leaking.freqfrequency (in hours) that rules are refreshed
"dlp": {
"leaking": {
"level": "WARN",
"warnProtected": true,
"rules": 'https://raw.githubusercontent.com/gitleaks/gitleaks/master/config/gitleaks.toml',
"freq": 24,
},
}
In order to prevent alert fatigue, it is important to exclude applications where users often legitimately upload secrets. Using the dlp.leaking.domains key you can include or exclude specific domains:
"dlp": {
"leaking": {
"domains": ["-*.application.com"],
},
}