2017-11-15 08:30 AM
The Tech Support Data Gathering script (nwtech.sh), widely used by RSA technical support, gathers lots of troubleshooting information including log and configuration files. However, it also takes the PRIVATE KEYS of your puppet infrastructure. The nwtech dump file is then made available to RSA staff. Once the file is uploaded to RSA it can be accessed by a lot of RSA people who are not intended to have access to this information. In Salesforce and Jira tickets these files can stay for ages and can be accessed by a lot of RSA people who are not intended to have access to this information, especially to have your private keys. To my understanding it is a serious security issue. The private keys should never leave a server; moreover, these are not encrypted, and the nwtech file is not encrypted by default either.
Apart from the puppet agent and mcollective communication, these certificates are also used by RabbitMQ to establish SSL connections.
The following files have been found in the nwtech dump:
/etc/mcollective/ssl/mcollective_client_private.pem
/etc/mcollective/ssl/mcollective_server_private.pem
/var/lib/puppet/ssl/private_keys/*
/var/lib/puppet/ssl/ca/*
/var/lib/puppet/files/mcollective_server_private.pem
/var/lib/puppet/ssl/ca/private/ca.pass
I request the nwtech script to be updated in order to exclude these files.
2017-11-15 10:29 AM
Maxim,
The latest version of the nwtech script (nwtech-2017.10.13.sh) actually excludes the following from your list:
- /etc/mcollective/ssl/mcollective_client_private.pem
- /etc/mcollective/ssl/mcollective_server_private.pem
- /var/lib/puppet/ssl/ca/ca_key.pem
- /var/lib/puppet/ssl/ca/private (directory)
- /var/lib/puppet/ssl/private_keys (directory)
I will talk with the script owner to have the other items mentioned excluded from the nwtech script. Because RSA NetWitness Support is addressing issues such as these, it is very important that you are using the latest nwtech script whenever an output has been requested. The latest nwtech can always be found here: 000027758 - RSA NetWitness and RSA Security Analytics Tech Support Data Gathering Script.
Please realize that the nwtech script is not updated when the RSA NetWitness software is updated. This nwtech script is created by Support to help us support our customers. As such, any updates to the nwtech script must be downloaded from the provided link above.
2017-11-15 11:02 AM
Hello Maxim,
I checked both the older version (scriptver='2016.11.14') and the newer version (scriptver='2017.10.13') of the nwtech script and I don't have the issue you are pointing out.
Sorry, but I used them quite often with RSA support and I was a little bit worried by your post.
Are you sure that the script is downloaded correctly (and it is not corrupted somehow)?
Here is an extract of the script (identical in both versions):
[...]
EXCLUDE=( /etc/init/control-alt-delete.conf
/etc/init/init-system-dbus.conf
/etc/init/kexec-disable.conf
/etc/init/plymouth-shutdown.conf
/etc/init/prefdm.conf
/etc/init/quit-plymouth.conf
/etc/init/serial.conf
/etc/init/splash-manager.conf
/etc/init/start-ttys.conf
/etc/init/tty.conf
/etc/mcollective/ssl/mcollective_client_private.pem
/etc/mcollective/ssl/mcollective_server_private.pem
[...]
I've run the new version on one of my servers and I don't have any "private key" inside the bz2 archive created by it.
I hope this could help.
Best regards
Marco
2017-11-15 01:37 PM
Thanks for that. It sounds better.
I can see what's wrong here. It is a shame that the nwtech tool comes out of the box (incorporated into the 10.6 buildstick, I believe). Just because of that fact I was wrongly under the impression that it should be part of the SA upgrade packages.
The out-of-the-box nwtech.sh is under /usr/sbin/, which is in the PATH variable. It is version 2015.04.27.
I just ran the version 2017.10.13 on the SA server. It still includes /var/lib/puppet/files/mcollective_server_private.pem. I am also concerned about the file /opt/rsa/im/nodeSecret.
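An added check, not part of this thread and not RSA's nwtech script, that audits a nwtech-style tar.bz2 archive before it is uploaded to a ticket: it flags members whose path matches the sensitive locations named in the posts above (including /opt/rsa/im/nodeSecret) and, independently, any member whose content starts with a PEM private-key header, so a key copied somewhere outside the known paths is still caught. The sample archive, its file contents and the regex patterns are constructed here for the demonstration.

```python
import io, os, re, tarfile, tempfile

# Path patterns derived from the files the thread reports inside nwtech dumps.
SENSITIVE_PATHS = [
    re.compile(r"etc/mcollective/ssl/.*_private\.pem$"),
    re.compile(r"var/lib/puppet/ssl/private_keys/"),
    re.compile(r"var/lib/puppet/ssl/ca/(private/|ca_key\.pem$)"),
    re.compile(r"var/lib/puppet/files/mcollective_server_private\.pem$"),
    re.compile(r"opt/rsa/im/nodeSecret$"),
]
# Content check catches keys stored outside the known paths (e.g. a copy in a home dir).
PEM_HEADER = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")

def audit_archive(path):
    """Return (by_path, by_content): member names flagged by path and by content."""
    by_path, by_content = [], []
    with tarfile.open(path, "r:*") as tar:  # "r:*" auto-detects bz2/gz/plain tar
        for member in tar:
            if not member.isfile():
                continue
            name = member.name.lstrip("./")  # normalise "./var/..." and "/var/..."
            if any(p.search(name) for p in SENSITIVE_PATHS):
                by_path.append(name)
            f = tar.extractfile(member)
            if f is not None and PEM_HEADER.search(f.read(4096)):
                by_content.append(name)
    return by_path, by_content

def build_sample_archive(path):
    """Constructed sample dump: one benign log, one benign config, three secrets."""
    entries = {
        "var/log/messages": b"Nov 15 08:30:00 sa puppet-agent[1234]: Finished catalog run\n",
        "var/lib/puppet/files/mcollective_server_private.pem":
            b"-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n",
        "var/lib/puppet/ssl/ca/private/ca.pass": b"constructed-ca-password\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "home/admin/backup_key.txt": b"-----BEGIN PRIVATE KEY-----\nMIIE(constructed)\n",
    }
    with tarfile.open(path, "w:bz2") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path

def demo():
    """Build the sample archive in a temp dir, audit it, and return the two flag lists."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_archive(build_sample_archive(os.path.join(tmp, "nwtech.tar.bz2")))
```

Run audit_archive() against a real nwtech output and refuse to upload while either list is non-empty; the ca.pass entry shows why the path rule is still needed, since a passphrase file has no PEM header.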