000038240 - How to obfuscate sensitive information (IP address, hostname and MAC) from sosreport in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Dec 20, 2019
Version 1

Article Content

Article Number: 000038240
Applies To:
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x

Some customers do not want to provide the output of sosreport or an nwtech dump because it contains potentially sensitive information such as IP addresses, MAC addresses and host/domain names.
SOSCleaner is a tool to consistently obfuscate sensitive information in large datasets like Red Hat sosreports. It works on any dataset, from 1 file to thousands.
For more information, refer to the following documents.
GitHub: https://github.com/soscleaner/soscleaner
SOSCleaner documentation: https://soscleaner.readthedocs.io/en/latest/

Tasks:
The python-magic and ipaddr packages must be installed before installing SOSCleaner.
I attached the package files to this document.

# tar xvzf ipaddr-2.2.0.tar.gz
# cd ipaddr-2.2.0
# chmod 755 setup.py
# ./setup.py install
# cd ..

# tar xvzf python-magic-0.4.15.tar.gz
# cd python-magic-0.4.15
# chmod 755 setup.py
# ./setup.py install
# cd ..

# tar xvzf soscleaner-0.3.93.tar.gz
# cd soscleaner-0.3.93
# chmod 755 setup.py
# ./setup.py install
  1. Go to the sosreport output directory and run soscleaner.

    Copy the log file name from the console output (in the following example, /tmp/soscleaner-xxxxxxxxxxxxxxx.log).

    # cd /var/tmp/sos.CioOkc/
    # soscleaner sosreport-sa-server-xxxxxxxxxxxxxxx.tar.xz
    ERROR:root:code for hash md5 was not found.
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
        globals()[__func_name] = __get_hash(__func_name)
      File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
    ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
    02-16 16:21:25 soscleaner CONSOLE: Log File Created at /tmp/soscleaner-xxxxxxxxxxxxxxx.log
    CONSOLE:soscleaner:Log File Created at /tmp/soscleaner-xxxxxxxxxxxxxxx.log

    *Note: NetWitness 11.x has a problem creating the /tmp/soscleaner-*.log file, so you must create the log file manually right after you run soscleaner.

  2. Open a new SSH console and create the log file right after running soscleaner.

    # touch /tmp/soscleaner-xxxxxxxxxxxxxxx.log

    *Note: If you do not create the above log file, soscleaner cannot complete the job and fails with the following error message.

    OSError: [Errno 2] No such file or directory: '/tmp/soscleaner-2711957584681717.log'
    # gunzip soscleaner-2711957584681717.tar.gz
    gzip: soscleaner-2711957584681717.tar.gz: unexpected end of file 

  3. After soscleaner finishes, the output files are in the /tmp directory. soscleaner-*.tar.gz contains the data with obfuscated information, and the mappings are recorded in each CSV file.

    # ls -al | grep sos
    -rw-r--r--.   1 root       root            229 Feb 16 16:33 soscleaner-1845103887629427-dn.csv
    -rw-r--r--.   1 root       root            202 Feb 16 16:33 soscleaner-1845103887629427-hostname.csv
    -rw-r--r--.   1 root       root           3288 Feb 16 16:33 soscleaner-1845103887629427-ip.csv
    -rw-r--r--.   1 root       root              0 Feb 16 16:28 soscleaner-1845103887629427.log
    -rw-r--r--.   1 root       root            594 Feb 16 16:33 soscleaner-1845103887629427-mac.csv
    -rw-r--r--.   1 root       root       22249438 Feb 16 16:33 soscleaner-1845103887629427.tar.gz
    -rw-r--r--.   1 root       root             59 Feb 16 16:33 soscleaner-1845103887629427-username.csv
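
Because the CSV files record the original values, they can be used to check that none of those values survive in the obfuscated data before the archive is handed over. The following is an added example, not part of the original article or of SOSCleaner; the function name `leftover_originals` is hypothetical, and the CSV layout (one header row, then `obfuscated,original` rows) is an assumption to verify against your own files.

```bash
# Added example: not from the RSA article or the SOSCleaner project.
# Assumption: each mapping CSV is one header row followed by
# "obfuscated,original" rows; pass another column number as $3 if not.

# leftover_originals PREFIX DIR [ORIG_COL]   (hypothetical helper name)
#   PREFIX  path prefix of the outputs, e.g. /tmp/soscleaner-<session id>
#   DIR     directory where PREFIX.tar.gz was extracted
# Prints each file under DIR that still contains an original value.
# Returns 0 if none remain, 1 if originals were found, 2 on bad input.
leftover_originals() {
    local prefix="$1" dir="$2" col="${3:-2}" patterns hits kind
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    patterns=$(mktemp) || return 2
    # ip, hostname, dn (domain name) and mac are the value types the
    # article is concerned with.
    for kind in ip hostname dn mac; do
        [ -s "$prefix-$kind.csv" ] || continue
        # Drop the header, keep the original-value column, strip CRs.
        tail -n +2 "$prefix-$kind.csv" | cut -d, -f"$col" | tr -d '\r'
    done | sed '/^[[:space:]]*$/d' | sort -u > "$patterns"
    if [ ! -s "$patterns" ]; then
        rm -f "$patterns"
        echo "no mapping entries found for prefix $prefix" >&2
        return 2
    fi
    # -F fixed strings; -w whole words so 10.1.1.1 does not match 10.1.1.10;
    # -i because hostnames and MACs vary in case; -l lists file names only.
    hits=$(grep -rFwil -f "$patterns" "$dir" || true)
    rm -f "$patterns"
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

Extract the soscleaner-*.tar.gz into an empty directory first and pass that directory as DIR; a return status of 1 comes with the list of files that need a second look.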