
Nwtech copies private keys

Question asked by Maxim Siyazov on Nov 15, 2017
Latest reply on Nov 15, 2017 by Maxim Siyazov

The Tech Support Data Gathering script (nwtech.sh) is widely used by RSA technical support; it gathers lots of troubleshooting information, including log and configuration files. However, it also takes the PRIVATE KEYS of your puppet infrastructure. The nwtech dump file is then made available to RSA staff. Once the file is uploaded to RSA, it can be accessed by a lot of RSA people who are not intended to have access to this information. In Salesforce and Jira tickets these files can stay for ages and can be accessed by a lot of RSA people who are not intended to have access to this information, especially to have your private keys. To my understanding it is a serious security issue. The private keys should never leave a server; moreover, these are not encrypted, and the nwtech file is not encrypted by default either.

Apart from the puppet agent and mcollective communication, these certificates are also used by RabbitMQ to establish SSL connections.

The following files have been found in the nwtech dump:

/etc/mcollective/ssl/mcollective_client_private.pem

/etc/mcollective/ssl/mcollective_server_private.pem

/var/lib/puppet/ssl/private_keys/*

/var/lib/puppet/ssl/ca/*

/var/lib/puppet/files/mcollective_server_private.pem

/var/lib/puppet/ssl/ca/private/ca.pass

I request that the nwtech script be updated to exclude these files.
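
A pre-upload check for the problem described in the post above, as an added example that is not part of the original post and is not RSA's code: it scans a support bundle for the paths the post lists and for any PEM private key header. It assumes the dump is a tar archive (the post does not state the format); the function names, the sample archive and the `etc/rabbitmq/server.key` path are constructed for illustration.

```python
import fnmatch
import io
import re
import tarfile

# Paths the post reports finding in the dump, as globs relative to "/".
SENSITIVE_GLOBS = [
    "etc/mcollective/ssl/mcollective_client_private.pem",
    "etc/mcollective/ssl/mcollective_server_private.pem",
    "var/lib/puppet/ssl/private_keys/*",
    "var/lib/puppet/ssl/ca/*",
    "var/lib/puppet/files/mcollective_server_private.pem",
    "var/lib/puppet/ssl/ca/private/ca.pass",
]
# Header of any PEM private key (RSA, EC, PKCS#8, encrypted PKCS#8, OpenSSH).
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
SCAN_BYTES = 1 << 20  # content check reads at most the first 1 MiB per file

def find_key_material(fileobj):
    """Return sorted (member, reason) pairs for a tar archive file object."""
    findings = set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Prefix "/" and "*/" so a top-level bundle directory is ignored.
            path = "/" + member.name.lstrip("./")
            if any(fnmatch.fnmatchcase(path, "*/" + g) for g in SENSITIVE_GLOBS):
                findings.add((member.name, "listed-path"))
            if PEM_KEY.search(tar.extractfile(member).read(SCAN_BYTES)):
                findings.add((member.name, "pem-private-key"))
    return sorted(findings)

def build_sample_dump():
    """Constructed sample archive; the key bodies are placeholders, not keys."""
    fake_key = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n"
    files = {
        "nwtech/etc/mcollective/ssl/mcollective_server_private.pem": fake_key,
        "nwtech/var/lib/puppet/ssl/ca/private/ca.pass": b"constructed\n",
        "nwtech/etc/rabbitmq/server.key": fake_key,  # hypothetical path
        "nwtech/var/log/messages": b"constructed log line\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())
```

Calling `find_key_material(open(path, "rb"))` on a real bundle returns an empty list when neither check fires; the content check also catches keys stored outside the listed paths.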
