How to obfuscate sensitive information (IP address, hostname and MAC) from sosreport in NetWitness
Issue
Some customers do not want to provide the output of sosreport or the nwtech dump, because it contains potentially sensitive information such as IP addresses, MAC addresses and host/domain names.
SOSCleaner is a tool to consistently obfuscate sensitive information in large datasets like Red Hat sosreports. It works on any dataset, from 1 file to thousands.
For more information, refer to the following documents.
Github: https://github.com/soscleaner/soscleaner
SOSCleaner documentation: https://soscleaner.readthedocs.io/en/latest/
Tasks
The python-magic and ipaddr packages must be installed before installing SOSCleaner. I attached the package files to this document.
# cd ipaddr-2.2.0
# chmod 755 setup.py
# ./setup.py install
# tar xvzf python-magic-0.4.15.tar.gz
# cd python-magic-0.4.15
# chmod 755 setup.py
# ./setup.py install
# tar xvzf soscleaner-0.3.93.tar.gz
# cd soscleaner-0.3.93
# chmod 755 setup.py
# ./setup.py install
Resolution
- Go to the sosreport output directory and run soscleaner, then copy the log file name it prints (in the following example, /tmp/soscleaner-xxxxxxxxxxxxxxx.log).
# cd /var/tmp/sos.CioOkc/
# soscleaner sosreport-sa-server-xxxxxxxxxxxxxxx.tar.xz
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
File "/usr/lib64/python2.7/hashlib.py", line 129, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/usr/lib64/python2.7/hashlib.py", line 98, in __get_openssl_constructor
f(usedforsecurity=False)
ValueError: error:3207A06D:lib(50):B_HASH_init:cr new
02-16 16:21:25 soscleaner CONSOLE: Log File Created at /tmp/soscleaner-xxxxxxxxxxxxxxx.log
CONSOLE:soscleaner:Log File Created at /tmp/soscleaner-xxxxxxxxxxxxxxx.log
*Note: NetWitness 11.x has a problem creating the /tmp/soscleaner-*.log file, so you must create the log file manually right after you run soscleaner.
- Open a new SSH console and create the log file right after running soscleaner.
# touch /tmp/soscleaner-xxxxxxxxxxxxxxx.log
*Note: If you do not create the above log file, soscleaner cannot complete the job and fails with the following error message, and the archive it leaves behind is incomplete, as the gunzip error shows.
OSError: [Errno 2] No such file or directory: '/tmp/soscleaner-2711957584681717.log'
# gunzip soscleaner-2711957584681717.tar.gz
gzip: soscleaner-2711957584681717.tar.gz: unexpected end of file
- After soscleaner finishes, the output files are in the /tmp directory. soscleaner-*.tar.gz contains the data with the sensitive information obfuscated, and the mappings from original to obfuscated values are recorded in the csv files.
# ls -al | grep sos
-rw-r--r--. 1 root root 229 Feb 16 16:33 soscleaner-1845103887629427-dn.csv
-rw-r--r--. 1 root root 202 Feb 16 16:33 soscleaner-1845103887629427-hostname.csv
-rw-r--r--. 1 root root 3288 Feb 16 16:33 soscleaner-1845103887629427-ip.csv
-rw-r--r--. 1 root root 0 Feb 16 16:28 soscleaner-1845103887629427.log
-rw-r--r--. 1 root root 594 Feb 16 16:33 soscleaner-1845103887629427-mac.csv
-rw-r--r--. 1 root root 22249438 Feb 16 16:33 soscleaner-1845103887629427.tar.gz
-rw-r--r--. 1 root root 59 Feb 16 16:33 soscleaner-1845103887629427-username.csv
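As an added check before the cleaned archive is sent to support (this script is not part of the original article or of the SOSCleaner project), the following Python reads the mapping CSVs soscleaner wrote and confirms that none of the original values still appear inside the cleaned tarball. The CSV column layout ("Obfuscated,Original") and the sample mapping rows are assumptions; the report id and file names follow the listing above.

```python
import csv, os, tarfile, tempfile
from pathlib import Path

# Constructed sample mapping CSVs named like the article's. The "Obfuscated,Original"
# column order is an assumption, so load_originals() locates the "Original" column by header.
SAMPLE_MAPS = {
    "soscleaner-1845103887629427-ip.csv": "Obfuscated IP,Original IP\n10.230.230.1,192.0.2.10\n",
    "soscleaner-1845103887629427-hostname.csv":
        "Obfuscated Hostname,Original Hostname\nhost0,sa-server\n",
    "soscleaner-1845103887629427-mac.csv":
        "Obfuscated MAC,Original MAC\n53:4f:53:00:00:01,00:50:56:ab:cd:ef\n",
}

def load_originals(csv_dir, report_id):
    """Set of every pre-obfuscation value recorded in the report's mapping CSVs."""
    originals = set()
    for name in sorted(os.listdir(csv_dir)):
        if name.startswith(f"soscleaner-{report_id}-") and name.endswith(".csv"):
            with open(os.path.join(csv_dir, name), newline="") as fh:
                rows = [r for r in csv.reader(fh) if r]
            if len(rows) < 2:
                continue  # empty report, nothing to check
            col = next((i for i, h in enumerate(rows[0]) if "original" in h.lower()), 1)
            originals.update(r[col].strip() for r in rows[1:] if len(r) > col)
    return originals

def find_leaks(archive_path, originals):
    """Member name -> original values still present in the cleaned tarball. Substring
    matching is deliberately conservative; a truncated archive raises tarfile.ReadError."""
    leaks = {}
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            if member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                hits = sorted(v for v in originals if v in text)
                if hits:
                    leaks[member.name] = hits
    return leaks

def demo():
    tmp = tempfile.mkdtemp()
    for name, body in SAMPLE_MAPS.items():
        Path(tmp, name).write_text(body)
    archive = os.path.join(tmp, "soscleaner-1845103887629427.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:  # one clean member, one that leaked a MAC
        for name, body in (("etc-hosts", b"10.230.230.1 host0\n"),
                           ("ifcfg-eth0", b"HWADDR=00:50:56:ab:cd:ef\n")):
            Path(tmp, name).write_bytes(body)
            tar.add(os.path.join(tmp, name), arcname=name)
    return find_leaks(archive, load_originals(tmp, "1845103887629427"))
```

Run `demo()` to see the constructed leak reported; on a real report, point `load_originals()` at /tmp with the report id from the file names and `find_leaks()` at the matching tar.gz.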
Notes
Archiving because the sosreport functionality we include now has this built in:
Cleaner/Masking Options:
These options control how data obfuscation is performed
--clean, --cleaner, --mask
Obfuscate sensitive information
--domains DOMAINS Additional domain names to obfuscate
--disable-parsers DISABLE_PARSERS
Disable specific parsers, so that those elements are
not obfuscated
--skip-cleaning-files SKIP_CLEAN_FILES, --skip-masking-files SKIP_CLEAN_FILES
List of files to skip/ignore during cleaning. Globs
are supported.
--keywords KEYWORDS List of keywords to obfuscate
--keyword-file KEYWORD_FILE
Provide a file a keywords to obfuscate
--no-update Do not update the default cleaner map
--map-file MAP_FILE Provide a previously generated mapping file for
obfuscation
--keep-binary-files Keep unprocessable binary files in the archive instead
of removing them
--usernames USERNAMES
List of usernames to obfuscate
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Summary
How to obfuscate sensitive information (IP address, hostname and MAC) from sosreport