Document UniFi baseline secret leak guardrails

This commit is contained in:
Doris
2026-05-22 20:58:41 +00:00
parent 5f56fe75d8
commit c2c71cfe57
6 changed files with 145 additions and 609 deletions

View File

@@ -0,0 +1,76 @@
# Incident: UniFi Baseline Secret Leak (2026-05-22)
## Summary
A raw UniFi baseline export was committed to the main `truenas-stacks` repo during the May 22, 2026 network-cutover documentation pass. GitGuardian later flagged three secret leaks in the latest commits.
The leaked material came from a controller export artifact, not from a normal `.env` file.
## What leaked
The committed file contained three WireGuard secrets in `home/doris-dashboard/docs/baselines/unifi-object-baseline-2026-05-22-024653.json`:
1. an embedded `wireguard_client_configuration_file` containing a `PrivateKey = ...`
2. one `x_wireguard_private_key`
3. another `x_wireguard_private_key`
## How it happened
The failure mode was:
1. a read-only UniFi object baseline was captured to support cautious cutover work
2. the export was saved as a raw JSON artifact under `home/doris-dashboard/docs/baselines/`
3. that raw export was treated like a harmless recon artifact and committed alongside other network redesign docs
4. the export included VPN/WireGuard fields that are safe for controller runtime but unsafe for a git-tracked documentation repo
5. GitGuardian detected the leaked keys after push
## Root cause
This was a process failure, not a git-crypt failure.
The repo already had rules for `.env` secrets, but not a strong enough rule for **controller exports / diagnostic baselines / machine snapshots** that may embed secrets even when they are not named `.env`.
In short:
- we protected the usual secret files
- we did **not** treat raw infrastructure exports as secret-bearing by default
## Remediation completed
The following remediation was performed:
- the leaked values were removed from the working tree
- git history was rewritten to purge the exact leaked values
- cleaned history was force-pushed to both `origin` and `github`
- raw JSON baseline exports under `home/doris-dashboard/docs/baselines/` were moved out of the main repo policy
- the repo now documents that only sanitized summaries or explicitly redacted artifacts belong in the main repo
## New permanent rules
1. **Raw controller/API exports do not belong in the main repo.**
- Examples: UniFi `networkconf`, `portconf`, full appliance JSON dumps, diagnostic snapshots, vendor backups, tunnel/client config exports.
2. **Assume machine exports are secret-bearing until proven otherwise.**
- If it came from a controller or appliance, inspect it like a secret file.
3. **Only commit one of these:**
- a markdown summary
- a purpose-built redacted JSON artifact
- a generated diff with secret-bearing keys removed
4. **Before committing infra artifacts, scan them explicitly.**
- Look for terms like `private_key`, `wireguard`, `token`, `secret`, `password`, `Authorization`, `cookie`, `client_secret`.
5. **If raw export retention is required, store it outside the main repo.**
- Prefer the encrypted secrets repo or another non-public operator-only location.
6. **If a secret-bearing export is committed, treat it as an incident.**
- redact/remove from current tree
- rewrite history
- force-push
- rotate live credentials/keys as appropriate
## Operator follow-up still recommended
History cleanup fixed the repo exposure. If any leaked WireGuard keys were active in production at the time of exposure, rotate them deliberately and update affected clients.
## Prevent-recurrence checklist
- [ ] raw exports ignored by default in the repo path where they are commonly captured
- [ ] incident documented in `SECRETS_MANAGEMENT.md`
- [ ] dashboard baseline directory has a README explaining what may and may not be committed
- [ ] future cutover notes point to sanitized summaries rather than raw exports

View File

@@ -206,6 +206,39 @@ On a fresh PD after reinstalling TrueNAS:
---
## Controller Export / Baseline Artifact Rules
Raw infrastructure exports must be treated as potentially secret-bearing even when they are not `.env` files.
Examples:
- UniFi `networkconf` / `portconf` dumps
- firewall/router/controller JSON exports
- VPN client or server config exports
- diagnostic snapshots taken from appliances or operator APIs
### Permanent rules
- Do **not** commit raw controller or appliance exports to the main repo.
- Commit only sanitized markdown summaries or explicitly redacted artifacts.
- If raw retention is needed, store the export in the encrypted secrets repo or another operator-only location outside the main repo.
- Before committing infra artifacts, scan for obvious secret-bearing keys such as:
- `private_key`
- `wireguard`
- `token`
- `secret`
- `password`
- `Authorization`
- `cookie`
- `client_secret`
### Incident reference
A real leak occurred on 2026-05-22 when a raw UniFi baseline export under `home/doris-dashboard/docs/baselines/` was committed with embedded WireGuard secrets.
See:
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
- `home/doris-dashboard/docs/baselines/README.md`
## Security Reminders
- **Key backup**: `C:\Users\Fizzlepoof\Downloads\.git-crypt-secrets.key` — also store in password manager