Document UniFi baseline secret leak guardrails
This commit is contained in:
@@ -0,0 +1,76 @@
|
||||
# Incident: UniFi Baseline Secret Leak (2026-05-22)
|
||||
|
||||
## Summary
|
||||
|
||||
A raw UniFi baseline export was committed to the main `truenas-stacks` repo during the May 22, 2026 network-cutover documentation pass. GitGuardian later flagged three secret leaks in the latest commits.
|
||||
|
||||
The leaked material came from a controller export artifact, not from a normal `.env` file.
|
||||
|
||||
## What leaked
|
||||
|
||||
The committed file contained three WireGuard secrets in `home/doris-dashboard/docs/baselines/unifi-object-baseline-2026-05-22-024653.json`:
|
||||
|
||||
1. an embedded `wireguard_client_configuration_file` containing a `PrivateKey = ...`
|
||||
2. one `x_wireguard_private_key`
|
||||
3. another `x_wireguard_private_key`
|
||||
|
||||
## How it happened
|
||||
|
||||
The failure mode was:
|
||||
|
||||
1. a read-only UniFi object baseline was captured to support cautious cutover work
|
||||
2. the export was saved as a raw JSON artifact under `home/doris-dashboard/docs/baselines/`
|
||||
3. that raw export was treated like a harmless recon artifact and committed alongside other network redesign docs
|
||||
4. the export included VPN/WireGuard fields that are safe for controller runtime but unsafe for a git-tracked documentation repo
|
||||
5. GitGuardian detected the leaked keys after push
|
||||
|
||||
## Root cause
|
||||
|
||||
This was a process failure, not a git-crypt failure.
|
||||
|
||||
The repo already had rules for `.env` secrets, but not a strong enough rule for **controller exports / diagnostic baselines / machine snapshots** that may embed secrets even when they are not named `.env`.
|
||||
|
||||
In short:
|
||||
- we protected the usual secret files
|
||||
- we did **not** treat raw infrastructure exports as secret-bearing by default
|
||||
|
||||
## Remediation completed
|
||||
|
||||
The following remediation was performed:
|
||||
|
||||
- the leaked values were removed from the working tree
|
||||
- git history was rewritten to purge the exact leaked values
|
||||
- cleaned history was force-pushed to both `origin` and `github`
|
||||
- raw JSON baseline exports under `home/doris-dashboard/docs/baselines/` were moved out of the main repo policy
|
||||
- the repo now documents that only sanitized summaries or explicitly redacted artifacts belong in the main repo
|
||||
|
||||
## New permanent rules
|
||||
|
||||
1. **Raw controller/API exports do not belong in the main repo.**
|
||||
- Examples: UniFi `networkconf`, `portconf`, full appliance JSON dumps, diagnostic snapshots, vendor backups, tunnel/client config exports.
|
||||
2. **Assume machine exports are secret-bearing until proven otherwise.**
|
||||
- If it came from a controller or appliance, inspect it like a secret file.
|
||||
3. **Only commit one of these:**
|
||||
- a markdown summary
|
||||
- a purpose-built redacted JSON artifact
|
||||
- a generated diff with secret-bearing keys removed
|
||||
4. **Before committing infra artifacts, scan them explicitly.**
|
||||
- Look for terms like `private_key`, `wireguard`, `token`, `secret`, `password`, `Authorization`, `cookie`, `client_secret`.
|
||||
5. **If raw export retention is required, store it outside the main repo.**
|
||||
- Prefer the encrypted secrets repo or another non-public operator-only location.
|
||||
6. **If a secret-bearing export is committed, treat it as an incident.**
|
||||
- redact/remove from current tree
|
||||
- rewrite history
|
||||
- force-push
|
||||
- rotate live credentials/keys as appropriate
|
||||
|
||||
## Operator follow-up still recommended
|
||||
|
||||
History cleanup fixed the repo exposure. If any leaked WireGuard keys were active in production at the time of exposure, rotate them deliberately and update affected clients.
|
||||
|
||||
## Prevent-recurrence checklist
|
||||
|
||||
- [ ] raw exports ignored by default in the repo path where they are commonly captured
|
||||
- [ ] incident documented in `SECRETS_MANAGEMENT.md`
|
||||
- [ ] dashboard baseline directory has a README explaining what may and may not be committed
|
||||
- [ ] future cutover notes point to sanitized summaries rather than raw exports
|
||||
@@ -206,6 +206,39 @@ On a fresh PD after reinstalling TrueNAS:
|
||||
|
||||
---
|
||||
|
||||
## Controller Export / Baseline Artifact Rules
|
||||
|
||||
Raw infrastructure exports must be treated as potentially secret-bearing even when they are not `.env` files.
|
||||
|
||||
Examples:
|
||||
- UniFi `networkconf` / `portconf` dumps
|
||||
- firewall/router/controller JSON exports
|
||||
- VPN client or server config exports
|
||||
- diagnostic snapshots taken from appliances or operator APIs
|
||||
|
||||
### Permanent rules
|
||||
|
||||
- Do **not** commit raw controller or appliance exports to the main repo.
|
||||
- Commit only sanitized markdown summaries or explicitly redacted artifacts.
|
||||
- If raw retention is needed, store the export in the encrypted secrets repo or another operator-only location outside the main repo.
|
||||
- Before committing infra artifacts, scan for obvious secret-bearing keys such as:
|
||||
- `private_key`
|
||||
- `wireguard`
|
||||
- `token`
|
||||
- `secret`
|
||||
- `password`
|
||||
- `Authorization`
|
||||
- `cookie`
|
||||
- `client_secret`
|
||||
|
||||
### Incident reference
|
||||
|
||||
A real leak occurred on 2026-05-22 when a raw UniFi baseline export under `home/doris-dashboard/docs/baselines/` was committed with embedded WireGuard secrets.
|
||||
|
||||
See:
|
||||
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
|
||||
- `home/doris-dashboard/docs/baselines/README.md`
|
||||
|
||||
## Security Reminders
|
||||
|
||||
- **Key backup**: `C:\Users\Fizzlepoof\Downloads\.git-crypt-secrets.key` — also store in password manager
|
||||
|
||||
Reference in New Issue
Block a user