[rancid] post-processing the diff listing before mailing?

Lee ler762 at gmail.com
Fri Oct 15 14:11:20 UTC 2010


On 10/12/10, john heasley <heas at shrubbery.net> wrote:
> Tue, Oct 12, 2010 at 05:22:42AM +0000, john heasley:
>> Wed, Sep 22, 2010 at 01:04:16PM -0400, Lee:
>> > Anyone like the idea of processing the diff listing before mailing it
>> > out?
>> >
>> > I'd rather have rancid collect the configs and not mess with them -
>> > ie: rancid.conf has
>> >   FILTER_PWDS=NO
>> >   NOCOMMSTR=NO
>> >   ACLSORT=NO
>> > but I don't want things like SNMP community strings or
>> > encrypted/obfuscated passwords being mailed out..  So my idea is
>> > post-processing the diff listing before emailing it out.  Which would
>> > also let me know which configs changed so I could check the new
>> > configs & mail out a 'local config standards violations' email :)
>> >
>> > The code is really ugly, but as a proof of concept..
>>
>> why not do this outside of rancid; mail it to a script that processes
>> its input, such as you've done here, and emails the result to your
>> diff-receivers list.

Mainly because I'm not confident of my ability to get that working
correctly 100% of the time.  Adding another line or two to the
existing script seems much less error-prone :)

>> everyone can have their own flavor of diff
>> post-processing.
>
> btw, also see rancid-<vers>/share/rtrfilter.

Thanks for the pointer.  The problem I have with rtrfilter is that it
deletes lines & I want to know if something is added or changed, but I
don't want sensitive info mailed out.

here's my sanitize.sh - any suggestions for what else should be blanked out?
============
#!/bin/sh
# script to sanitize a cisco config
#
# Reads a rancid diff listing (or a plain config) and blanks the value
# that follows each sensitive keyword, leaving the rest of the line intact
# so a changed line still shows up as changed.

awk '
# separate the listings of different devices with blank lines
/^Index: configs/ { if ( NR != 1) printf("\n\n\n") }
{
  # IOS stuph
  strip("key 7 ", "xXxXxX")
  strip("md5 7 ", "xXxXxX")
  strip("password 7 ", "xXxXxX")
  strip("secret 5 ", "xXxXxX")
  strip("snmp-server community ", "xXxXxX")
  strip("crypto isakmp key ", "xXxXxX")
  strip("tacacs-server key 7 ", "xXxXxX")

  # CatOS stuph
  strip("set password "  , "xXxXxX")
  strip("set enablepass ", "xXxXxX")
  strip("set snmp community read-only "     , "xXxXxX")
  strip("set snmp community read-write "    , "xXxXxX")
  strip("set snmp community read-write-all ", "xXxXxX")
  strip("set tacacs key ", "xXxXxX")

  print $0
}

# replace the first token after prefix s with r: the pattern is s,
# optional spaces, then a run of non-space characters (the secret).
# "function" rather than "func" so it also runs on non-gawk awks.
function strip(s, r) {
  sub(s " *[^ ]*", s r, $0)
}
' "$1"
=============

Thanks,
Lee
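The same idea (blank the secret token, keep the diff marker and the rest of the line so the change is still visible), written out as an added example; this is not code from the post or from rancid. It goes beyond Lee's script in two ways: the optional single-digit IOS encryption type (0, 5, 6, 7, 8, 9) is matched generically instead of one prefix per type, and a longer digit run is treated as the secret itself, so a numeric pre-shared key is not skipped over. The prefixes `key-string`, `authentication-key` and `radius-server key` are my additions, and the sample diff listing is constructed, not taken from a real rancid run.

```shell
#!/bin/sh
# Added example (not from the original post or from rancid): mask the
# secrets in a rancid diff listing read on stdin. Diff markers (+, -, !,
# <, >, or a leading space) are untouched, so a changed line still shows
# as changed; only the secret token after a known prefix is replaced.

MASK='xXxXxX'

sanitize_diff() {
  awk -v mask="$MASK" '
  # Replace the first whitespace-delimited token after the text matched
  # by the regex re with the mask. Re-masking an already masked token is
  # a no-op, so overlapping rules are safe to apply in any order.
  function mask_after(re,    head, rest) {
    if (match($0, re)) {
      head = substr($0, 1, RSTART + RLENGTH - 1)
      rest = substr($0, RSTART + RLENGTH)
      sub(/^ *[^ ]+/, mask, rest)
      $0 = head rest
    }
  }
  {
    # "([0-9] )?" skips a single-digit IOS encryption type (0, 5, 6, 7, 8,
    # 9) so that "secret 5 $1$..." keeps its type and masks the hash.
    # A longer digit run is not a type, so a numeric pre-shared key such
    # as "crypto isakmp key 1234 address ..." is still masked.
    mask_after("(password|secret) ([0-9] )?")
    mask_after("md5 ([0-9] )?")
    mask_after("key-string ([0-9] )?")
    # NTP writes "authentication-key <id> md5 <key> <type>", OSPF writes
    # "authentication-key <type> <key>": the first optional group absorbs
    # the NTP id and md5 keyword so the key, not "md5", is masked.
    mask_after("authentication-key ([0-9]+ md5 )?([0-9] )?")
    mask_after("crypto isakmp key ([0-9] )?")
    mask_after("tacacs-server key ([0-9] )?")
    mask_after("radius-server key ([0-9] )?")
    mask_after("snmp-server community ")
    # CatOS
    mask_after("set (password|enablepass) ")
    mask_after("set snmp community (read-only|read-write|read-write-all) ")
    mask_after("set tacacs key ")
    print
  }'
}

# Constructed sample listing in the shape of a rancid unified diff.
SAMPLE_DIFF='Index: configs/router1
@@ -10,4 +10,4 @@
 snmp-server community public RO 10
-enable secret 5 $1$oldhash
+enable secret 5 $1$newhash
 ntp authentication-key 1 md5 0F1E2D 7
+crypto isakmp key 1234 address 192.0.2.1'

sample_output() {
  printf '%s\n' "$SAMPLE_DIFF" | sanitize_diff
}

# Usage: sanitize.sh <diff-listing>; with no argument, run on the sample.
if [ $# -gt 0 ]; then sanitize_diff < "$1"; else sample_output; fi
```

A false positive (a rule firing on a keyword used in a non-secret sense) only costs readability of the mail; a false negative leaks a credential, so the rules err on the side of masking, and the quickest check after adding a prefix is to run a config you know through it and grep the output for the secrets you expect to be gone.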


More information about the Rancid-discuss mailing list