[rancid] h3crancid doesn't filter passwords
Jethro R Binks
jethro.binks at strath.ac.uk
Tue Feb 5 08:40:29 UTC 2013
On Tue, 5 Feb 2013, ignasr at vault13.lt wrote:
> > I have a bunch of updates to make to h3crancid at some point. If you can
> > give me samples of the lines where you want the passwords removing and the
> > context, I can take a look at incorporating them.
> >
> > Jethro.
>
> Thank you. It seems this was easier than I thought. Password ciphers can be
> filtered with
>
> ###
> --- h3crancid.o 2013-02-04 16:06:16.583056212 +0200
> +++ h3crancid 2013-02-04 21:38:27.514053756 +0200
> @@ -367,6 +367,12 @@
> next;
> }
>
> + # Filter password ciphers
> + if (/^( password cipher )\S+$/ && $filter_pwds >= 2) {
> + ProcessHistory("","","","$1<removed>$'");
> + next;
> + }
> +
> ProcessHistory("","","","$_");
>
> # end of config
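Review bot: the pattern on the added `if` line matches only ` password cipher <value>`, so a ` password simple <value>` line still reaches the unfiltered `ProcessHistory("","","","$_");` below it, whatever `$filter_pwds` is set to. Suggest matching `(cipher|simple)` and gating the `simple` form at the lower `$filter_pwds` level. The `\S+$` anchor also means a line with anything after the value is not filtered, and the single leading-space prefix does not cover other password-bearing statements such as `super password ... cipher`.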
> ###
>
> And this is enough for me for the time being.
I just looked, and the current version I am running has this:

    # Filter out some sensitive data:
    if (/^( ?snmp-agent community (read|write)) (\S+)/) {
        if ($filter_commstr) {
            ProcessHistory("", "", "", "!$1 <removed>$'");
            next;
        } else {
            ProcessHistory("", "", "", "$_");
            next;
        }
    }
    if (
        /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
        /^( set authentication password (cipher|simple)) (\S+)/ ||
        /^( password (cipher|simple)) (\S+)/ ) {
        if ($filter_pwds >= 1) {
            ProcessHistory("", "", "", "! $1 <removed>$'");
            next;
        } else {
            ProcessHistory("", "", "", "$_");
            # skip the final ProcessHistory below so the line is not emitted twice
            next;
        }
    }
    ProcessHistory("", "", "", "$_");

Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
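
A check that complements the filters discussed in this thread, as an added example (not part of the original messages or of h3crancid): it scans saved configuration text for the statements those filter patterns target and reports any whose value is not `<removed>`. The name `audit_lines`, the sample lines after `__END__` and their values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: audit saved H3C configs for secrets that escaped filtering.
use strict;
use warnings;

# Statement prefixes taken from the filter patterns quoted in this thread.
my @SECRET_STMTS = (
    qr/snmp-agent community (?:read|write)/,
    qr/super password(?: level \d)? (?:cipher|simple)/,
    qr/set authentication password (?:cipher|simple)/,
    qr/password (?:cipher|simple)/,
);

# Return [line_number, statement] for every line whose secret is still present.
# audit_lines is a hypothetical helper name, not an h3crancid function.
sub audit_lines {
    my @findings;
    my $n = 0;
    for my $line (@_) {
        $n++;
        for my $stmt (@SECRET_STMTS) {
            # Allow the leading "!" and spacing that the filter adds.
            next unless $line =~ /^!?\s*($stmt)\s+(\S+)/;
            # Record the statement only, never the secret value itself.
            push @findings, [$n, $1] unless $2 eq '<removed>';
            last;
        }
    }
    return @findings;
}

# With no file arguments, run over the constructed sample after __END__.
my @lines = @ARGV ? <> : <DATA>;
chomp @lines;
my @hits = audit_lines(@lines);
printf "line %d: unfiltered value after '%s'\n", @$_ for @hits;
exit(@hits ? 1 : 0);

__END__
 snmp-agent community read EXAMPLEcomm
! snmp-agent community write <removed>
 local-user admin
  password cipher EXAMPLEciphertext
!  password simple <removed>
 super password level 3 cipher EXAMPLEsuper
```

The non-zero exit status on any finding lets the check run from cron or a repository hook after each collection.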