[rancid] h3crancid doesn't filter passwords
ignasr at vault13.lt
Tue Feb 5 10:20:07 UTC 2013
On 2013.02.05 10:40, Jethro R Binks wrote:
> On Tue, 5 Feb 2013, ignasr at vault13.lt wrote:
>
>>> I have a bunch of updates to make to h3crancid at some point. If you can
>>> give me samples of the lines where you want the passwords removing and the
>>> context, I can take a look at incorporating them.
>>>
>>> Jethro.
>>
>> Thank you. It seems this was easier than I thought. Password ciphers can be
>> filtered with
>>
>> ###
>> --- h3crancid.o 2013-02-04 16:06:16.583056212 +0200
>> +++ h3crancid 2013-02-04 21:38:27.514053756 +0200
>> @@ -367,6 +367,12 @@
>> next;
>> }
>>
>> + # Filter password ciphers
>> + if (/^( password cipher )\S+$/ && $filter_pwds >= 2) {
>> + ProcessHistory("","","","$1<removed>$'");
>> + next;
>> + }
>> +
>> ProcessHistory("","","","$_");
>>
>> # end of config
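Review bot: The pattern in the added `if` matches only ` password cipher ` lines, so a `password simple` line, which carries the password in plaintext, still falls through to the unfiltered `ProcessHistory("","","","$_")` below it; consider matching `(cipher|simple)` and removing the `simple` form already at `$filter_pwds >= 1`. Because the pattern ends in `\S+$`, `$'` is always empty in the replacement string and can be dropped.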
>> ###
>>
>> And this is enough for me for the time being.
>
> I just looked, and the current version I am running has this:
>
> # Filter out some sensitive data:
> if (/^( ?snmp-agent community (read|write)) (\S+)/) {
>     if ($filter_commstr) {
>         ProcessHistory("", "", "", "!$1 <removed>$'");
>         next;
>     } else {
>         ProcessHistory("", "", "", "$_");
>         next;
>     }
> }
>
> if (
>     /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
>     /^( set authentication password (cipher|simple)) (\S+)/ ||
>     /^( password (cipher|simple)) (\S+)/ ) {
>     if ($filter_pwds >= 1) {
>         ProcessHistory("", "", "", "! $1 <removed>$'");
>         next;
>     } else {
>         ProcessHistory("", "", "", "$_");
>         next;    # skip the final ProcessHistory so the line is not emitted twice
>     }
> }
>
> ProcessHistory("", "", "", "$_");
>
>
> Jethro.
Thank you for the snippet. I was using h3crancid from
https://sites.google.com/site/jrbinks/code/rancid/h3c which doesn't have
this code.
IgnasR
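
A stand-alone check of the two rules quoted in this thread, added here as an example and not part of h3crancid or of either poster's message: it runs constructed sample lines through each rule and flags any secret that survives. The function names, sample lines and secret values are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example: compares the two filtering rules quoted in this thread.
# Function names and sample config lines are constructed for illustration.
use strict;
use warnings;

# Constructed samples: [config line, secret that must not survive filtering].
my @samples = (
    [' password cipher EXAMPLECIPHER1',                    'EXAMPLECIPHER1'],
    [' password simple ExamplePlain1',                     'ExamplePlain1'],
    [' set authentication password cipher EXAMPLECIPHER2', 'EXAMPLECIPHER2'],
    ['super password level 3 simple ExamplePlain2',        'ExamplePlain2'],
    [' description uplink to core',                        undef],
);

# Rule from the patch (only active when $filter_pwds >= 2).
sub patch_rule {
    my ($line, $filter_pwds) = @_;
    return "$1<removed>$'"
        if $line =~ /^( password cipher )\S+$/ && $filter_pwds >= 2;
    return $line;
}

# Rules from the maintainer's snippet (active when $filter_pwds >= 1).
sub maintainer_rule {
    my ($line, $filter_pwds) = @_;
    if ($line =~ /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
        $line =~ /^( set authentication password (cipher|simple)) (\S+)/ ||
        $line =~ /^( password (cipher|simple)) (\S+)/) {
        return "! $1 <removed>$'" if $filter_pwds >= 1;
    }
    return $line;
}

# Run every sample through both rules and flag any secret left in the output.
my $leaks = 0;
for my $rule (['patch', \&patch_rule, 2], ['maintainer', \&maintainer_rule, 1]) {
    my ($name, $fn, $level) = @$rule;
    for my $sample (@samples) {
        my ($line, $secret) = @$sample;
        my $out  = $fn->($line, $level);
        my $leak = defined($secret) && index($out, $secret) >= 0;
        $leaks++ if $leak;
        printf "%-10s %-4s %s\n", $name, ($leak ? 'LEAK' : 'ok'), $out;
    }
}
print "$leaks secret(s) left unfiltered\n";
```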