[rancid] h3crancid doesn't filter passwords

Kevin Bonner kbonner at gmail.com
Thu Mar 7 20:10:48 UTC 2013


*newly subscribed... sorry for the missing message IDs*

I've recently set up rancid to monitor several HP A5120 switches and ran into
this same issue.

My diff for h3crancid is:
--- /home/keb/tmp/h3crancid     2013-03-07 14:57:09.574706088 -0500
+++ ./h3crancid 2013-02-28 11:40:31.725587845 -0500
@@ -361,9 +361,16 @@
 #        s/\s*---- More ----\s*//;
 
     # Filter out some sensitive data:
-    if (/^( ?snmp-agent community (read|write) )(\S+)/ &&
-       $filter_commstr == 0) {
-        ProcessHistory("","","","!$1<removed>$'");
+    if (/^( ?snmp-agent community (read|write) )(\S+)/ && $filter_commstr) {
+        ProcessHistory("","","","#$1<removed>$'");
+        next;
+    }
+    if (/^( ?password (?:simple|cipher) )(.*)$/ && $filter_pwds >= 1) {
+        ProcessHistory("","","","#$1<removed>$'");
+        next;
+    }
+    if (/^( ?key (?:authentication|accounting) )(.*)$/ && $filter_pwds >= 1) {
+        ProcessHistory("","","","#$1<removed>$'");
         next;
     }
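
Review bot: `password cipher` is stripped at the same `$filter_pwds >= 1` threshold as `password simple`, so there is no way to drop the clear-text passwords while keeping the already-encrypted ones; if the numeric FILTER_PWDS levels are meant to distinguish clear-text from encrypted secrets the way the other rancid scripts do, split the alternation and guard the `cipher` branch with `$filter_pwds >= 2`. Also, both new patterns capture `(.*)$`, which consumes to end of line, so the trailing `$'` in `"#$1<removed>$'"` is always empty and the second capture is unused; either drop `$'` there or capture `(\S+)` as the snmp-agent line does, so anything following the secret survives. Lastly, the replacement prefix changes from `!` to `#` on all three lines; any other `ProcessHistory` comment lines in h3crancid that still emit `!` should be changed in the same patch so the generated config uses one comment character.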

This diff hides the SNMP community string if requested, hides the user 
passwords (both types!), and also hides RADIUS keys.  On the HP A5120 switch, 
the pound symbol represents a comment line.  Not sure if the other models 
covered by this script have that same behavior.

Jethro, if you need someone to test future changes, feel free to contact me.

Cheers,
-Kevin

On 2013.02.04 23:23, Jethro R Binks wrote:
> On Mon, 4 Feb 2013, ignasr at vault13.lt wrote:
>
> > I know H3C is not officially supported in rancid, but maybe someone took
> > the time and already wrote password filtering routines for h3crancid?
> >
> > If not, can I get some pointers on where in h3crancid that filtering
> > should happen? I would use other scripts as examples and write
> > something.
>
> I have a bunch of updates to make to h3crancid at some point.  If you can
> give me samples of the lines where you want the passwords removing and the
> context, I can take a look at incorporating them.
>
> Jethro.
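The filtering in the patch above, as an added stand-alone example that is not part of this thread or of rancid's own code: `filter_line()` is a hypothetical helper (h3crancid has no such function), the Comware configuration lines are constructed for the example, the cipher value is made up, and the level split (1 strips clear-text secrets, 2 also strips `password cipher`) is an assumption modelled on how other rancid scripts treat clear-text versus encrypted secrets. It keeps the patch's `#` comment prefix and its use of `$'` so that anything after the secret (an ACL reference on the community line, for instance) survives.

```perl
#!/usr/bin/perl
# Stand-alone model of the h3crancid secret filter discussed in the thread.
# Added example, not rancid's code: filter_line() is hypothetical, and the
# FILTER_PWDS level split below is an assumption, not h3crancid behaviour.
use strict;
use warnings;

# $filter_pwds: 0 = keep everything, 1 = strip clear-text secrets,
#               2 = strip encrypted/hashed forms as well (assumed convention).
# $filter_commstr: true = strip SNMP community strings.
sub filter_line {
    my ($line, $filter_pwds, $filter_commstr) = @_;
    local $_ = $line;

    # SNMP community strings. (\S+) captures only the string itself, so $'
    # still holds anything that follows it, e.g. "acl 2000".
    if (/^( ?snmp-agent community (?:read|write) )(\S+)/ && $filter_commstr) {
        return "#$1<removed>$'";
    }
    # Clear-text user passwords go at level 1.
    if (/^( ?password simple )(\S+)/ && $filter_pwds >= 1) {
        return "#$1<removed>$'";
    }
    # Already-encrypted passwords only at level 2 (assumed split).
    if (/^( ?password cipher )(\S+)/ && $filter_pwds >= 2) {
        return "#$1<removed>$'";
    }
    # RADIUS / HWTACACS shared keys are clear-text here, so level 1.
    if (/^( ?key (?:authentication|accounting) )(\S+)/ && $filter_pwds >= 1) {
        return "#$1<removed>$'";
    }
    return $_;
}

# Constructed sample of a Comware 5 configuration (not a real device dump);
# the cipher string is made up.
my @config = (
    'snmp-agent community read public acl 2000',
    'snmp-agent community write private',
    'local-user admin',
    ' password simple Secret123',
    'local-user ops',
    ' password cipher $c$3$lbtCGrgOnG2LG4u6Q8ztpJ9ZLdkHRIcr',
    'radius scheme rad1',
    ' key authentication R4d1usK3y',
    ' key accounting R4d1usK3y',
);

# Show what survives at each level, with community-string filtering on.
for my $level (0, 1, 2) {
    print "--- FILTER_PWDS=$level NOCOMMSTR=1 ---\n";
    print filter_line($_, $level, 1), "\n" for @config;
}
```

Run it with `perl filter.pl` (any file name) and compare the three blocks: at level 0 only the community strings are rewritten, at level 1 the `simple` password and the RADIUS keys go, and at level 2 the `cipher` line goes too. Because each pattern captures `(\S+)` rather than `(.*)$`, `$'` is only empty when nothing followed the secret; the `acl 2000` suffix on the read community is preserved in the output.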

