[rancid] h3crancid doesn't filter passwords

Jethro R Binks jethro.binks at strath.ac.uk
Fri Mar 8 14:04:34 UTC 2013


Noted, I've been extremely lacking in time to do work in h3crancid (or 
many other things) this year so far :(

J.


On Thu, 7 Mar 2013, Kevin Bonner wrote:

> *newly subscribed... sorry for the missing message IDs*
> 
> I've recently set up rancid to monitor several HP A5120 switches and ran into 
> this same issue.
> 
> My diff for h3crancid is:
> --- /home/keb/tmp/h3crancid     2013-03-07 14:57:09.574706088 -0500
> +++ ./h3crancid 2013-02-28 11:40:31.725587845 -0500
> @@ -361,9 +361,16 @@
>  #        s/\s*---- More ----\s*//;
>  
>      # Filter out some sensitive data:
> -    if (/^( ?snmp-agent community (read|write) )(\S+)/ &&
> -       $filter_commstr == 0) {
> -        ProcessHistory("","","","!$1<removed>$'");
> +    if (/^( ?snmp-agent community (read|write) )(\S+)/ && $filter_commstr) {
> +        ProcessHistory("","","","#$1<removed>$'");
> +        next;
> +    }
> +    if (/^( ?password (?:simple|cipher) )(.*)$/ && $filter_pwds >= 1) {
> +        ProcessHistory("","","","#$1<removed>$'");
> +        next;
> +    }
> +    if (/^( ?key (?:authentication|accounting) )(.*)$/ && $filter_pwds >= 1) {
> +        ProcessHistory("","","","#$1<removed>$'");
>          next;
>      }
> 
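Review bot: the two new tests, /^( ?password (?:simple|cipher) )(.*)$/ and /^( ?key (?:authentication|accounting) )(.*)$/, accept at most one leading space, so a password or key line indented any deeper is matched by neither test and is not replaced with <removed>. Using \s* in place of " ?" at the start of the capture group would cover any indentation. Two smaller points on the same hunk: both tests use "$filter_pwds >= 1" for the simple and the cipher form alike, so no setting removes cleartext passwords while keeping ciphered ones, which deserves a comment if that is intended; and the replacement prefix changes from "!" to "#" on the existing snmp-agent line as well as the new ones, while the message below notes that "#" has only been confirmed as a comment character on the A5120, so the prefix should either stay "!" or be made a per-model choice.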
> This diff hides the SNMP community string if requested, hides the user 
> passwords (both types!), and also hides RADIUS keys.  On the HP A5120 switch, 
> the pound symbol represents a comment line.  Not sure if the other models 
> covered by this script have that same behavior.
> 
> Jethro, if you need someone to test future changes, feel free to contact me.
> 
> Cheers,
> -Kevin
> 
> On 2013.02.04 23:23, Jethro R Binks wrote:
> > > On Mon, 4 Feb 2013, ignasr at vault13.lt wrote:
> > >
> > >> I know H3C is not officially supported in rancid, but maybe someone took
> > >> the time and already wrote password filtering routines for h3crancid?
> > >>
> > >> If not, can I get some pointers on where in h3crancid that filtering
> > >> should happen? I would use other scripts as examples and write
> > >> something.
> > >
> > > I have a bunch of updates to make to h3crancid at some point.  If you can
> > > give me samples of the lines where you want the passwords removing and the
> > > context, I can take a look at incorporating them.
> > >
> > > Jethro.
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
