[rancid] Revision controlled full backup without notification?
Lee
ler762 at gmail.com
Sat Feb 27 05:51:39 UTC 2016
On 2/26/16, Chris Bennett <chris at ceegeebee.com> wrote:
> Hi there,
>
> Is there a way of using RANCID to perform standard config backups with
> password removal etc & change notification, coupled with a full
> untouched backup of the config in revision control without change
> notification? I'm wanting to ensure I have both useful change
> notification emails, whilst having a full copy of the config for
> restore/DR purposes.

It's pretty easy - control_rancid puts the diff output into $TMP.diff.
So have rancid do unmodified config backups & add something like the following:

    # -LR- begin: remove passwords etc. from diff listing
    sanitize.sh $TMP.diff >$TMP.diff2
    /bin/mv $TMP.diff2 $TMP.diff

in control_rancid to remove the sensitive bits from the file before
mailing it out.

Regards,
Lee
$ cat sanitize.sh
#!/bin/sh
# script to sanitize a cisco config
awk '
# blank lines between the per-device sections of the diff
/^Index: configs/ { if ( NR != 1) printf("\n\n\n") }
{
    # IOS stuph
    strip("key 7 ", "xXxXxX")
    strip("md5 7 ", "xXxXxX")
    strip("password 3 ", "xXxXxX")
    strip("password 5 ", "xXxXxX")
    strip("password 7 ", "xXxXxX")
    strip("secret 5 ", "xXxXxX")
    strip("snmp-server community ", "xXxXxX")
    strip("crypto isakmp key ", "xXxXxX")
    strip("tacacs-server key 7 ", "xXxXxX")
    # CatOS stuph
    strip("set password " , "xXxXxX")
    strip("set enablepass ", "xXxXxX")
    strip("set snmp community read-only " , "xXxXxX")
    strip("set snmp community read-write " , "xXxXxX")
    strip("set snmp community read-write-all ", "xXxXxX")
    strip("set tacacs key ", "xXxXxX")
    print $0
}
# replace the word that follows prefix s with the placeholder r
# ("function" rather than "func" so any POSIX awk accepts it)
function strip(s, r) {
    sub(s " *[^ ]*", s r, $0)
}
' "$1"
$
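
Added example, not part of the original post and not RANCID's own code: sanitize.sh only redacts the prefixes it lists, so a check like this can run on the sanitized $TMP.diff before it is mailed and hold the message when a credential keyword is still followed by something other than the xXxXxX placeholder. The function names, the keyword list and the sample diff are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed leak check for a sanitized RANCID diff.
# Assumption: the placeholder is the xXxXxX string used by sanitize.sh.

# leak_lines FILE: print the numbers of lines where a credential keyword is
# followed by a value other than the placeholder. Values are never echoed.
leak_lines() {
    awk -v ph='xXxXxX' '
    {
        sub(/^[+-]/, "")   # drop the diff marker so it cannot glue onto a keyword
        for (i = 1; i < NF; i++) {
            if ($i !~ /^(password|secret|key|community|enablepass)$/) continue
            j = i + 1
            # skip an encryption-type digit or a CatOS community qualifier
            if ($j ~ /^([0-9]|read-only|read-write|read-write-all)$/) j++
            if (j <= NF && $j != ph) { print NR; break }
        }
    }' "$1"
}

# safe_to_mail FILE: succeed only when leak_lines reports nothing.
safe_to_mail() {
    [ -z "$(leak_lines "$1")" ]
}

# make_sample FILE: write a constructed diff as it would look after
# sanitize.sh ran; line 6 uses a syntax the sanitizer has no pattern for.
make_sample() {
    cat >"$1" <<'EOF'
Index: configs/rtr1.example.net
@@ -12,4 +12,5 @@
 enable secret 5 xXxXxX
-snmp-server community xXxXxX RO
+snmp-server community xXxXxX RW
+username backup secret 9 CONSTRUCTED-NOT-A-REAL-HASH
 set snmp community read-only xXxXxX
EOF
}

# Demo on the constructed sample: the mail is held and only line numbers shown.
tmp=$(mktemp) && make_sample "$tmp"
safe_to_mail "$tmp" || echo "held: unredacted value on line(s) $(leak_lines "$tmp")"
rm -f "$tmp"
```

In control_rancid a check of this kind would sit between the sanitize.sh step and the mail command. It will also flag harmless lines such as a key chain name, which is the cost of failing closed.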