[rancid] Revision controlled full backup without notification?
Chris Bennett
2016-02-27 02:58:50 UTC
Hi there,

Is there a way of using RANCID to perform standard config backups with
password removal etc & change notification, coupled with a full
untouched backup of the config in revision control without change
notification? I'm wanting to ensure I have both useful change
notification emails, whilst having a full copy of the config for
restore/DR purposes.

Thanks,

Chris
Lee
2016-02-27 05:51:39 UTC
Post by Chris Bennett
Hi there,
Is there a way of using RANCID to perform standard config backups with
password removal etc & change notification, coupled with a full
untouched backup of the config in revision control without change
notification? I'm wanting to ensure I have both useful change
notification emails, whilst having a full copy of the config for
restore/DR purposes.
It's pretty easy - control_rancid puts the diff output into $TMP.diff
So have rancid do unmodified config backups & add something like the following

# -LR- begin: remove passwords etc. from diff listing
sanitize.sh $TMP.diff >$TMP.diff2
/bin/mv $TMP.diff2 $TMP.diff

in control_rancid to remove the sensitive bits from the file before
mailing it out.

Regards,
Lee


$ cat sanitize.sh
#!/bin/sh
# script to sanitize a cisco config diff: masks the value that follows
# each credential keyword so the mailed diff carries no secrets

awk '
# put blank lines between the per-device sections of the diff
/^Index: configs/ { if ( NR != 1) printf("\n\n\n") }
{
    # IOS stuph
    strip("key 7 ", "xXxXxX")
    strip("md5 7 ", "xXxXxX")
    strip("password 3 ", "xXxXxX")
    strip("password 5 ", "xXxXxX")
    strip("password 7 ", "xXxXxX")
    strip("secret 5 ", "xXxXxX")
    strip("snmp-server community ", "xXxXxX")
    strip("crypto isakmp key ", "xXxXxX")
    strip("tacacs-server key 7 ", "xXxXxX")

    # CatOS stuph
    strip("set password " , "xXxXxX")
    strip("set enablepass ", "xXxXxX")
    strip("set snmp community read-only " , "xXxXxX")
    strip("set snmp community read-write " , "xXxXxX")
    strip("set snmp community read-write-all ", "xXxXxX")
    strip("set tacacs key ", "xXxXxX")

    print $0
}

# replace the token that follows prefix s with the mask r
# ("function" is the POSIX spelling; "func" is a gawk extension)
function strip(s, r) {
    sub(s " *[^ ]*", s r, $0)
}
' "$1"

$
Chris Bennett
2016-02-27 06:56:36 UTC
Hey thanks for the reply. What you propose will work great for one
use case I have.

I was actually thinking of another use case, but now that I've looked
closer at what RANCID does, it doesn't look possible without some
coding. I'm dealing with a couple of devices that have cycling
RSA keys. The XXrancid script specifically excludes these snippets
unconditionally. If the config fetching was separate from the
processing of output, I could do what I want easily :)

Thanks,

Chris
heasley
2016-02-27 15:29:22 UTC
Post by Chris Bennett
I was actually thinking of another use case, but now that I've looked
closer at what RANCID does, it doesn't look possible without some
coding. I'm dealing with a couple of devices that have cycling
RSA keys. The XXrancid script specifically excludes these snippets
unconditionally. If the config fetching was separate from the
processing of output, I could do what I want easily :)
I'd be willing to change the code to optionally retain things like this, but
still filter other oscillating things like timestamps. It potentially makes
the history rather cluttered. But, perhaps someone has a better idea to
address this?

heasley
2016-02-27 15:26:02 UTC
Post by Lee
It's pretty easy - control_rancid puts the diff output into $TMP.diff
So have rancid do unmodified config backups & add something like the following
# -LR- begin: remove passwords etc. from diff listing
sanitize.sh $TMP.diff >$TMP.diff2
/bin/mv $TMP.diff2 $TMP.diff
I encourage you to use rancid.conf:DIFFSCRIPT added in rancid 3.2 to include
your custom filter. Otherwise, the right solution. Prost.
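A filter in the shape heasley's DIFFSCRIPT suggestion calls for, covering the same masking job as Lee's sanitize.sh, added here as an example and not code from the thread or from the rancid project. It assumes the script named in rancid.conf receives the diff on stdin and must write the filtered diff to stdout; the sample diff, the `<removed>` mask and the `leaked_secret_lines` self-check (run before mailing to catch a keyword the pattern list missed) are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of a rancid diff, not captured from a real device.
SAMPLE_DIFF='Index: configs/rtr1
===================================================================
retrieving revision 1.7
diff -u -4 -r1.7 rtr1
--- rtr1    2016-02-26 10:00:00
+++ rtr1    2016-02-27 10:00:00
@@ -10,9 +10,9 @@
 hostname rtr1
-enable secret 5 $1$abcd$0123456789abcdefghijk
+enable secret 5 $1$wxyz$zyxwvutsrqponmlkjihgf
 snmp-server community s3cr3tRO RO
 interface Loopback0
  ip address 10.0.0.1 255.255.255.255'

MASK='<removed>'

# Reads a diff on stdin, writes it to stdout with the token that follows
# each credential keyword replaced by $MASK. Diff prefixes (+, -, space)
# are untouched because sub() matches anywhere in the line.
sanitize_diff() {
  awk -v mask="$MASK" '
    function strip(s) {
      # replace the first space-separated token after the prefix s
      sub(s "[^ ]*", s mask, $0)
    }
    {
      strip("secret 5 ");  strip("password 7 ");  strip("password 5 ")
      strip("key 7 ");     strip("md5 7 ");       strip("crypto isakmp key ")
      strip("snmp-server community ")
      print
    }'
}

# Self-check: counts lines where a credential keyword is still followed by
# something other than the mask. Prints 0 when the diff is clean to mail.
leaked_secret_lines() {
  awk '/(secret 5|password [57]|key 7|md5 7|snmp-server community) +[^ <]/ { n++ }
       END { print n + 0 }'
}

# Stand-alone run: show the filtered diff and the leak count for the sample.
printf '%s\n' "$SAMPLE_DIFF" | sanitize_diff
printf '%s\n' "$SAMPLE_DIFF" | sanitize_diff | leaked_secret_lines
```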