Discussion:
[rancid] h3crancid doesn't filter passwords
Kevin Bonner
2013-03-07 20:10:48 UTC
*newly subscribed... sorry for the missing message IDs*

I've recently set up rancid to monitor several HP A5120 switches and ran into
this same issue.

My diff for h3crancid is:
--- /home/keb/tmp/h3crancid 2013-03-07 14:57:09.574706088 -0500
+++ ./h3crancid 2013-02-28 11:40:31.725587845 -0500
@@ -361,9 +361,16 @@
# s/\s*---- More ----\s*//;

# Filter out some sensitive data:
- if (/^( ?snmp-agent community (read|write) )(\S+)/ &&
- $filter_commstr == 0) {
- ProcessHistory("","","","!$1<removed>$'");
+ if (/^( ?snmp-agent community (read|write) )(\S+)/ && $filter_commstr) {
+ ProcessHistory("","","","#$1<removed>$'");
+ next;
+ }
+ if (/^( ?password (?:simple|cipher) )(.*)$/ && $filter_pwds >= 1) {
+ ProcessHistory("","","","#$1<removed>$'");
+ next;
+ }
+ if (/^( ?key (?:authentication|accounting) )(.*)$/ && $filter_pwds >= 1) {
+ ProcessHistory("","","","#$1<removed>$'");
next;
}
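Review bot: the `^ ?` anchor on all three new patterns tolerates at most one leading space, so a `password cipher` or `key authentication` line that is indented any deeper is passed through unfiltered; anchoring with `^(\s*password (?:simple|cipher) )(.*)$` (and likewise for the `snmp-agent community` and `key` patterns) keeps the indentation of a nested line from deciding whether its secret is stripped. Both `password simple` and `password cipher` are gated on the same `$filter_pwds >= 1`, so there is no way to drop the cleartext form while keeping the encrypted one; if the two levels of `$filter_pwds` are meant to make that distinction, gate `cipher` on `>= 2`. The `key` alternation only covers `authentication|accounting`, so any other qualifier on the same `key` statement slips through; worth checking against a real device config before the thread relies on "hides RADIUS keys". The change from `$filter_commstr == 0` to `$filter_commstr` is correct (the old test stripped community strings only when filtering was off), and note that the `---` header carries the newer timestamp (2013-03-07) while `+++` carries the older one (2013-02-28), so confirm the diff was not generated in reverse before applying it.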

This diff hides the SNMP community string if requested, hides the user
passwords (both types!), and also hides RADIUS keys. On the HP A5120 switch,
the pound symbol represents a comment line. Not sure if the other models
covered by this script have that same behavior.

Jethro, if you need someone to test future changes, feel free to contact me.

Cheers,
-Kevin
I know H3C is not officially supported in rancid, but maybe someone took
the time and already wrote password filtering routines for h3crancid?
If not, can I get some pointers on where in h3crancid that filtering
should happen? I would use other scripts as examples and write
something.
I have a bunch of updates to make to h3crancid at some point. If you can
give me samples of the lines where you want the passwords removing and the
context, I can take a look at incorporating them.
Jethro.
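A stand-alone harness that applies the three filter patterns from Kevin's patch to a constructed Comware-style snippet, once with the patch's `^ ?` anchor and once with `^\s*`, and reports which sample secrets survive each pass. This is an added example, not code from rancid or from the posted patch; the config lines, the secrets in them and the `$filter_commstr`/`$filter_pwds` values are assumptions made up for this run.

```perl
#!/usr/bin/perl
# Stand-alone harness for the three h3crancid filter patterns from the patch
# above.  Added example, not code from rancid or from the posted patch; the
# config lines below are constructed for illustration and the filter settings
# are assumptions.
use strict;
use warnings;

# Knobs h3crancid takes from rancid.conf (FILTER_COMMSTR / FILTER_PWDS);
# assumed values for this run.
my $filter_commstr = 1;
my $filter_pwds    = 1;

# Scrub one (chomped) config line.  $anchor is the indentation pattern put in
# front of the keyword: ' ?' reproduces the patch (zero or one space),
# '\s*' accepts any indentation.  Returns the line, rewritten if it matched.
sub scrub_line {
    my ($line, $anchor) = @_;
    $anchor = ' ?' unless defined $anchor;

    # SNMP community: $1 keeps the keyword, $2 is the string, $' keeps whatever
    # follows the string (ACL, MIB view) so the diff stays readable.
    if ($filter_commstr
        && $line =~ /^(${anchor}snmp-agent community (?:read|write) )(\S+)/) {
        return "#$1<removed>$'";
    }
    # User passwords: (.*)$ eats the rest of the line, so $' would be empty.
    if ($filter_pwds >= 1
        && $line =~ /^(${anchor}password (?:simple|cipher) )(.*)$/) {
        return "#$1<removed>";
    }
    # RADIUS shared keys.
    if ($filter_pwds >= 1
        && $line =~ /^(${anchor}key (?:authentication|accounting) )(.*)$/) {
        return "#$1<removed>";
    }
    return $line;
}

# Return the sample secrets that still appear verbatim in the scrubbed output.
sub secrets_left {
    my ($lines, @secrets) = @_;
    return grep { my $s = $_; grep { index($_, $s) >= 0 } @$lines } @secrets;
}

# Constructed Comware-style snippet; the two-space-indented line exists only
# to show what the stricter anchor misses.
my @sample = (
    'snmp-agent community read public acl 2000',
    'snmp-agent community write s3cret',
    'local-user admin',
    ' password cipher $c$3$ABCDEF==',
    ' service-type ssh',
    'radius scheme corp',
    ' key authentication r4diusk3y',
    ' key accounting r4diusk3y',
    '  password simple nestedpw',
    'interface Vlan-interface1',
);
my @secrets = qw(public s3cret ABCDEF== r4diusk3y nestedpw);

for my $anchor (' ?', '\s*') {
    my @out = map { scrub_line($_, $anchor) } @sample;
    print "--- anchor ^$anchor ---\n", map { "$_\n" } @out;
    my @left = secrets_left(\@out, @secrets);
    print @left ? "still present: @left\n\n" : "no sample secret left\n\n";
}
```

Run it with perl: the first pass leaves the two-space-indented `password simple` line untouched and reports `nestedpw` as still present, the second pass scrubs it. The `$'` postmatch is only non-empty for the community-string pattern, which is why the patch keeps the tail of that line after `<removed>` and emits nothing after `<removed>` on the password and key lines.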
Jethro R Binks
2013-03-08 14:04:34 UTC
Noted, I've been extremely lacking in time to do work in h3crancid (or
many other things) this year so far :(

J.
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
