- workaround for Cisco's Role-Based CLI
- fix radius-server key partial exposure if FILTER_PWDS is used and key uses non-"word" characters
- more password filtering for Cisco
- filter out ddns add URLs (I don't use ddns remove URLs) — dirty quick fix: I didn't want to spend time figuring out how to filter the logins and passwords out of the URLs, so I fixed it by removing the entire URL strings
--- bin/rancid.in.orig Wed Feb 16 02:16:59 2011
+++ bin/rancid.in Tue May 3 18:44:49 2011
@@ -1672,6 +1672,9 @@ sub WriteTerm {
if (/^(ppp .* password) 7 .*/ && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n"); next;
}
+ if (/^\s+(ppp chap (hostname|(password \d))) / && $filter_pwds >= 1) {
+ ProcessHistory("","","","!$1 \n"); next;
+ }
if (/^(ip ftp password) / && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n"); next;
}
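Review bot: The new check on line 11 only matches `ppp chap password` when an encryption-type digit follows it, so a plain `ppp chap password SECRET` (the type is optional in IOS) is not filtered and is still written out in clear. Making the digit optional closes that gap: `if (/^\s+(ppp chap (hostname|password( \d)?)) / && $filter_pwds >= 1) {`. Note also that `ppp chap hostname` is an identifier rather than a secret; filtering it is a judgment call but removes a value operators may want tracked in the diff. The enclosing `sub WriteTerm` starts and ends outside this hunk.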
@@ -1725,6 +1728,12 @@ sub WriteTerm {
if (/(\s+ldap-login-password )\S+(.*)/ && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 $'"); next;
}
+ if (/^\s+(wpa-psk ascii|hex \d) / && $filter_pwds >= 1) {
+ ProcessHistory("","","","!$1 \n"); next;
+ }
+ if (/^\s+add / && $filter_pwds >= 1) {
+ ProcessHistory("","","","!$1 \n"); next;
+ }
#
if (/^( cable shared-secret )/ && $filter_pwds >= 1) {
ProcessHistory("","","","!$1 \n");
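Review bot: The `add` check on line 24 has no capturing group, so `$1` in the ProcessHistory call on line 25 is undefined after a successful match and the replacement line comes out as `! ` (with an uninitialized-value warning if warnings are enabled); it also catches every indented line beginning with `add `, not only ddns URLs. Scoping it to URLs and capturing the keyword fixes both, and covers `remove` URLs, which carry the same embedded credentials: `if (/^\s+(add|remove) \S*:\/\/\S*/ && $filter_pwds >= 1) {`. Separately, the alternation on line 21 groups as `wpa-psk ascii` OR `hex \d`, so `wpa-psk hex N KEY` lines are not filtered while any indented `hex N ...` line is; `if (/^\s+(wpa-psk (ascii|hex)( \d)?) / && $filter_pwds >= 1) {` matches the IOS syntax, where the encryption type is optional. WriteTerm's body continues outside the hunk.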
@@ -1828,7 +1837,7 @@ sub WriteTerm {
}
}
# prune tacacs/radius server keys
- if (/^((tacacs|radius)-server\s(\w*[-\s(\s\S+])*\s?key) (\d )?\w+/
+ if (/^((tacacs|radius)-server\s(\w*[-\s(\s\S+])*\s?key) (\d )?\S+/
&& $filter_pwds >= 1) {
ProcessHistory("","","","!$1 $'"); next;
}
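Review bot: Widening `\w+` to `\S+` on line 35 still leaves everything after the first whitespace in `$'`, which the ProcessHistory call on line 37 appends after `!$1 `; if a key contains embedded spaces, the tail of the key is still written out in clear, the same class of exposure this change is fixing. The neighbouring filters in this function emit `!$1 \n` and discard the remainder, so doing the same here, `ProcessHistory("","","","!$1 \n"); next;`, closes the gap at the cost of also dropping any non-secret options that might follow the key. The enclosing `sub WriteTerm` continues outside the hunk.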
@@ -1949,6 +1958,7 @@ sub DoNothing {print STDOUT;}
{'show vlan-switch' => 'ShowVLAN'},
{'show debug' => 'ShowDebug'},
{'more system:running-config' => 'WriteTerm'}, # ASA/PIX
+ {'show running-config view full' => 'WriteTerm'}, # workaround for role-based CLI
{'show running-config' => 'WriteTerm'},
{'write term' => 'WriteTerm'},
);
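Review bot: The comment on the new entry on line 43 says only that it is a workaround; it should state what the problem is so a later maintainer knows when the entry can go, e.g. `# role-based CLI (parser views): only 'view full' shows the complete config`. Both this command and the plain `show running-config` map to WriteTerm, so on a device with views the running config is presumably collected twice unless one of the two fails or is discarded; if that is the intended behaviour, the comment should say so. The entry is placed ahead of `show running-config`, which looks deliberate; if ordering matters in this table, note that as well.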