Network Change & Configuration Management

Hiding Script-Variables values from Process Log and Session Log

adomeit
Techie
Posts: 7

Hi,

We are not allowed to run FTP servers (even internal ones) with anonymous login access and all of our passwords are controlled by corporate policy for expiry, complexity etc.  We also don't store credentials insecurely in scripts.  I have a NetMRI CCS script that connects to devices, does some file operations and checks and if everything is cool, will copy firmware or whatever to the device.  Since the device initiates the connection to download the file, we need to feed the script credentials, which is easy enough using Script-Variables.  It all works just fine but the ID and password are recorded in the job details under the Process Log tab and the session log.

 

I looked in the CCS scripting guide and a few other places but I didn't find any knob or lever that would allow you to signal to NetMRI to not log a variable's values or to put little stars in their place.

 

Is there a knob or a flag you can use on a variable to tell the CCS processor to not log a particular variable value?  The alternative of doing key based auth via SCP is pretty painful.

-paul

Re: Hiding Script-Variables values from Process Log and Session Log

Adviser
Posts: 53

Hi,

 

I'm not sure if you are aware of this, but NetMRI has a TFTP server running on it for such use cases. The TFTP server is typically blocked by an ACL list, however, for a given script run against a given device, it is opened for the device for the duration of the script run.

 

Simply scp the files into the admin shell “tftp” directory and then run the “tftpsync” command from inside the admin shell. The “tftpsync” command copies the files from the “tftp” directory into the TFTP server’s staging area. After that, jobs should be able to access the files via tftp://NetMRI_IP_Address/Name_of_File .

 

Thanks,

- Chris

 

Re: Hiding Script-Variables values from Process Log and Session Log

Expert
Posts: 231

I never knew that!  It might come in handy.

Re: Hiding Script-Variables values from Process Log and Session Log

Expert
Posts: 231

Could you place the files on an HTTP(S) server instead?  Restrict access based on source address via the server OS firewall and/or webserver rules (Linux iptables + Apache)?

Re: Hiding Script-Variables values from Process Log and Session Log

Adviser
Posts: 53

Actually, yes. The files in the TFTP server's staging area should also be available via http and https, depending on how your system is configured. Just replace tftp:// with http:// or https://, the rest should be the same.

 

Thanks,

- Chris

 

 

Re: Hiding Script-Variables values from Process Log and Session Log

Expert
Posts: 231

Chris, I don't follow you on the last part.  If one attempts an HTTP(S) access to the NetMRI without some special URL to point to the staging area, it would result in a UI login redirect.  And NetMRI wouldn't allow an unauthenticated access for HTTP(S), right? Hopefully.

Re: Hiding Script-Variables values from Process Log and Session Log

Adviser
Posts: 53

Hi Marty,

 

No, that is not the case. NetMRI dynamically manipulates its own ACL list such that, for the duration of the job, the target device is allowed access to *only* the tftp/http/https staging areas. Once the job has completed against the target device, the ACL change is reverted.

 

Thanks,

- Chris

 

 

Re: Hiding Script-Variables values from Process Log and Session Log

Expert
Posts: 231

Never would have guessed that.  So where exactly is this documented?  :)

The admin guide discusses TFTP as part of ACM bare metal deployments.  As part of that, it says "A NIOS appliance can also operate as a TFTP server."

Re: Hiding Script-Variables values from Process Log and Session Log

Adviser
Posts: 53

Hi Marty,

 

Yeah, bits and pieces are documented here and there, but, I agree, it isn't all in one place and obvious. This support was added for Cisco rollbacks, and bulk config template pushes (Juniper needed http support as it did not support tftp).

 

Thanks,

- Chris

 

 


Re: Hiding Script-Variables values from Process Log and Session Log

Authority
Posts: 32

 

To answer the original question...   Yes, there is a way to make NetMRI obscure the value that is entered at runtime for a script variable.

 

If you specify "password" as the data type, like this:

 

Script-Variables:
     $SomeString     password

 

...the value you enter for that variable will be obscured on-screen (to foil the bad guys looking over your shoulder), and in the Status and Process logs as well:

 

+++ [Script-Variables]
+++   $somestring = '******'

 

...but if the string also appears in the session log (e.g. if the target device echoes the characters), then I don't think there is anything you can do on NetMRI to prevent that.
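As an added example, not code from this thread or from Infoblox: a small Python post-processor that reads a Script-Variables block in the format shown above, picks out the variables declared with the password data type, renders the masked process-log entry the way the reply shows it, and then masks the same runtime values wherever a device has echoed them back into a session-log excerpt. The CCS fragment, the runtime values and the session-log lines are all constructed for the example, and the redaction is a generic substring mask applied after the fact, not a NetMRI feature.

```python
import re

# Constructed CCS script fragment in the Script-Variables format shown in the
# thread: one "$name type" entry per line, with "password" marking a secret.
CCS_SCRIPT = """\
Script-Variables:
     $FtpUser        string
     $FtpPass        password
     $ImageFile      string
"""

# Constructed runtime values, as a job would receive them when launched.
RUNTIME_VALUES = {
    "FtpUser": "svc-netmri",
    "FtpPass": "Tr0ub4dor&3",
    "ImageFile": "c2960-lanbasek9-mz.bin",
}

# Constructed session-log excerpt in which the device echoes the credentials
# back in the copy URL (the leak the last reply in the thread points out).
SESSION_LOG = """\
switch#copy ftp://svc-netmri:Tr0ub4dor&3@10.0.0.5/c2960-lanbasek9-mz.bin flash:
Destination filename [c2960-lanbasek9-mz.bin]?
Accessing ftp://svc-netmri:Tr0ub4dor&3@10.0.0.5/c2960-lanbasek9-mz.bin...
Loading c2960-lanbasek9-mz.bin !!!!!!
"""

MASK = "******"


def password_variables(script_text):
    """Return the names of variables declared with the 'password' type."""
    names = set()
    in_block = False
    for line in script_text.splitlines():
        if line.strip() == "Script-Variables:":
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s*\$(\w+)\s+(\w+)\s*$", line)
            if not m:
                in_block = False  # the block ends at the first non-variable line
                continue
            if m.group(2).lower() == "password":
                names.add(m.group(1))
    return names


def process_log_entry(runtime_values, secret_names, mask=MASK):
    """Render the Script-Variables block as the thread's process log shows it."""
    lines = ["+++ [Script-Variables]"]
    for name, value in runtime_values.items():
        shown = mask if name in secret_names else value
        lines.append(f"+++   ${name.lower()} = '{shown}'")
    return "\n".join(lines)


def redact_log(log_text, runtime_values, secret_names, mask=MASK):
    """Mask every occurrence of a password variable's runtime value."""
    out = log_text
    # Longest values first, so a short secret that is a substring of a longer
    # one cannot leave a partial fragment of the longer one behind.
    ordered = sorted(secret_names, key=lambda n: -len(runtime_values.get(n, "")))
    for name in ordered:
        value = runtime_values.get(name)
        if value:
            out = out.replace(value, mask)
    return out


if __name__ == "__main__":
    secrets = password_variables(CCS_SCRIPT)
    print(process_log_entry(RUNTIME_VALUES, secrets))
    print(redact_log(SESSION_LOG, RUNTIME_VALUES, secrets))
```

The substring mask only catches a secret the device echoes verbatim; a device that wraps, truncates or re-encodes the value will still leak it, which is why the reply above is right that the session log cannot be fully protected from the NetMRI side.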

 

 
