(In)securing your daemon.raw with nsr_render_log -z

As you may know, the jump from NetWorker 7.3 to 7.4 saw the introduction of a language/locale-neutral log format in NetWorker, referred to as “raw” format. The primary purpose of this format is to allow logs to be generated by NetWorker that can then be rendered into a support-addressable language for EMC.

One of the options for nsr_render_log is “-z”, which according to the man page:

-z   Obfuscate secure information. Hostnames, usernames and network
     addresses shall be aliased.

In theory, this replaces hostnames with neutral hostnames – e.g., the backup server gets renamed to ‘host1’.

If you’re relying on nsr_render_log to totally mask your site details, don’t. You still need to manually review the file and determine whether there are any references to hostnames, usernames, etc., that need to be modified.

Here are a few examples of where details aren’t aliased:

  • Index paths in initial startup of the NetWorker server.
  • License count details in initial startup of the NetWorker server.
  • Entries of the form client:Saveset Name when referencing savesets starting, stopping, etc. This includes the server hostname, which “-z” mainly seems to be trying to masquerade (e.g., you’ll get lines like: ‘host1 nsrd cerberus:index:mars’).
  • The infamous “NSR peer information” entries.
  • Usernames in the entries logged when users browse for recoveries and complete recoveries.

While I don’t normally like to poke sticks at NetWorker, this isn’t a good implementation of security. Security by obfuscation never is, but if you say you’re going to hide hostnames and usernames, you should at least make every effort to do just that. In fact, using the Australian vernacular, this is a very half arsed implementation of an advertised feature.

In short, if you need to completely “secure” your daemon.raw output before sending it to your support provider, don’t rely on -z, but instead do a manual search and replace.

As a starting point, you may want to consider a procedure such as:

  1. Using nsradmin, extract a list of all client names.
  2. Search and replace each client name with an arbitrary name in the daemon.raw file.
  3. Search for “done browsing” and extract the unique usernames.
  4. Map those unique usernames to arbitrary usernames, and search and replace in the daemon.raw file.

That likely won’t replace everything, but it will give you a good starting point.
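A sketch of steps 2 to 4 in Python, added here as an illustration and not part of the original post or of NetWorker. It assumes the client list from step 1 is already in hand, and that browsing entries look like "user@host done browsing"; that format and all sample lines other than the first are constructed.

```python
import re

# Constructed sample; the first line is the example quoted in the post.
SAMPLE_LOG = [
    "host1 nsrd cerberus:index:mars",
    "host1 nsrd mars-db:/data saveset started",
    "host1 nsrd jsmith@mars done browsing",
    "host1 nsrd marshal: unrelated text",
]
CLIENTS = ["cerberus", "mars", "mars-db"]  # step 1 output, e.g. from nsradmin

def build_aliases(names, prefix):
    """Map each real name to prefix+N in sorted order, so reruns are stable."""
    unique = sorted({n.lower() for n in names if n})
    return {name: f"{prefix}{i}" for i, name in enumerate(unique, 1)}

def find_browse_users(lines):
    """Step 3. Assumes entries look like 'user@host done browsing'."""
    pat = re.compile(r"([^\s@]+)@\S+\s+done browsing")
    return {m.group(1) for line in lines for m in pat.finditer(line)}

def scrub(lines, aliases):
    """Steps 2 and 4: replace whole tokens only, longest names first."""
    if not aliases:
        return list(lines)
    alt = "|".join(re.escape(n) for n in sorted(aliases, key=len, reverse=True))
    pat = re.compile(rf"(?<![A-Za-z0-9_-])(?:{alt})(?![A-Za-z0-9_-])", re.I)
    return [pat.sub(lambda m: aliases[m.group(0).lower()], ln) for ln in lines]

def residual(lines, names):
    """Lines that still contain a real name as a substring: review by hand."""
    low = [n.lower() for n in names]
    return [ln for ln in lines if any(n in ln.lower() for n in low)]

def sanitize(lines, clients):
    aliases = build_aliases(clients, "client")
    aliases.update(build_aliases(find_browse_users(lines), "user"))
    cleaned = scrub(lines, aliases)
    return cleaned, aliases, residual(cleaned, aliases)

if __name__ == "__main__":
    cleaned, aliases, review = sanitize(SAMPLE_LOG, CLIENTS)
    print("\n".join(cleaned))
    print("review by hand:", review)
```

Keep the returned alias map private so that anything your support provider says about “client2” can be traced back to the real host.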
