You may recall that in an earlier article, “(In)securing your logs using nsr_render_log -z”, I pointed out that the “-z” option, advertised as capable of obfuscating host and user details to make the log truly anonymous, did, at best, an extremely poor job of doing so and should be considered untrustworthy.

As a result of the discussions I had with EMC support over this, NetWorker 7.6 has seen the “-z” option removed from the man page as an option. Disappointingly, it remains available as a command line option, meaning you can still run:

# nsr_render_log -z /nsr/logs/daemon.raw

Why is this disappointing? Because it’s still entirely insecure. For example, after running it against my daemon.raw file on a lab server, I’ve got lines like:

...host1 nsrjobd SYSTEM error: remote exec problem for command `nsrcheckbackup.sh -s nox 
-g archon -c archon / /Volumes/TARDIS/Yojimbo /Volumes/Yu': No route to host
...host1 savegrp archon: error occured during probing; could not execute probe job
...host1 nsrd savegroup failure alert: archon: error occured during probing; could not execute probe job
...host1 nsrd runq: NSR group archon exited with return code 21.
...host1 nsrd savegroup info: aralathan is probing

Furthermore, NetWorker startups will still reveal hostnames in the licensed host list, etc.

As such, despite the fact that the -z option is still available within nsr_render_log, my original recommendation remains: don’t use it, don’t rely on it, and if you need to secure (obfuscate) your daemon log, do it manually.


As you may know, the jump from NetWorker 7.3 to 7.4 saw the introduction of a language/locale-neutral log format in NetWorker, referred to as “raw” format. The primary purpose of this format is to allow logs to be generated by NetWorker that can then be rendered into a support-addressable language for EMC.

One of the options for nsr_render_log is “-z”, which according to the man page:

-z   Obfuscate secure information. Hostnames, usernames and network
     addresses shall be aliased.

In theory, this replaces hostnames with neutral hostnames – e.g., the backup server gets renamed to ‘host1’.

If you’re relying on nsr_render_log to totally mask your site details, don’t. You still need to manually review the file and determine whether there are any references to hostnames, usernames, etc., that need to be modified.

Here are a few examples of where details aren’t aliased:

  • Index paths in initial startup of the NetWorker server.
  • License count details in initial startup of the NetWorker server.
  • Entries of the form client:Saveset Name when referencing savesets starting, stopping, etc. This includes the server hostname, which “-z” mainly seems to be trying to masquerade (e.g., you’ll get lines like: ‘host1 nsrd cerberus:index:mars’).
  • The infamous “NSR peer information” entries.
  • Usernames in entries for browsing for recoveries and completing recoveries.

While I don’t normally like to poke sticks at NetWorker, this isn’t a good implementation of security. Security by obfuscation never is, but if you say you’re going to hide hostnames and usernames, you should at least make every effort to do just that. In fact, using the Australian vernacular, this is a very half-arsed implementation of an advertised feature.

In short, if you need to completely “secure” your daemon.raw output before sending it to your support provider, don’t rely on -z, but instead do a manual search and replace.

As a starting point, you may want to consider a procedure such as:

  1. Using nsradmin, extract a list of all client names.
  2. Search and replace each client name with an arbitrary name in the daemon.raw file.
  3. Search for “done browsing” and extract the unique usernames.
  4. Map those unique usernames to arbitrary usernames, and search and replace in the daemon.raw file.

That is unlikely to replace everything, but it will give you a good starting point.
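The four steps above as a script, added here as an example; it is not code from the original article or from NetWorker. It assumes the client list has already been pulled out of nsradmin, works on log text you pass in, and guesses the layout of the “done browsing” line; all function names are hypothetical. It finishes with a leftover check, since the point of the exercise is proving that no original name survived.

```python
import re

# Lines 1-3 are quoted from the article; line 4 is CONSTRUCTED, and its layout
# ("User <name> on <host> is done browsing") is an assumption to adjust.
SAMPLE = """\
host1 nsrd runq: NSR group archon exited with return code 21.
host1 nsrd savegroup info: aralathan is probing
host1 nsrd cerberus:index:mars
host1 nsrd User jsmith on archon.lab.example is done browsing
"""

def build_aliases(names, prefix):
    """Map each distinct name (case-insensitive) to prefix1, prefix2, ..."""
    aliases = {}
    for name in names:
        aliases.setdefault(name.lower(), f"{prefix}{len(aliases) + 1}")
    return aliases

def browsing_users(text, pattern=r"\bUser (\S+) on \S+ is done browsing"):
    """Step 3: usernames from 'done browsing' lines (pattern is an assumption)."""
    return [m.group(1) for m in re.finditer(pattern, text)]

def scrub(text, aliases):
    """Steps 2 and 4: replace mapped names as whole tokens, longest first."""
    if not aliases:
        return text
    ordered = sorted(aliases, key=len, reverse=True)  # FQDN before short name
    rx = re.compile(r"(?<![\w-])(?:%s)(?![\w-])" % "|".join(map(re.escape, ordered)),
                    re.IGNORECASE)
    return rx.sub(lambda m: aliases[m.group(0).lower()], text)

def leftovers(text, names):
    """Final check: original names still present, even inside longer words."""
    lowered = text.lower()
    return sorted({n.lower() for n in names if n.lower() in lowered})

def anonymise(text, client_names):
    """Run the four steps; return scrubbed text, the mapping, and any leftovers."""
    users = browsing_users(text)
    mapping = {**build_aliases(client_names, "client"), **build_aliases(users, "user")}
    cleaned = scrub(text, mapping)
    return cleaned, mapping, leftovers(cleaned, list(client_names) + users)

if __name__ == "__main__":
    # Client list as it might come out of nsradmin (step 1), typed in by hand here.
    clients = ["archon", "archon.lab.example", "aralathan", "cerberus", "mars"]
    cleaned, mapping, remaining = anonymise(SAMPLE, clients)
    print(cleaned, mapping, remaining, sep="\n")
```

Keep the returned mapping on your side so you can translate the support provider’s reply back to real names, and treat a non-empty leftover list as a reason to review the file by hand before sending it.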

© 2012 The NetWorker Blog