You may recall that in an earlier article, “(In)securing your logs using nsr_render_log -z”, I pointed out that the “-z” option, advertised as capable of obfuscating host and user details to make the log truly anonymous, did at best an extremely poor job of doing so and should be considered untrustworthy.
As a result of the discussions I had with EMC support over this, NetWorker 7.6 has seen the “-z” option removed from the man page. Disappointingly, it remains available as a command line option, meaning you can still run:
# nsr_render_log -z /nsr/logs/daemon.raw
Why is this disappointing? Because it’s still entirely insecure. For example, after running it against my daemon.raw file on a lab server, I’ve got lines like:
...host1 nsrjobd SYSTEM error: remote exec problem for command `nsrcheckbackup.sh -s nox -g archon -c archon / /Volumes/TARDIS/Yojimbo /Volumes/Yu': No route to host
...host1 savegrp archon: error occured during probing; could not execute probe job
...host1 nsrd savegroup failure alert: archon: error occured during probing; could not execute probe job
...host1 nsrd runq: NSR group archon exited with return code 21.
...host1 nsrd savegroup info: aralathan is probing
Furthermore, NetWorker startups will still reveal hostnames in the licensed host list, etc.
As such, despite the fact that the -z option is still available within nsr_render_log, my original recommendation remains: don’t use it, don’t rely on it, and if you need to secure (obfuscate) your daemon log, do it manually.
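One way to do the manual obfuscation recommended above, as an added example (not code from this article or from NetWorker): it masks an operator-supplied list of names wherever they appear in the rendered text, including message bodies and paths, and reports anything left over. The function names, the pseudonym format and the name list are assumptions; the sample is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the rendered daemon.raw lines quoted above.
SAMPLE = (
    "...host1 nsrjobd SYSTEM error: remote exec problem for command "
    "`nsrcheckbackup.sh -s nox -g archon -c archon / /Volumes/TARDIS/Yojimbo': "
    "No route to host\n"
    "...host1 savegrp archon: error occured during probing; could not execute probe job\n"
    "...host1 nsrd savegroup info: aralathan is probing\n"
)

def build_sanitizer(names, prefix="name"):
    """Return (sanitize, mapping): every listed name maps to one stable pseudonym."""
    unique = list(dict.fromkeys(n.lower() for n in names if n))
    if not unique:
        raise ValueError("supply at least one name to mask")
    mapping = {n: f"{prefix}{i:03d}" for i, n in enumerate(unique, 1)}
    # Longest first so "archon.lab" is masked whole rather than as "<pseudonym>.lab".
    alternation = "|".join(re.escape(n) for n in sorted(unique, key=len, reverse=True))
    # Match whole tokens only: no letter, digit, "_" or "-" on either side.
    pattern = re.compile(rf"(?<![\w-])(?:{alternation})(?![\w-])", re.IGNORECASE)

    def sanitize(text):
        return pattern.sub(lambda m: mapping[m.group(0).lower()], text)

    return sanitize, mapping

def residual(text, names):
    """Names still present anywhere, even inside longer tokens, for manual review."""
    lowered = text.lower()
    return sorted({n.lower() for n in names if n and n.lower() in lowered})

if __name__ == "__main__":
    names = ["nox", "archon", "aralathan", "TARDIS", "Yojimbo"]  # operator-supplied
    sanitize, mapping = build_sanitizer(names)
    cleaned = sanitize(SAMPLE)
    print(cleaned)
    print("left for review:", residual(cleaned, names))
```

Because each name always maps to the same pseudonym, the sanitized log still shows which events belong to the same client or group; the mapping itself is as sensitive as the original log and should not travel with it.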
Yes, or you could write your own script that obfuscates for you… here is a sampling:
http://www.briandgoad.com/blog/2010/03/24/sanitize-obfuscate-networker-logs-like-daemon-raw/
Hi Brian,
Thanks for posting! I had looked at doing something in Perl but found myself constantly distracted. (I also wanted to write it as a standalone option which would have lost me all the functions I’ve accumulated in IDATA Tools – something which added to my distraction around it…)
Cheers,
Preston.