{"id":507,"date":"2009-06-04T05:47:11","date_gmt":"2009-06-03T19:47:11","guid":{"rendered":"http:\/\/nsrd.wordpress.com\/?p=507"},"modified":"2009-06-04T05:47:11","modified_gmt":"2009-06-03T19:47:11","slug":"insecuring-your-daemon-raw-with-nsr_render_log-z","status":"publish","type":"post","link":"https:\/\/nsrd.info\/blog\/2009\/06\/04\/insecuring-your-daemon-raw-with-nsr_render_log-z\/","title":{"rendered":"(In)securing your daemon.raw with nsr_render_log -z"},"content":{"rendered":"<p>As you may know, the jump from NetWorker 7.3 to 7.4 saw the introduction of a language\/locale-neutral log format in NetWorker, referred to as &#8220;raw&#8221; format. The primary purpose of this format is to allow logs to be generated by NetWorker that can then be rendered into a support-addressable language for EMC.<\/p>\n<p>One of the options for nsr_render_log is &#8220;-z&#8221;, which according to the man page:<\/p>\n<pre>-z\u00a0\u00a0 Obfuscate secure information. Hostnames, usernames and network\n     addresses shall be aliased.<\/pre>\n<p>In theory, this replaces hostnames with neutral hostnames &#8211; e.g., the backup server gets renamed to &#8216;host1&#8217;.<\/p>\n<p>If you&#8217;re relying on nsr_render_log to <em>totally<\/em> mask your site details, <strong><em>don&#8217;t<\/em><\/strong>. You still need to manually review the file and determine whether there are any references to hostnames, usernames, etc., that need to be modified.<\/p>\n<p>Here&#8217;s a few examples of where details aren&#8217;t aliased:<\/p>\n<ul>\n<li>Index paths in initial startup of the NetWorker server.<\/li>\n<li>License count details in initial startup of the NetWorker server.<\/li>\n<li>Entries of the form <em>client:Saveset Name<\/em> when referencing savesets starting, stopping, etc. This includes the server hostname, which &#8220;-z&#8221; mainly seems to be trying to masquerade (e.g., you&#8217;ll get lines like: &#8216;host1 nsrd cerberus:index:mars&#8217;).<\/li>\n<li>The infamous <a title=\"Fixing NSR peer information errors\" href=\"https:\/\/nsrd.info\/blog\/2009\/02\/23\/basics-fixing-nsr-peer-information-errors\/\" target=\"_blank\">&#8220;NSR peer information&#8221;<\/a> entries.<\/li>\n<li>Usernames from browsing for browsing recoveries and completing recoveries.<\/li>\n<\/ul>\n<p>While I don&#8217;t normally like to poke sticks at NetWorker, this isn&#8217;t a good implementation of security. Security by obfuscation never is, but if you say you&#8217;re going to hide hostnames and usernames, you should at least make every effort to do just that. In fact, using the Australian vernacular, this is a very <em>half arsed<\/em> implementation of an advertised feature.<\/p>\n<p>In short, if you&#8217;re needing to completely &#8220;secure&#8221; your daemon.raw output before sending to your support provider, <em>don&#8217;t<\/em> rely on -z, but instead do a manual search and replace.<\/p>\n<p>As a starting point, you may want to consider a procedure such as:<\/p>\n<ol>\n<li>Using nsradmin, extract a list of all client names.<\/li>\n<li>Search and replace each client name with an arbitrary name in the daemon.raw file.<\/li>\n<li>Search for &#8220;done browsing&#8221; and extract the unique usernames.<\/li>\n<li>Map those unique usernames to arbitrary usernames, and search and replace in the daemon.raw file.<\/li>\n<\/ol>\n<p>That will not likely replace <em>everything<\/em>, but will give you a good starting point.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As you may know, the jump from NetWorker 7.3 to 7.4 saw the introduction of a language\/locale-neutral log format in&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[16,21],"tags":[682],"class_list":["post-507","post","type-post","status-publish","format-standard","hentry","category-networker","category-security","tag-nsr_render_log"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pKpIN-8b","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/comments?post=507"}],"version-history":[{"count":0,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/507\/revisions"}],"wp:attachment":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media?parent=507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/categories?post=507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/tags?post=507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}