Rodo Bibi | 1 Mar 14:59 2010

[rancid] fortigate issues

Hey rancid community


I am working with fortigate 1000A and I have 2 issues I am sure you can help me with.

At each rancid backup I receive an email with configuration changes.

First problem:

retrieving revision 1.1969
diff -U 4 -r1.1969 fortifw
<at> <at> -51,9 +51,9 <at> <at>
      set daily-restart disable
      set detection-summary enable
      set dst enable
      set failtime 5
-      set fds-statistics enable
+    set fds-statistics enable
      set forticlient-portal-port 8009
      set fsae-burst-size 300
      set fsae-rate-limit 100
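Review bot: the '-' and '+' lines differ only in leading whitespace (six spaces versus four), so this hunk records no configuration change at all; either compare with whitespace ignored or have the collector re-indent the dump from its own config/edit/next/end nesting before committing, and treat indentation that drifts between two otherwise identical dumps as a collector symptom rather than a device change.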

See, the set fds-statistics enable is removed then added. How can I get rid of this?


Second problem:

The display of the private key changes at each backup:

+         set private-key "-----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
- DEK-Info: DES-EDE3-CBC,3C07324ADB7623412
- M1/T1PrO+n8oX1E2Fks46mI6zF3R99g3ulhR9jfXi1zdjYrfEfmz8eIbV0lrECoo
- P6DKRBUUJw9p4OPitm1XpIG5SXQSLWjV9GOWeFhsiAWDZrnONzWSkuiunXxu3W3D
- BIw4fCC+HXRs1wUHhTf0XWzpbO0pmWfHWcCv8D3jKLXdchGI/5jKyfsVAgv5TT6Q
- A40sI463M4xBl2RzNBNvxSF1yrpDdA454W0B4y8uSHLQg0Q94fGiprLpUO9S2NFI
- QUKJGqAhNrwGbFCmm7NQxeEbdbJnzJ77rxYjm3+VQaEsPkuKU32DgQTP1uJIxTeB
- WM8F30XrOqj6/esxqqL8TZl4uYySJZtR2SVjlhdVlg7zCQSZV3ZbgK7zR5lT3+aK
- rUGg3DEiA8ajHxv44QsUutwhSrubreCkaHkRI1VxZpeOroa2x6t8bN/XcvPCWQEo
- Y1yXEn7iR3LZxbE5retft+UBhcBs0Xm55vBMGeyNhzkalQveSJ1Bn7A5lLrII8Hy
- YlozkgkbzsRsWNFQKFUWGNQR56432IHGWOVDSBQGE5py0Wk1qq+bOQq5T
- ySWSKQDdDv3rS2OU3aulmcXvzs+pmLqYHQG6m8vQm0/7EhKEKa2UK2M5Nx4SOLdI
- 94iOYWFrJ5SJcIgA3TKaQVpHTEjsSncPVlUu4sBxm3kTQOK5bE52aw==
+ DEK-Info: DES-EDE3-CBC,B69D648DD9C5C8D 
+ bAAaqPBUPN3p3MkBtkfZ9rCk18Fda5hppgZbInsTBioCajUeewzXOFqLsPBmP4qD
+ oKakQ9QAt9d4W7SYmRvSWM7kWluOlQDXYOX3NImoYYmF/iCP6sS+mopih5PAy4na
+ 9Jxe5m5Cb6USdafrSjHqaOQjlXOIGo7vCvs3LyXOhBA2mw1QTJyYPK5ZDiqx+edt
+ Qqs4EIF8PgzSug2yQmkXu1YeuLaUtpnVu6g7koY3ugeznEJe7qUR15EvYW/VI3eg
+ xKTmqk95+oNEySR+WcKajv59u01j6FoaD0ALN5rJEVv1AlG0NJryjIlevW1AGVUw
+ tXG2HJz0zmFX99hIV7RMntZIez2cw+VaojLluHlTdngI9y7LemoLQPrxwKjwCV0+
+ U3waJhpKV2bFjfqhbcuahifjAFIFA8ghhfbuzfq/y7O8yD25fSE22fU
+ F0+8ehuNv2M13gATPhUrNtQDo0wSzPaO//Bpei+QT1ulVSMQGveVkVdRH1wHWvPg
+ AzDVi/HmsVvZa0SBKwuZP4WnVdfuiIyX0frWpGirltPny9BkuM3GSBsa2Oz/f2XS
+ OEVW1xUT+WFUc55x7rVDvy8WPFSUYL7hFQDJmr2VZC2QJi1W2jVcsAcaAswDo3RE
+ +3vjawQ1S/p5Sh2UX1XCel+HP5X9mR/3HlPV1EsZ9rwz9mnl2GhQYQ==
  -----END RSA PRIVATE KEY-----"
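Review bot: inside this block only the DEK-Info line and the base64 body after it differ; Proc-Type and the END marker are unchanged context. The hex after DES-EDE3-CBC is the IV of the PEM encryption, so a fresh IV yields a different ciphertext even when the key itself is unchanged, and no single-line match can suppress it: the filter has to drop everything from `set private-key "` to the closing quote. Note also that the tenth base64 line of both versions is shorter than the 64-character lines around it, the same symptom as a command split by a line feed, so either the device output or the archived copy lost characters there and the key as stored would not decode.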
 
I would love to remove everything " " and display set private-key " *** removed *** ".

Thanks
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss <at> shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Diego Ercolani | 1 Mar 16:22 2010

[rancid] Re: fortigate issues

I had your issue today; I solved it by rebooting the fortigate 
appliance....
rancid (with my patches) simply asks the fortinet for a dump of the configuration 
without beautifying or indenting the configuration dump.
For the certificate/private key and others, you have to modify the source, 
removing multiline things....
The main loop where these things are done starts at line 176 of fnrancid, but 
as you see it's very simple and removes only the one-line things matching a tag 
on the line. You have to create a more sophisticated implementation subroutine 
that processes multiline input at a time and manages exceptions.

In the same loop I think it's possible to manage issues like extra spaces added, 
but what I saw in my situation today is that sometimes the fortigate gives the 
configuration with commands broken by a line feed without any kind of rule, 
e.g. I saw something like:

retrieving revision 1.1969
diff -U 4 -r1.1969 fortifw
 <at>  <at>  -51,9 +51,9  <at>  <at> 
      set daily-restart disable
      set detection-summary enable
      set dst enable
      set failtime 5
-      set fds-statistics enable
+    set fds-stat
+      istics enable
      set forticlient-portal-port 8009
      set fsae-burst-size 300
      set fsae-rate-limit 100
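Review bot: here the '+' side is one command split across two lines with the break inside the token fds-statistics, which no whitespace normalisation absorbs; a line that does not begin with config/edit/set/unset/next/end is a continuation, and the collector should either rejoin it to the previous line or fail the run and keep the last good revision, since a dump with commands broken mid-token is not a usable backup.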

...this isn't foreseeable, don't you think?

On Monday 1 March 2010 14:59:56, Rodo Bibi wrote:
> Hey rancid community
> 
> I am working with fortigate 1000A and I have 2 issues I am sure you can
> help me with.
> 
> At each rancid backup I receive an email with configuration changes.
> 
> First problem:
> 
> retrieving revision 1.1969
> diff -U 4 -r1.1969 fortifw
>  <at>  <at>  -51,9 +51,9  <at>  <at> 
>       set daily-restart disable
>       set detection-summary enable
>       set dst enable
>       set failtime 5
> -      set fds-statistics enable
> +    set fds-statistics enable
>       set forticlient-portal-port 8009
>       set fsae-burst-size 300
>       set fsae-rate-limit 100
> 
> See, the set fds-statistics enable is removed then added. How can I get rid
> of this?
> 
> 
> Second problem:
> 
> The display of the private key changes at each backup:
> 
> +         set private-key "-----BEGIN RSA PRIVATE KEY-----
>   Proc-Type: 4,ENCRYPTED
> - DEK-Info: DES-EDE3-CBC,3C07324ADB7623412
> - M1/T1PrO+n8oX1E2Fks46mI6zF3R99g3ulhR9jfXi1zdjYrfEfmz8eIbV0lrECoo
> - P6DKRBUUJw9p4OPitm1XpIG5SXQSLWjV9GOWeFhsiAWDZrnONzWSkuiunXxu3W3D
> - BIw4fCC+HXRs1wUHhTf0XWzpbO0pmWfHWcCv8D3jKLXdchGI/5jKyfsVAgv5TT6Q
> - A40sI463M4xBl2RzNBNvxSF1yrpDdA454W0B4y8uSHLQg0Q94fGiprLpUO9S2NFI
> - QUKJGqAhNrwGbFCmm7NQxeEbdbJnzJ77rxYjm3+VQaEsPkuKU32DgQTP1uJIxTeB
> - WM8F30XrOqj6/esxqqL8TZl4uYySJZtR2SVjlhdVlg7zCQSZV3ZbgK7zR5lT3+aK
> - rUGg3DEiA8ajHxv44QsUutwhSrubreCkaHkRI1VxZpeOroa2x6t8bN/XcvPCWQEo
> - Y1yXEn7iR3LZxbE5retft+UBhcBs0Xm55vBMGeyNhzkalQveSJ1Bn7A5lLrII8Hy
> - YlozkgkbzsRsWNFQKFUWGNQR56432IHGWOVDSBQGE5py0Wk1qq+bOQq5T
> - ySWSKQDdDv3rS2OU3aulmcXvzs+pmLqYHQG6m8vQm0/7EhKEKa2UK2M5Nx4SOLdI
> - 94iOYWFrJ5SJcIgA3TKaQVpHTEjsSncPVlUu4sBxm3kTQOK5bE52aw==
> + DEK-Info: DES-EDE3-CBC,B69D648DD9C5C8D
> + bAAaqPBUPN3p3MkBtkfZ9rCk18Fda5hppgZbInsTBioCajUeewzXOFqLsPBmP4qD
> + oKakQ9QAt9d4W7SYmRvSWM7kWluOlQDXYOX3NImoYYmF/iCP6sS+mopih5PAy4na
> + 9Jxe5m5Cb6USdafrSjHqaOQjlXOIGo7vCvs3LyXOhBA2mw1QTJyYPK5ZDiqx+edt
> + Qqs4EIF8PgzSug2yQmkXu1YeuLaUtpnVu6g7koY3ugeznEJe7qUR15EvYW/VI3eg
> + xKTmqk95+oNEySR+WcKajv59u01j6FoaD0ALN5rJEVv1AlG0NJryjIlevW1AGVUw
> + tXG2HJz0zmFX99hIV7RMntZIez2cw+VaojLluHlTdngI9y7LemoLQPrxwKjwCV0+
> + U3waJhpKV2bFjfqhbcuahifjAFIFA8ghhfbuzfq/y7O8yD25fSE22fU
> + F0+8ehuNv2M13gATPhUrNtQDo0wSzPaO//Bpei+QT1ulVSMQGveVkVdRH1wHWvPg
> + AzDVi/HmsVvZa0SBKwuZP4WnVdfuiIyX0frWpGirltPny9BkuM3GSBsa2Oz/f2XS
> + OEVW1xUT+WFUc55x7rVDvy8WPFSUYL7hFQDJmr2VZC2QJi1W2jVcsAcaAswDo3RE
> + +3vjawQ1S/p5Sh2UX1XCel+HP5X9mR/3HlPV1EsZ9rwz9mnl2GhQYQ==
>   -----END RSA PRIVATE KEY-----"
> 
> I would love to remove everything " " and display set private-key " ***
> removed *** ".
> 
> Thanks
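A stand-alone illustration of the filter Diego describes (an added example, not fnrancid's own Perl code, written in Python rather than Perl): it re-indents the dump from its config/edit/next/end nesting so whitespace drift disappears, rejoins a command the pager split, keeps certificate bodies verbatim, and replaces the whole multi-line `set private-key` value with the placeholder Rodo asks for. The two sample dumps, their config paths and the PEM bodies are constructed.

```python
import re

# Keys whose quoted value (possibly spanning many lines) is replaced by a
# placeholder so the secret never reaches the diff mail or the repository.
REDACT_KEYS = {"private-key"}
# Words that begin a FortiOS config line; any other first word means the
# dump was broken mid-command and the line is a continuation.
KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}
INDENT = "    "


def normalize_fortios(dump):
    """Canonical form of a FortiOS dump: re-indented from the config/edit/
    next/end nesting instead of the device's whitespace, pager-split lines
    rejoined, other multi-line quoted values (certificates) kept verbatim,
    and the values of REDACT_KEYS replaced by a placeholder."""
    out, depth = [], 0
    in_quote = redacting = False
    for raw in dump.splitlines():
        if in_quote:
            # Inside a multi-line quoted value: copy it through unless it
            # belongs to a redacted key; an odd number of quotes closes it.
            if not redacting:
                out.append(raw.rstrip())
            if raw.count('"') % 2 == 1:
                in_quote = redacting = False
            continue
        line = raw.strip()
        if not line:
            continue
        word = line.split(None, 1)[0]
        if word not in KEYWORDS:
            # Continuation of a command the pager split ("set fds-stat" +
            # "istics enable").  Heuristic: a break that fell exactly on a
            # space cannot be told apart, so also fix the pager on the device.
            if out:
                out[-1] += line
            continue
        if word in ("next", "end"):
            depth = max(depth - 1, 0)
        m = re.match(r'set\s+(\S+)\s+"', line)
        if m and m.group(1) in REDACT_KEYS:
            line = 'set %s " *** removed *** "' % m.group(1)
            if raw.count('"') % 2 == 1:   # value continues on later lines
                in_quote = redacting = True
        elif raw.count('"') % 2 == 1:
            in_quote = True               # e.g. a certificate body
        out.append(INDENT * depth + line)
        if word in ("config", "edit"):
            depth += 1
    return "\n".join(out) + "\n"


def diff_is_clean(dump_a, dump_b):
    """True when two dumps normalise to the same text, i.e. rancid would
    have nothing to commit or mail for them."""
    return normalize_fortios(dump_a) == normalize_fortios(dump_b)


# Constructed sample: one configuration as the device might emit it on two
# consecutive runs.  Run B has indentation drift, a command split by the pager
# and a key re-encrypted under a fresh DEK-Info IV (PEM bodies are fake).
DUMP_A = """\
config system global
      set daily-restart disable
      set fds-statistics enable
end
config vpn certificate local
    edit "Fortinet_Factory"
        set certificate "-----BEGIN CERTIFICATE-----
MIIBfakeCertificateBody
-----END CERTIFICATE-----"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF
fakeEncryptedKeyBodyA==
-----END RSA PRIVATE KEY-----"
    next
end
"""
DUMP_B = DUMP_A.replace(
    "      set fds-statistics enable", "    set fds-stat\n      istics enable"
).replace("0123456789ABCDEF\nfakeEncryptedKeyBodyA==",
          "FEDCBA9876543210\nfakeEncryptedKeyBodyB==")

if __name__ == "__main__":
    print(normalize_fortios(DUMP_B), end="")
    print("identical after normalisation:", diff_is_clean(DUMP_A, DUMP_B))
```

Running it prints the canonical dump for run B, with the private key reduced to the placeholder, followed by `identical after normalisation: True`.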
Stephen Flanagan | 1 Mar 16:43 2010

[rancid] Extreme Xos issues

Has anyone been able to make the configuration file on an XOS switch work with the missing EOF marker? I am having trouble getting it to work.

 

 

Henrik | 1 Mar 11:13 2010

[rancid] Extreme networks

Hi!

I can't get my extreme networks switches to work with tacacs+

When I get into the switch I only get USER status

Is there something I have missed?

Grateful for help

Attachment (winmail.dat): application/ms-tnef, 4576 bytes
john heasley | 1 Mar 19:01 2010

[rancid] Re: fortigate issues

Mon, Mar 01, 2010 at 04:22:29PM +0100, Diego Ercolani:
> I had your issue today; I solved it by rebooting the fortigate 
> appliance....
> rancid (with my patches) simply asks the fortinet for a dump of the configuration 
> without beautifying or indenting the configuration dump.
> For the certificate/private key and others, you have to modify the source, 
> removing multiline things....
> The main loop where these things are done starts at line 176 of fnrancid, but 
> as you see it's very simple and removes only the one-line things matching a tag 
> on the line. You have to create a more sophisticated implementation subroutine 
> that processes multiline input at a time and manages exceptions.
> 
> In the same loop I think it's possible to manage issues like extra spaces added, 
> but what I saw in my situation today is that sometimes the fortigate gives the 
> configuration with commands broken by a line feed without any kind of rule, 
> e.g. I saw something like:
> 
> retrieving revision 1.1969
> diff -U 4 -r1.1969 fortifw
>  <at>  <at>  -51,9 +51,9  <at>  <at> 
>       set daily-restart disable
>       set detection-summary enable
>       set dst enable
>       set failtime 5
> -      set fds-statistics enable
> +    set fds-stat
> +      istics enable
>       set forticlient-portal-port 8009
>       set fsae-burst-size 300
>       set fsae-rate-limit 100

most likely a side effect of the pager.  nlogin uses 'set console page 0'
to disable the pager.  does this command not work on the fortigate?

> ...this isn't foreseeable, don't you think?
> 
> On Monday 1 March 2010 14:59:56, Rodo Bibi wrote:
> > Hey rancid community
> > 
> > I am working with fortigate 1000A and I have 2 issues I am sure you can
> > help me with.
> > 
> > At each rancid backup I receive an email with configuration changes.
> > 
> > First problem:
> > 
> > retrieving revision 1.1969
> > diff -U 4 -r1.1969 fortifw
> >  <at>  <at>  -51,9 +51,9  <at>  <at> 
> >       set daily-restart disable
> >       set detection-summary enable
> >       set dst enable
> >       set failtime 5
> > -      set fds-statistics enable
> > +    set fds-statistics enable
> >       set forticlient-portal-port 8009
> >       set fsae-burst-size 300
> >       set fsae-rate-limit 100
> > 
> > See, the set fds-statistics enable is removed then added. How can I get rid
> > of this?
> > 
> > 
> > Second problem:
> > 
> > The display of the private key changes at each backup:

one would think that key should be static.  maybe it rekeys on some
schedule?  what is it used for?  are there multiple private keys in
the config?

> > +         set private-key "-----BEGIN RSA PRIVATE KEY-----
> >   Proc-Type: 4,ENCRYPTED
> > - DEK-Info: DES-EDE3-CBC,3C07324ADB7623412
> > - M1/T1PrO+n8oX1E2Fks46mI6zF3R99g3ulhR9jfXi1zdjYrfEfmz8eIbV0lrECoo
> > - P6DKRBUUJw9p4OPitm1XpIG5SXQSLWjV9GOWeFhsiAWDZrnONzWSkuiunXxu3W3D
> > - BIw4fCC+HXRs1wUHhTf0XWzpbO0pmWfHWcCv8D3jKLXdchGI/5jKyfsVAgv5TT6Q
> > - A40sI463M4xBl2RzNBNvxSF1yrpDdA454W0B4y8uSHLQg0Q94fGiprLpUO9S2NFI
> > - QUKJGqAhNrwGbFCmm7NQxeEbdbJnzJ77rxYjm3+VQaEsPkuKU32DgQTP1uJIxTeB
> > - WM8F30XrOqj6/esxqqL8TZl4uYySJZtR2SVjlhdVlg7zCQSZV3ZbgK7zR5lT3+aK
> > - rUGg3DEiA8ajHxv44QsUutwhSrubreCkaHkRI1VxZpeOroa2x6t8bN/XcvPCWQEo
> > - Y1yXEn7iR3LZxbE5retft+UBhcBs0Xm55vBMGeyNhzkalQveSJ1Bn7A5lLrII8Hy
> > - YlozkgkbzsRsWNFQKFUWGNQR56432IHGWOVDSBQGE5py0Wk1qq+bOQq5T
> > - ySWSKQDdDv3rS2OU3aulmcXvzs+pmLqYHQG6m8vQm0/7EhKEKa2UK2M5Nx4SOLdI
> > - 94iOYWFrJ5SJcIgA3TKaQVpHTEjsSncPVlUu4sBxm3kTQOK5bE52aw==
> > + DEK-Info: DES-EDE3-CBC,B69D648DD9C5C8D
> > + bAAaqPBUPN3p3MkBtkfZ9rCk18Fda5hppgZbInsTBioCajUeewzXOFqLsPBmP4qD
> > + oKakQ9QAt9d4W7SYmRvSWM7kWluOlQDXYOX3NImoYYmF/iCP6sS+mopih5PAy4na
> > + 9Jxe5m5Cb6USdafrSjHqaOQjlXOIGo7vCvs3LyXOhBA2mw1QTJyYPK5ZDiqx+edt
> > + Qqs4EIF8PgzSug2yQmkXu1YeuLaUtpnVu6g7koY3ugeznEJe7qUR15EvYW/VI3eg
> > + xKTmqk95+oNEySR+WcKajv59u01j6FoaD0ALN5rJEVv1AlG0NJryjIlevW1AGVUw
> > + tXG2HJz0zmFX99hIV7RMntZIez2cw+VaojLluHlTdngI9y7LemoLQPrxwKjwCV0+
> > + U3waJhpKV2bFjfqhbcuahifjAFIFA8ghhfbuzfq/y7O8yD25fSE22fU
> > + F0+8ehuNv2M13gATPhUrNtQDo0wSzPaO//Bpei+QT1ulVSMQGveVkVdRH1wHWvPg
> > + AzDVi/HmsVvZa0SBKwuZP4WnVdfuiIyX0frWpGirltPny9BkuM3GSBsa2Oz/f2XS
> > + OEVW1xUT+WFUc55x7rVDvy8WPFSUYL7hFQDJmr2VZC2QJi1W2jVcsAcaAswDo3RE
> > + +3vjawQ1S/p5Sh2UX1XCel+HP5X9mR/3HlPV1EsZ9rwz9mnl2GhQYQ==
> >   -----END RSA PRIVATE KEY-----"
> > 
> > I would love to remove everything " " and display set private-key " ***
> > removed *** ".
> > 
> > Thanks

Lance Vermilion | 1 Mar 19:10 2010

[rancid] Re: Dedicated nixrancid using clogin...anyone interested

Charles,

I hope to actually put some structured code together in the next 5-8
days (before I leave on my honeymoon). I first have to take care of
some higher priority issues here. I will share what I come up with.
Stay tuned.

-lance

On Fri, Feb 26, 2010 at 5:57 PM, Charles Tompkins
<thecomputerking <at> gmail.com> wrote:
> I am interested and considering a rancid deployment for change management
> on server files ATM; I am interested in seeing your work.
>
> I can see nixcollect.db using some additional variability or versions to
> accommodate other system flavors for all the different paths to etc, not to
> mention multiple paths to applications like src-installed (/usr/local/etc)
> vs. maintained packages (/etc) or even /opt.
>
> nixcollect_redhat.db
> nixcollect_debuntu.db
> nixcollect_solaris.db
> . . .
>
> Maybe set your path to etc/ as a variable for the firsthalf of the object
> and rely on your object definition to supply the secondhalf to get to the
> file.
>
> Regards,
> -Charles
>
>
>
> On Feb 26, 2010, at 2:32 PM, Lance Vermilion <rancid <at> gheek.net> wrote:
>
>> All,
>>
>> I have been thinking. I don't want to go and add something like
>> cfengine or anything else to my existing set of tools. I do want to
>> collect some information and save it, namely files that wouldn't be
>> changing frequently and since I use OpenNMS which has RANCID tied to
>> it already this is a valuable add for me. All I need to do is add a
>> new platform nix that points to nixrancid that uses a slightly
>> modified clogin (to skip sending "term length 0") and then I can
>> capture all sorts of important bits of info on *nix machines. Right
>> now I have played with Linux and I am having quite the success.
>>
>> I want to write a small addition to nixrancid that would then look at
>> an additional file called nixcollect.db. This would allow someone to
>> enable collection based on possible collection bits. So if the
>> platform type of nix was in router.db then nixrancid would look in
>> nixcollect.db  to figure out what files to screen scrape.
>>
>> Please let me know if anyone else would be interested in the work I will
>> do.
>>
>> Currently I am thinking to capture a few things.
>>
>> #key files in /etc/
>> /etc/passwd
>> /etc/profile
>> /etc/bashrc
>> /etc/group
>> /etc/sudoers
>> /etc/modprobe
>> /etc/aliases
>> /etc/crontab
>> /etc/grub.conf
>> /etc/shadow
>> /etc/hosts
>> /etc/hosts.allow
>> /etc/hosts.deny
>> /etc/host.conf
>> /etc/multipath.conf
>> /etc/resolv.conf
>> /etc/securetty
>> /etc/services
>> /etc/updatedb.conf
>> /etc/sysctl.conf
>> /etc/inittab
>> /etc/initlog.conf
>> /etc/login.defs
>> /etc/logrotate.conf
>> /etc/logrotate.d/*
>>
>> #syslogd
>> /etc/syslog.conf
>>
>> #syslog-ng
>> /etc/syslog-ng/*
>>
>> #java
>> /etc/java/*
>>
>> #security
>> /etc/security/*
>>
>> #drbd
>> /etc/drbd.conf
>>
>> #snmp
>> /etc/snmp/snmpd.conf
>> /etc/snmp/snmp.local.conf
>>
>> #tomcat
>> /etc/tomcat5/*
>> /etc/sysconfig/tomcat5/
>>
>> #yum/apt-get/etc
>> /etc/yum.conf
>> /etc/yum.repos.d/*.repo
>> /etc/yum/yum-updatesd.conf
>>
>> #ssh
>> /etc/ssh/*
>>
>> #selinux
>> /etc/selinux/config
>> <need to figure out what else really should be captured>
>>
>> #filesystem
>> /etc/fstab
>>
>> #INIT scripts
>> /etc/init.d/*
>>
>> #PAM
>> /etc/pan.d/*
>>
>> #databases - mysql/etc
>> /etc/my.cnf
>>
>> #DNS - bind/named
>> /etc/named.conf
>> /etc/named.caching-nameserver.conf
>> /etc/rfc1912.zones
>> /etc/sysconfig/named
>>
>> #iscsi
>> <need to determine what needs to be collected>
>>
>> #ntp
>> /etc/ntp.conf
>> /etc/ntp/ntpservers
>> /etc/ntp/keys
>> /etc/sysconfig/ntpd
>>
>> #security files - audit
>> /etc/audit/auditd.conf
>> /etc/audit/audit.rules
>> /etc/sysconfig/auditd
>>
>> #iptables
>> /etc/sysconfig/iptables-config
>> /etc/sysconfig/ip6tables-config
>>
>> #Heartbeat
>> /etc/ha.d/haresources
>> /etc/ha.d/ha.cf
>> /etc/ha.d/authkeys
>>
>> #sysconfig stuff
>> /etc/sysconfig/network
>> /etc/sysconfig/network-scripts/ifcfg-*
>> /etc/sysconfig/authconfig
>> /etc/sysconfig/clock
>> /etc/sysconfig/kernel
>

Alex DEKKER | 1 Mar 21:33 2010

[rancid] Re: Dedicated nixrancid using clogin...anyone interested

On Friday 26 February 2010 19:32:58 Lance Vermilion wrote:

> Please let me know if anyone else would be interested in the work I will
>  do.

Yes, mainly because I've already got RANCID working with a variety of routers 
and switches, so this would make adding servers into the mix painless.

alexd

Diego Ercolani | 1 Mar 22:32 2010

[rancid] Re: Dedicated nixrancid using clogin...anyone interested

You're welcome to these patches; if you wish, you can even start from my 
patches dated July 2009:

http://www.shrubbery.net/pipermail/rancid-discuss/2009-July/004036.html

where I also implemented an extension to the rancid .clogin configuration 
implementing a multiline structure.

On Monday 1 March 2010 19:10:21, Lance Vermilion wrote:
> Charles,
> 
> I hope to actually put some structured code together in the next 5-8
> days (before I leave on my honeymoon). I first have to take care of
> some higher priority issues here. I will share what I come up with.
> Stay tuned.
> 
> -lance
> 
> On Fri, Feb 26, 2010 at 5:57 PM, Charles Tompkins
> 
> <thecomputerking <at> gmail.com> wrote:
> > I am interested and considering a rancid deployment for change
> > management on server files ATM; I am interested in seeing your work.
> >
> > I can see nixcollect.db using some additional variability or versions to
> > accommodate other system flavors for all the different paths to etc, not
> > to mention multiple paths to applications like src-installed
> > (/usr/local/etc) vs. maintained packages (/etc) or even /opt.
> >
> > nixcollect_redhat.db
> > nixcollect_debuntu.db
> > nixcollect_solaris.db
> > . . .
> >
> > Maybe set your path to etc/ as a variable for the firsthalf of the object
> > and rely on your object definition to supply the secondhalf to get to the
> > file.
> >
> > Regards,
> > -Charles
> >
> > On Feb 26, 2010, at 2:32 PM, Lance Vermilion <rancid <at> gheek.net> wrote:
> >> All,
> >>
> >> I have been thinking. I don't want to go and add something like
> >> cfengine or anything else to my existing set of tools. I do want to
> >> collect some information and save it, namely files that wouldn't be
> >> changing frequently and since I use OpenNMS which has RANCID tied to
> >> it already this is a valuable add for me. All I need to do is add a
> >> new platform nix that points to nixrancid that uses a slightly
> >> modified clogin (to skip sending "term length 0") and then I can
> >> capture all sorts of important bits of info on *nix machines. Right
> >> now I have played with Linux and I am having quite the success.
> >>
> >> I want to write a small addition to nixrancid that would then look at
> >> an additional file called nixcollect.db. This would allow someone to
> >> enable collection based on possible collection bits. So if the
> >> platform type of nix was in router.db then nixrancid would look in
> >> nixcollect.db  to figure out what files to screen scrape.
> >>
> >> Please let me know if anyone else would be interested in the work I will
> >> do.
> >>
> >> Currently I am thinking to capture a few things.
> >>
> >> #key files in /etc/
> >> /etc/passwd
> >> /etc/profile
> >> /etc/bashrc
> >> /etc/group
> >> /etc/sudoers
> >> /etc/modprobe
> >> /etc/aliases
> >> /etc/crontab
> >> /etc/grub.conf
> >> /etc/shadow
> >> /etc/hosts
> >> /etc/hosts.allow
> >> /etc/hosts.deny
> >> /etc/host.conf
> >> /etc/multipath.conf
> >> /etc/resolv.conf
> >> /etc/securetty
> >> /etc/services
> >> /etc/updatedb.conf
> >> /etc/sysctl.conf
> >> /etc/inittab
> >> /etc/initlog.conf
> >> /etc/login.defs
> >> /etc/logrotate.conf
> >> /etc/logrotate.d/*
> >>
> >> #syslogd
> >> /etc/syslog.conf
> >>
> >> #syslog-ng
> >> /etc/syslog-ng/*
> >>
> >> #java
> >> /etc/java/*
> >>
> >> #security
> >> /etc/security/*
> >>
> >> #drbd
> >> /etc/drbd.conf
> >>
> >> #snmp
> >> /etc/snmp/snmpd.conf
> >> /etc/snmp/snmp.local.conf
> >>
> >> #tomcat
> >> /etc/tomcat5/*
> >> /etc/sysconfig/tomcat5/
> >>
> >> #yum/apt-get/etc
> >> /etc/yum.conf
> >> /etc/yum.repos.d/*.repo
> >> /etc/yum/yum-updatesd.conf
> >>
> >> #ssh
> >> /etc/ssh/*
> >>
> >> #selinux
> >> /etc/selinux/config
> >> <need to figure out what else really should be captured>
> >>
> >> #filesystem
> >> /etc/fstab
> >>
> >> #INIT scripts
> >> /etc/init.d/*
> >>
> >> #PAM
> >> /etc/pan.d/*
> >>
> >> #databases - mysql/etc
> >> /etc/my.cnf
> >>
> >> #DNS - bind/named
> >> /etc/named.conf
> >> /etc/named.caching-nameserver.conf
> >> /etc/rfc1912.zones
> >> /etc/sysconfig/named
> >>
> >> #iscsi
> >> <need to determine what needs to be collected>
> >>
> >> #ntp
> >> /etc/ntp.conf
> >> /etc/ntp/ntpservers
> >> /etc/ntp/keys
> >> /etc/sysconfig/ntpd
> >>
> >> #security files - audit
> >> /etc/audit/auditd.conf
> >> /etc/audit/audit.rules
> >> /etc/sysconfig/auditd
> >>
> >> #iptables
> >> /etc/sysconfig/iptables-config
> >> /etc/sysconfig/ip6tables-config
> >>
> >> #Heartbeat
> >> /etc/ha.d/haresources
> >> /etc/ha.d/ha.cf
> >> /etc/ha.d/authkeys
> >>
> >> #sysconfig stuff
> >> /etc/sysconfig/network
> >> /etc/sysconfig/network-scripts/ifcfg-*
> >> /etc/sysconfig/authconfig
> >> /etc/sysconfig/clock
> >> /etc/sysconfig/kernel

Mohacsi Janos | 2 Mar 10:04 2010

[rancid] rancid 2.3.3 announced?

Dear Maintainers,
Did you officially release rancid 2.3.3? I see a distribution 
tar on the ftp site.
Best Regards,

Janos Mohacsi
Head of HBONE+ project
Network Engineer, Deputy Director of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882

Diego Ercolani | 2 Mar 16:36 2010

[rancid] Re: fortigate issues

I see the problem near line 590 of the fnlogin procedure:
           -re "$prompt"                       {  send "\r"
                                                       sleep 0.5

If I swap the sleep 0.5 and the send "\r",
the differences come up in other places...

As for the certificates, in my rancid installation the certificates didn't vary from 
one query to another; I don't know why, since if I ask the fortinet with "show full-configuration", 
the certificates vary from one query to the other
....

 
On Monday 1 March 2010 18:16:21, you wrote:
> Yes one line is easy to remove but I need to remove the complete
> certificate block.
> 
> Maybe with a line counter from the moment I match the "set private-key" tag
> 
> Thanks for your help
> 
> On 1 March 2010 at 16:22, Diego Ercolani wrote:
> > I had your issue today; I solved it by rebooting the
> > fortigate appliance....
> > rancid (with my patches) simply asks the fortinet for a dump of the configuration
> > without beautifying or indenting the configuration dump.
> > For the certificate/private key and others, you have to modify the source,
> > removing multiline things....
> > The main loop where these things are done starts at line 176 of fnrancid,
> > but as you see it's very simple and removes only the one-line things
> > matching a tag on the line. You have to create a more sophisticated
> > implementation subroutine that processes multiline input at a time and
> > manages exceptions.
> > 
> > In the same loop I think it's possible to manage issues like extra spaces
> > added, but what I saw in my situation today is that sometimes the fortigate
> > gives the configuration with commands broken by a line feed without any
> > kind of rule, e.g. I saw something like:
> > 
> > retrieving revision 1.1969
> > diff -U 4 -r1.1969 fortifw
> >  <at>  <at>  -51,9 +51,9  <at>  <at> 
> > 
> >      set daily-restart disable
> >      set detection-summary enable
> >      set dst enable
> >      set failtime 5
> > 
> > -      set fds-statistics enable
> > +    set fds-stat
> > +      istics enable
> > 
> >      set forticlient-portal-port 8009
> >      set fsae-burst-size 300
> >      set fsae-rate-limit 100
> > 
> > ...this isn't foreseeable, don't you think?
> > 
> > On Monday 1 March 2010 14:59:56, Rodo Bibi wrote:
> >> Hey rancid community
> >> 
> >> I am working with fortigate 1000A and I have 2 issues I am sure you can
> >> help me with.
> >> 
> >> At each rancid backup I receive an email with configuration changes.
> >> 
> >> First problem:
> >> 
> >> retrieving revision 1.1969
> >> diff -U 4 -r1.1969 fortifw
> >>  <at>  <at>  -51,9 +51,9  <at>  <at> 
> >> 
> >>      set daily-restart disable
> >>      set detection-summary enable
> >>      set dst enable
> >>      set failtime 5
> >> 
> >> -      set fds-statistics enable
> >> +    set fds-statistics enable
> >> 
> >>      set forticlient-portal-port 8009
> >>      set fsae-burst-size 300
> >>      set fsae-rate-limit 100
> >> 
> >> See, the set fds-statistics enable is removed then added. How can I get
> >> rid of this?
> >> 
> >> 
> >> Second problem:
> >> 
> >> The display of the private key changes at each backup:
> >> 
> >> +         set private-key "-----BEGIN RSA PRIVATE KEY-----
> >> 
> >>  Proc-Type: 4,ENCRYPTED
> >> 
> >> - DEK-Info: DES-EDE3-CBC,3C07324ADB7623412
> >> - M1/T1PrO+n8oX1E2Fks46mI6zF3R99g3ulhR9jfXi1zdjYrfEfmz8eIbV0lrECoo
> >> - P6DKRBUUJw9p4OPitm1XpIG5SXQSLWjV9GOWeFhsiAWDZrnONzWSkuiunXxu3W3D
> >> - BIw4fCC+HXRs1wUHhTf0XWzpbO0pmWfHWcCv8D3jKLXdchGI/5jKyfsVAgv5TT6Q
> >> - A40sI463M4xBl2RzNBNvxSF1yrpDdA454W0B4y8uSHLQg0Q94fGiprLpUO9S2NFI
> >> - QUKJGqAhNrwGbFCmm7NQxeEbdbJnzJ77rxYjm3+VQaEsPkuKU32DgQTP1uJIxTeB
> >> - WM8F30XrOqj6/esxqqL8TZl4uYySJZtR2SVjlhdVlg7zCQSZV3ZbgK7zR5lT3+aK
> >> - rUGg3DEiA8ajHxv44QsUutwhSrubreCkaHkRI1VxZpeOroa2x6t8bN/XcvPCWQEo
> >> - Y1yXEn7iR3LZxbE5retft+UBhcBs0Xm55vBMGeyNhzkalQveSJ1Bn7A5lLrII8Hy
> >> - YlozkgkbzsRsWNFQKFUWGNQR56432IHGWOVDSBQGE5py0Wk1qq+bOQq5T
> >> - ySWSKQDdDv3rS2OU3aulmcXvzs+pmLqYHQG6m8vQm0/7EhKEKa2UK2M5Nx4SOLdI
> >> - 94iOYWFrJ5SJcIgA3TKaQVpHTEjsSncPVlUu4sBxm3kTQOK5bE52aw==
> >> + DEK-Info: DES-EDE3-CBC,B69D648DD9C5C8D
> >> + bAAaqPBUPN3p3MkBtkfZ9rCk18Fda5hppgZbInsTBioCajUeewzXOFqLsPBmP4qD
> >> + oKakQ9QAt9d4W7SYmRvSWM7kWluOlQDXYOX3NImoYYmF/iCP6sS+mopih5PAy4na
> >> + 9Jxe5m5Cb6USdafrSjHqaOQjlXOIGo7vCvs3LyXOhBA2mw1QTJyYPK5ZDiqx+edt
> >> + Qqs4EIF8PgzSug2yQmkXu1YeuLaUtpnVu6g7koY3ugeznEJe7qUR15EvYW/VI3eg
> >> + xKTmqk95+oNEySR+WcKajv59u01j6FoaD0ALN5rJEVv1AlG0NJryjIlevW1AGVUw
> >> + tXG2HJz0zmFX99hIV7RMntZIez2cw+VaojLluHlTdngI9y7LemoLQPrxwKjwCV0+
> >> + U3waJhpKV2bFjfqhbcuahifjAFIFA8ghhfbuzfq/y7O8yD25fSE22fU
> >> + F0+8ehuNv2M13gATPhUrNtQDo0wSzPaO//Bpei+QT1ulVSMQGveVkVdRH1wHWvPg
> >> + AzDVi/HmsVvZa0SBKwuZP4WnVdfuiIyX0frWpGirltPny9BkuM3GSBsa2Oz/f2XS
> >> + OEVW1xUT+WFUc55x7rVDvy8WPFSUYL7hFQDJmr2VZC2QJi1W2jVcsAcaAswDo3RE
> >> + +3vjawQ1S/p5Sh2UX1XCel+HP5X9mR/3HlPV1EsZ9rwz9mnl2GhQYQ==
> >> 
> >>  -----END RSA PRIVATE KEY-----"
> >> 
> >> I would love to remove everything " " and display set private-key " ***
> >> removed *** ".
> >> 
> >> Thanks
> > 

