summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am1
-rw-r--r--etc/bash_completion.d/vyatta-op7
-rw-r--r--scripts/vyos-strip-config.pl165
3 files changed, 172 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 2d290d2..04c7d01 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -50,6 +50,7 @@ bin_SCRIPTS += scripts/vyatta-monitor-background
bin_SCRIPTS += scripts/vyatta-monitor-background-stop
bin_SCRIPTS += scripts/vyatta-monitor-check-rule-log
bin_SCRIPTS += scripts/vyos-show-ram.sh
+bin_SCRIPTS += scripts/vyos-strip-config.pl
sbin_SCRIPTS = scripts/dhcpv6-client-show-leases.pl
sbin_SCRIPTS += scripts/vyatta-image-tools.pl
diff --git a/etc/bash_completion.d/vyatta-op b/etc/bash_completion.d/vyatta-op
index c59df65..e61c5da 100644
--- a/etc/bash_completion.d/vyatta-op
+++ b/etc/bash_completion.d/vyatta-op
@@ -492,6 +492,11 @@ no-more ()
cat
}
+strip-private ()
+{
+ ${vyatta_bindir}/vyos-strip-config.pl --strict --stdin
+}
+
# pipe command help
# $1: command
_vyatta_pipe_help ()
@@ -527,7 +532,7 @@ _vyatta_do_pipe_help ()
_vyatta_pipe_completion ()
{
local -a pipe_cmd=()
- local -a all_cmds=( 'count' 'match' 'no-match' 'more' 'no-more' )
+ local -a all_cmds=( 'count' 'match' 'no-match' 'more' 'no-more' 'strip-private' )
local found=0
_vyatta_pipe_completions=()
_vyatta_pipe_noncompletions=()
diff --git a/scripts/vyos-strip-config.pl b/scripts/vyos-strip-config.pl
new file mode 100644
index 0000000..ad00a5b
--- /dev/null
+++ b/scripts/vyos-strip-config.pl
@@ -0,0 +1,165 @@
+#!/usr/bin/perl
+#
+# Removes private information from Vyatta config files.
+#
+# Copyright (C) 2011 Daniil Baturin <daniil@baturin.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+# of the Software, and to permit persons to whom the Software is furnished to do
+# so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+use strict;
+use Getopt::Long;
+
+sub help {
+ my $msg = <<EOL;
+Strips off private information from Vyatta configs.
+
+Usage: $0 </path/to/config>
+ $0 --stdin < </path/to/config> (or "cat /path/to/config | $0 --stdin")
+
+Options:
+--stdin Read config from standard input
+
+--strict Remove any private information (see details in options below).
+ This is default behavior.
+
+--loose Remove only information specified in options below
+
+--address Strip off IPv4 and IPv6 addresses
+--mac Strip off MAC addresses
+--domain Strip off domain names
+--hostname Strip off system host and domain names
+--username Strip off user names
+--dhcp Strip off DHCP shared network and static mapping names
+--asn Strip off BGP ASNs
+--lldp Strip off LLDP location information
+--snmp Strip off SNMP location information
+
+EOL
+ print $msg;
+}
+
+my $inputFile = undef;
+my $stdin = undef;
+my $strict = 1;
+my $loose = undef;
+my $stripIP = undef;
+my $stripDomains = undef;
+my $stripHostname = undef;
+my $stripUsernames = undef;
+my $stripDHCP = undef;
+my $stripMAC = undef;
+my $stripOvpnSecrets = undef;
+my $stripASN = undef;
+my $stripLLDP = undef;
+my $stripSNMP = undef;
+my $keepPasswords = undef;
+my $input = undef;
+
+GetOptions(
+ "stdin" => \$stdin,
+ "loose" => \$loose,
+ "strict" => \$strict,
+ "address" => \$stripIP,
+ "domain" => \$stripDomains,
+ "hostname" => \$stripHostname,
+ "username" => \$stripUsernames,
+ "mac" => \$stripMAC,
+ "dhcp" => \$stripDHCP,
+ "openvpn" => \$stripOvpnSecrets,
+ "asn" => \$stripASN,
+ "lldp" => \$stripLLDP,
+ "snmp" => \$stripSNMP,
+ "keep-passwords" => \$keepPasswords
+);
+
+$strict = 0 if $loose;
+
+if ($strict) {
+ $stripIP = 1;
+ $stripDomains = 1;
+ $stripHostname = 1;
+ $stripUsernames = 1;
+ $stripDHCP = 1;
+ $stripMAC = 1;
+ $stripOvpnSecrets = 1;
+ $stripASN = 1;
+ $stripLLDP = 1;
+ $stripSNMP = 1;
+}
+
+## Get config
+
+$inputFile = @ARGV[0];
+
+if ($stdin) {
+ while (<>) {
+ $input .= $_;
+ }
+} elsif ($inputFile) {
+ open (HANDLE, "<$inputFile") or die "Can not open config file $inputFile";
+ while (<HANDLE>) {
+ $input .= $_;
+ }
+ close (HANDLE) or die $!;
+} else {
+ help();
+ exit(0);
+}
+
+## Everybody stand back, I know regular expressions
+
+# Strip passwords
+$input =~ s/password \S+/password xxxxxx/g if !($keepPasswords);
+
+# Strip MAC addresses
+$input =~ s/([0-9A-F]{2}\:){3}([0-9A-F]{2}((\:{0,1})){3})/XX:XX:XX:$2/gi if $stripMAC;
+
+# Strip IPv4 addresses
+$input =~ s/\d+\.\d+\.(\d+)\.(\d+)/xxx.xxx.$1.$2/g if $stripIP;
+
+# Strip IPv6 addresses
+$input =~ s/ (([0-9a-f]{1,4}\:){2})(\S+)/ xxxx:xxxx:$3/gi if $stripIP;
+
+# Strip host-name, domain-name, and domain-search
+$input =~ s/(host-name|domain-name|domain-search) \S+/$1 xxxxxx/g if $stripHostname;
+
+# Strip user-names
+$input =~ s/(user|username|user-id|login|full-name) \S+/$1 xxxxxx/g if $stripUsernames;
+
+# Strip DHCP static-mapping and shared network names
+$input =~ s/(shared-network-name|static-mapping) \S+/$1 xxxxxx/g if $stripDHCP;
+
+# Strip host/domain names
+$input =~ s/ (peer|remote-host|local-host|server) ([\w-]+\.)+[\w-]+/ $1 xxxxx.tld/g if $stripDomains;
+
+# Strip OpenVPN secrets
+$input =~ s/(shared-secret-key-file|ca-cert-file|cert-file|dh-file|key-file|client) (\S+)/$1 xxxxxx/g if $stripOvpnSecrets;
+
+# Strip BGP ASNs
+$input =~ s/(bgp|remote-as) (\d+)/$1 XXXXXX/g if $stripASN;
+
+# Strip LLDP location parameters
+$input =~ s/(altitude|datum|latitude|longitude|ca-value|country-code) (\S+)/$1 xxxxxx/g if $stripLLDP;
+
+# Strip SNMP location
+$input =~ s/(location) \S+/$1 xxxxxx/g if $stripSNMP;
+
+print $input;
+
+exit(0);