ytti / oxidized

Oxidized is a network device configuration backup tool. It's a RANCID replacement!

Fortigate private-encryption-key value should be removed from config when remove_secret is set to true #3285

Closed ebarrett-Ocient closed 3 weeks ago

ebarrett-Ocient commented 1 month ago

The value of private-encryption-key in Fortigate config files changes frequently. Ideally, when remove_secret is set to true, Oxidized should remove this value from the downloaded configuration. This will result in Oxidized no longer identifying a configuration change every time the value of private-encryption-key is changed.

ebarrett-Ocient commented 1 month ago

I should also add I'm using the latest and greatest docker container image.

systeembeheerder commented 1 month ago

Is this the private-encryption-key you talk about?

Aren't you missing the point of Oxidized (config backup and versioning) if you encrypt a big part of your config first?

Anyway, an example / snippet would surely help to add a filter for it in Oxidized.

ebarrett-Ocient commented 1 month ago

Yes, that's how you enable a private-encryption-key. Once it's been configured, you'll see it in the config Oxidized pulls down just before config system global:

# COMMAND: show | grep .
#config-version=FG200F-7.2.10-FW-build1706-240918:opmode=1:vdom=0:user=my_user
#conf_file_ver=<stripped>
#buildno=1706
#global_vdom=1
#private-encryption-key=<redacted>
config system global

Aren't you missing the point of Oxidized (config backup and versioning) if you encrypt a big part of your config first?

Are you suggesting to not set remove_secret to true? Oxidized is still able to manage the vast majority of my configuration. Since the Fortigate re-hashes all of its secrets, including the value of private-encryption-key, every few hours, it means that if I don't have remove_secret, it looks like my configuration is constantly changing. That means that when something breaks and I want to find out what I've changed recently, it's a lot easier to use Oxidized to find out exactly when the last actual configuration change was made if it ignores all of the secrets.

systeembeheerder commented 3 weeks ago

@ebarrett-Ocient could you test this patch?

Copy fortios.rb to ~/.config/oxidized/model/fortios.rb and restart oxidized.
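As an added illustration of the kind of filter discussed in this thread (this is not the patch from the issue nor Oxidized's own fortios model), the Ruby below rewrites the `#private-encryption-key=` header value to the `<configuration removed>` marker and shows that two constructed snapshots differing only in the re-hashed key no longer register as a change. The header line format comes from the `show | grep .` output quoted above; the sample key values are constructed.

```ruby
# Added example (not Oxidized's own model code): a standalone filter that
# rewrites the FortiOS private-encryption-key header value to a fixed
# marker, so the periodic re-hashing described in this issue does not
# show up as a configuration change.

# Replacement text; matches the marker the reporter saw after the patch.
REDACTED = '<configuration removed>'

# Header-comment form seen in "show | grep ." output. The key name
# (capture 1) is kept so the line itself stays visible in the backup.
PRIVATE_KEY_LINE = /^(#private-encryption-key=).*$/

# Return a copy of cfg with the private-encryption-key value removed.
# Only applied when remove_secret is true, mirroring the Oxidized option.
def remove_fortios_secrets(cfg, remove_secret: true)
  return cfg unless remove_secret
  cfg.gsub(PRIVATE_KEY_LINE) { "#{Regexp.last_match(1)}#{REDACTED}" }
end

# True if two snapshots still differ once secrets are filtered out; this
# is the comparison that decides whether a new version would be stored.
def config_changed?(old_cfg, new_cfg, remove_secret: true)
  remove_fortios_secrets(old_cfg, remove_secret: remove_secret) !=
    remove_fortios_secrets(new_cfg, remove_secret: remove_secret)
end

# Constructed sample snapshots: identical except for the re-hashed key.
SNAPSHOT_A = <<~CFG
  # COMMAND: show | grep .
  #config-version=FG200F-7.2.10-FW-build1706-240918:opmode=1:vdom=0:user=my_user
  #buildno=1706
  #global_vdom=1
  #private-encryption-key=0123abcd0123abcd
  config system global
CFG

SNAPSHOT_B = SNAPSHOT_A.sub('0123abcd0123abcd', 'ffff9999ffff9999')

if __FILE__ == $PROGRAM_NAME
  puts remove_fortios_secrets(SNAPSHOT_A)
  puts "changed without filter: #{config_changed?(SNAPSHOT_A, SNAPSHOT_B, remove_secret: false)}"
  puts "changed with filter:    #{config_changed?(SNAPSHOT_A, SNAPSHOT_B)}"
end
```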

ebarrett-Ocient commented 3 weeks ago

@systeembeheerder That did the trick!

+#private-encryption-key= <configuration removed>
robertcheramy commented 3 weeks ago

Closed by PR #3306