integration of security enhancement patch
john heasley
heas at shrubbery.net
Wed Jan 7 04:03:16 UTC 2004
Tue, Jan 06, 2004 at 04:22:18PM +1100, Andrew Fort:
> On 5/01/2004 9:20 PM, Erik Wenzel wrote:
>
> >On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote:
> >[...]
> >
> >
> >>Changing RANCID to perform "show startup-config" instead of a running
> >>configuration is "a bad idea" (tm). If an attacker were able to
> >>compromise your router and make changes to the configuration, RANCID
> >>in its current state will identify the changes and let you know about
> >>it. If RANCID used "show startup-config" instead, you would be
> >>unaware of the changes until they were saved. The running
> >>configuration is a better reflection of the state of the router.
> >>
> >>
> >Using Rancid to check if an attacker is compromising your routers is
> >only possible if only one person has write access. If you have
> >a colleague you are not able to distinguish configuration changes coming
> >from your colleague or an attacker. So, using RANCID for that purpose is
> >one thing. On the other hand, there is the purpose of having backups for disaster
> >recovery, and for that I can't see a reason to prefer one over the other.
> >In a production environment I consider it "a bad idea (TM)" to have a
> >difference between both configurations.
> >
> >
> >
>
> I think you both have a point worthy of argument, but no one wins
> arguments. There's no reason why the site administrator can't do this
> locally, nor why it could not be a configuration (bin/env) variable.
> The quick hack I just did to do this is kinda ugly (rewrite both the
> %commands and @commands variables _entirely_, based on whether an ENV
> variable is set one way or another), so I won't submit it if there's a
> cleaner way to just re-write that last line. Can someone submit a
> cleaner method? (Default behaviour remains the same, i.e., if there's
> no variable in the bin/env file).
>
> What do other people think? I've often had people ask me "oh, why
> doesn't RANCID look at the startup config", and I've explained it as
> Joshua has, above, but Erik makes a good point, and this seems like
> something that should be decided by the administrator.
just want to add two bits to this.
1) "router has the canonical config", i.e., what's in nvram is authoritative,
is a practice that most folks grow out of. you will eventually begin to
generate your configs and load those into nvram.
2) what i'd like to add for rancid 3.0 (or whatever) are boiler-plate device
types. for example, type "cisco" runs commands x, y, & z. but, a user
can define their own type, cisco-startup which might run x, y, z, & show
startup-config. not quite sure how to do that yet.
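The security point the thread turns on is that an attacker's (or a colleague's) change to the running configuration is invisible to anything that only reads NVRAM until someone does "write mem". The short script below, an added example and not RANCID code, makes that difference visible directly: it compares a captured "show running-config" against "show startup-config", drops the header and timestamp lines IOS prints with every fetch (the patterns are assumed, chosen to resemble the kind of noise rancid's own filters remove), and reports lines present only in the running config (live, unsaved) or only in NVRAM (deleted live but still in the stored copy). Both sample configs are constructed for illustration; the password hash is a placeholder.

```python
"""Report unsaved differences between a Cisco IOS running-config and the
startup-config held in NVRAM.  Added example, not part of RANCID; the
sample configs and the volatile-line patterns below are assumptions."""
import difflib
import re

# Lines IOS prints with a config that change on every fetch (or that are
# not configuration at all).  Assumed patterns; adjust for your platform.
VOLATILE = [
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration\s*:"),
    re.compile(r"^Using \d+ out of \d+ bytes"),
    re.compile(r"^! Last configuration change at"),
    re.compile(r"^! NVRAM config last updated at"),
    re.compile(r"^ntp clock-period"),
    re.compile(r"^!\s*$"),
    re.compile(r"^\s*$"),
]


def normalize(text):
    """Return the config lines with volatile header/timestamp lines dropped."""
    return [ln.rstrip() for ln in text.splitlines()
            if not any(p.match(ln) for p in VOLATILE)]


def unsaved_changes(running, startup):
    """Compare running vs startup config after normalization.

    Returns (live_only, nvram_only):
      live_only  - lines in the running config that are not in NVRAM
                   (configured on the box but never saved)
      nvram_only - lines in NVRAM that are no longer in the running config
    An empty pair means the two configurations agree.
    """
    diff = difflib.unified_diff(normalize(startup), normalize(running),
                                n=0, lineterm="")
    live_only, nvram_only = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue            # file and hunk headers from unified_diff
        if line.startswith("+"):
            live_only.append(line[1:])
        elif line.startswith("-"):
            nvram_only.append(line[1:])
    return live_only, nvram_only


# Constructed sample: what "show startup-config" returned.
STARTUP = """Using 1024 out of 262144 bytes
!
! Last configuration change at 10:02:11 UTC Mon Jan 5 2004
! NVRAM config last updated at 10:02:15 UTC Mon Jan 5 2004
!
version 12.2
hostname rtr1
!
username ops privilege 15 secret 5 $1$abcd$placeholderhashxxxxxx
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""

# Constructed sample: what "show running-config" returned two days later.
# Someone added a cleartext-password account, dropped the vty ACL and
# re-enabled telnet, and never saved.
RUNNING = """Building configuration...

Current configuration : 1107 bytes
!
! Last configuration change at 03:14:07 UTC Wed Jan 7 2004
! NVRAM config last updated at 10:02:15 UTC Mon Jan 5 2004
!
version 12.2
hostname rtr1
!
username ops privilege 15 secret 5 $1$abcd$placeholderhashxxxxxx
username svc privilege 15 password 0 letmein
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh telnet
!
end
"""

if __name__ == "__main__":
    live, nvram = unsaved_changes(RUNNING, STARTUP)
    for ln in live:
        print("running only :", ln)
    for ln in nvram:
        print("startup only :", ln)
    if not live and not nvram:
        print("running-config and startup-config agree")
```

Run against the samples it reports the added "username svc" line and the changed vty settings as running-only, and the old "access-class" and "transport input ssh" lines as startup-only; comparing a config with itself, or with a copy whose timestamps differ, reports nothing. This complements rather than replaces rancid's diff against the last archived copy: rancid tells you the box changed, this tells you whether that change has been committed to NVRAM, which is the case Erik flags as not wanting to see in production.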