[rancid] Rancid for firewall configuration auditing

Buchan Milne bgmilne at staff.telkomsa.net
Tue Jul 29 15:53:37 UTC 2008


We currently use rancid mainly for network device revision control.

We will soon be taking over management of some Cisco-based firewalls, and we 
would like to have some kind of configuration auditing. The aim of the 
auditing is to be able to prove the origin of an individual firewall rule.

The way I envisage doing this is with 'cvs annotate' or similar (e.g. with 
cvsweb or viewvc), so an auditor could see an annotated version of any 
revision of the firewall configuration, click on the link next to the line of 
interest, and see the change number that implemented that line of the 
configuration (from which we can find the firewall request or other motivation 
for modifying the access).

To accomplish this, I just need to have a custom commit message.

I tested briefly by abusing the -m option to rancid-run, but I would prefer 
not to send spurious emails, as follows:

$ sudo -H -u rancid /usr/lib64/rancid/bin/rancid-run -r devicename -m 'sudoCOXXXXXX'

Which mostly gives the desired behaviour (at least on the cvs side).

Also, I would prefer to get the username (well, $SUDO_USER) in as the author, 
but I guess that is more of a permissions issue than anything else.

So, would there be any interest in adding a command-line option for a 
custom commit message? If so, I am prepared to do the changes and submit a 
patch.

Regards,
Buchan

(BTW, I also packaged rancid for Mandriva, rancid is available in the 
'contrib' section of Mandriva 2007.0 and later)

