[rancid] Rancid for firewall configuration auditing

Buchan Milne bgmilne at staff.telkomsa.net
Tue Jul 29 15:53:37 UTC 2008

We currently use rancid mainly for network device revision control.

We will soon be taking over management of some Cisco-base firewalls, and we 
would like to have some kind of configuration auditing. The aim of the 
auditing is to be able to prove the origin of an individual firewall rule.

The way I envisage doing this is with 'cvs annotate' or similar (e.g. with 
cvsweb or viewvc), so an auditor could see an annotated version of any 
revision of the firewall configuration, click on the link next to the line of 
interest, and see the change number that implemented that line of the 
configuration (from which we can find the firewall request or other motivation 
for modifying the access).

To accomplish this, I just need to have a custom commit message.

I tested briefly by abusing the -m option to rancid-run, but I would prefer 
not to send spurious emails, as follows:

$ sudo -H -u rancid /usr/lib64/rancid/bin/rancid-run -r 
devicename -m 'sudoCOXXXXXX'

Which mostly gives the desired behaviour (at least on the cvs side).

Also, I would prefer to get the username (well, $SUDO_USER) in as the author, 
but I guess that is more of a permissions issue than anything else.

So, is would there be any interest in adding a command-line option for a 
custom commit message? If so, I am prepared to do the changes and submit a 


(BTW, I also packaged rancid for Mandriva, rancid is available in the 
'contrib' section of Mandriva 2007.0 and later)

More information about the Rancid-discuss mailing list