[rancid] Securing RANCID installation

Hughes, Doug Douglas.Hughes at DEShawResearch.com
Tue Dec 16 14:58:55 UTC 2014


1) rancid already eliminates the passwords from the configs - that's pretty significant
2) define a rancid group. 
3) make a rancid user that is part of that group
4) make the rancid writable directories be chmod g+s for that group, and make the umask 022 to prevent other people from reading the files (if so inclined - depending on your security needs)

Optionally, store the versioned configs in a repository with restricted permissions for view (e.g. git+gerrit or just git or perforce or whatever) or use a local repository (again git, svn, cvs, whatever) that has permissions for the rancid group. If you use a web server that diffs these things for quick visual, colorized config audits, make sure you protect that with the same level of permissions. Define passwords or http access lists or whatever according to your needs.

-----Original Message-----
From: Rancid-discuss [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Jason Humes
Sent: Tuesday, December 16, 2014 9:43 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Securing RANCID installation

Hi
Are there any tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.

Thanks for any advice! :)

Cheers

Jason 

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
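
Steps 2 to 4 of the reply above, sketched as shell functions that apply the group and setgid layout and then audit it. This is an added example, not part of the original thread or of RANCID itself; the function names, the directory, and the group passed in are assumptions. It runs under umask 027, which is the mask that removes all access for "other" (022 removes only write access).

```shell
#!/bin/sh
# Added example (not from the thread): apply and audit the group/setgid
# layout for a RANCID data tree. Directory and group are assumptions.

# rancid_harden DIR GROUP: group-own the tree, set the setgid bit on every
# directory so new files inherit GROUP, and strip all "other" permissions.
rancid_harden() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0640 {} + || return 1
}

# with_rancid_umask CMD...: run a command (e.g. the collection job) so that
# anything it creates has no permission bits for "other".
with_rancid_umask() {
    ( umask 027; "$@" )
}

# rancid_audit DIR: print one finding per line and return 1 if any exist.
#   other-access PATH  -> readable, writable or executable by "other"
#   no-setgid PATH     -> directory whose new files would not inherit the group
rancid_audit() {
    dir=$1
    findings=$(
        find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -print | sed 's/^/other-access /'
        find "$dir" -type d ! -perm -2000 -print | sed 's/^/no-setgid /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

The same audit can be pointed at a local git, svn or cvs repository directory that holds the versioned configs.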

