[rancid] Securing RANCID installation
Daniel Anderson
dan.w.anderson at gmail.com
Tue Dec 16 20:30:12 UTC 2014
I would also recommend configuring/using a dedicated network (TACACS/RADIUS) account that only has permissions to run the commands that RANCID uses so that if someone does get the .cloginrc file somehow that it's harder for them to make config changes on the devices.
--
Dan
> On Dec 16, 2014, at 2:55 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
>
>> On 16/12/2014 16:43, Jason Humes wrote:
>> Hi
>> Are there are tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.
>>
>> Thanks for any advice! :)
>
>
> Others have explained well how to secure the data rancid produces to
> avoid information leakage.
>
> I would add that protecting .cloginrc is very very important as it
> contains login and enable passwords for the admin account on all your
> network devices.
>
> Make sure that only authorized sysadmins have login access to the rancid
> host, and that the rancid user's home directory is set with very
> restricted permissions (assuming a user called rancid):
>
> chown -R rancid ~rancid
> chmod -R go-rwx ~rancid
>
>
> Considering what can happen if .cloginrc leaks, it's a good idea to run
> rancid on a dedicated single-purpose host. Rancid is very light on
> resources, a basic VM with 1 cpu and 512M RAM does the job admirably
>
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
More information about the Rancid-discuss
mailing list