Discussion:
[rancid] Re: Need to know if multiple usernames can be set in the .clogin file
Jayaraj, Chandrasekaran
2007-06-25 07:46:17 UTC
Permalink
Hi,

Thanks for the swift response. We do have Cisco TACACS installed using
ACS.

Even when we have that, there may be multiple users who are part of
the authentication group and who will actually have level 15 access.

So, for example, we have a group called noc-users and there are 3 users,
namely user1, user2, user3, who will have privilege 15 access.

But currently my cloginrc file has the entry in the format below:

add user * user1

and

add password * testpwd enabletestpwd

So how can I check if I log in as user2 and make some change?

Currently all I get from rancid is a diff output mail with the
difference and no mention of the username making the change.

So let me know if there is a way to do this.

warm regards,
-----------------------------------------------------------------------------
Chandrasekaran J

Senior Technical Analyst, Network Center of Excellence,
Network Services, Technology Production Services
-----------------------------------------------------------------------------
-----Original Message-----
From: Shekhar Basnet [mailto:***@mos.com.np]
Sent: Monday, June 25, 2007 12:35 PM
To: Jayaraj, Chandrasekaran
Cc: rancid-***@shrubbery.net
Subject: Re: [rancid] Need to know if multiple usernames can be set in
the .clogin file

Hi,

You'd need to use TACACS+ to find out who is doing what in your
routers/switches. You can download it from
http://www.shrubbery.net/tools.html

rgds,
shekhar.

Hi,
I am a newcomer to RANCID and I find it an interesting tool.
I want to know how to use rancid for checking configuration changes
done by multiple users.
Currently I have 3 users in my router who have privilege access to my
routers and switches, and rancid sends me the diff files of these 3
users.
However, I am not able to find out which user has done the change via
the email sent by rancid. Any suggestions on how to find it out?
warm regards,
-----------------------------------------------------------------------------
Chandrasekaran J
This email is confidential. If you are not the addressee tell the sender immediately and destroy this email
without using, sending or storing it. Emails are not secure and may suffer errors, viruses, delay,
interception and amendment. Standard Chartered PLC and subsidiaries ("SCGroup") do not accept liability for
damage caused by this email and may monitor email traffic.
Jeffrey C. Ollie
2007-06-25 13:02:03 UTC
Permalink
Post by Jayaraj, Chandrasekaran
Thanks for the swift response. We do have Cisco TACACS installed using
ACS.
Even when we have that, there may be multiple users who are part of
the authentication group and who will actually have level 15 access.
So, for example, we have a group called noc-users and there are 3 users,
namely user1, user2, user3, who will have privilege 15 access.
So how can I check if I log in as user2 and make some change?
Currently all I get from rancid is a diff output mail with the
difference and no mention of the username making the change.
RANCID cannot do what you ask. All that RANCID can do is give you a
summary of the changes made between two points in time, it cannot show
you who made those changes. It also cannot show you changes that were
made then unmade in between the times that RANCID scans your routers.

You need to enable command accounting on your router to get the kind of
information that you want:

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca5f1.html#xtocid183737

Jeff
Todd Heide
2007-06-25 13:18:34 UTC
Permalink
Set up a TACACS+ server on the RANCID box. The one I use, which has a nice
front end, is found here: http://www.networkforums.net. Once installed and
working, it is easy to check the logs to see what has been done and by
whom.

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean
john heasley
2007-06-25 17:28:50 UTC
Permalink
Post by Jayaraj, Chandrasekaran
Hi,
Thanks for the swift response. We do have Cisco TACACS installed using
ACS.
Even when we have that, there may be multiple users who are part of
the authentication group and who will actually have level 15 access.
So, for example, we have a group called noc-users and there are 3 users,
namely user1, user2, user3, who will have privilege 15 access.
But currently my cloginrc file has the entry in the format below:
add user * user1 and
add password * testpwd enabletestpwd
So how can I check if I log in as user2 and make some change?
Each user has their own HOME and $HOME/.cloginrc.
Post by Jayaraj, Chandrasekaran
Currently all I get from rancid is a diff output mail with the
difference and no mention of the username making the change.
The others are correct: there is no attribution and no way to be certain of
it without TACACS (or RADIUS?) login and command accounting. You can further
associate specific changes with rancid by using SEC; see the rancid FAQ,
section 3, question 5. With the time from the accounting logs, you can
approximately determine the user; approximate because multiple changes could
occur in the time taken for the collection.
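What Jeff's and john's replies describe, put together as an added example that is not part of RANCID or of any TACACS+ server: given the accounting records a TACACS+ daemon writes once command accounting is on, and the collection window of the rancid run that produced a diff, list the users who ran configuration-changing commands on that device inside the window, and look up which user ran the exact command a "+" line of the diff shows. The record layout (tab-separated: date, NAS address, user, port, remote address, start/stop, then key=value attributes with the command in cmd=) is modeled on tac_plus accounting output and is an assumption here; the log lines, the device address, the collection window and the function names are all constructed for the example.

```python
"""Approximate attribution of a RANCID diff via TACACS+ command accounting.

Added example; not RANCID or tac_plus code. Assumed record layout (tab-separated,
modeled on tac_plus accounting logs): date, NAS address, user, port, remote
address, start|stop, then key=value attributes, with the command in cmd=...<cr>.
"""
from datetime import datetime

# Constructed sample accounting records for one switch (not real logs).
ACCT_LOG = (
    "Mon Jun 25 12:05:31 2007\t10.132.17.66\tuser1\ttty1\t10.1.1.5\tstop\t"
    "task_id=41\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Mon Jun 25 12:40:02 2007\t10.132.17.66\tuser2\ttty2\t10.1.1.6\tstop\t"
    "task_id=57\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Mon Jun 25 12:40:11 2007\t10.132.17.66\tuser2\ttty2\t10.1.1.6\tstop\t"
    "task_id=58\tservice=shell\tpriv-lvl=15\tcmd=no ip http server <cr>\n"
    "Mon Jun 25 12:41:00 2007\t10.132.17.66\tuser2\ttty2\t10.1.1.6\tstop\t"
    "task_id=59\tservice=shell\tpriv-lvl=15\tcmd=write memory <cr>\n"
    "Mon Jun 25 12:55:44 2007\t10.132.17.66\tuser3\ttty3\t10.1.1.7\tstop\t"
    "task_id=63\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Mon Jun 25 12:55:50 2007\t10.132.17.66\tuser3\ttty3\t10.1.1.7\tstop\t"
    "task_id=64\tservice=shell\tpriv-lvl=15\tcmd=interface Vlan10 <cr>\n"
    "Mon Jun 25 12:55:58 2007\t10.132.17.66\tuser3\ttty3\t10.1.1.7\tstop\t"
    "task_id=65\tservice=shell\tpriv-lvl=15\tcmd=shutdown <cr>\n"
    "Mon Jun 25 12:56:10 2007\t10.132.17.66\tuser3\ttty3\t10.1.1.7\tstop\t"
    "task_id=66\tservice=shell\tpriv-lvl=15\tcmd=no shutdown <cr>\n"
    "Mon Jun 25 14:02:17 2007\t10.132.17.66\tuser1\ttty1\t10.1.1.5\tstop\t"
    "task_id=70\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
)

# Constructed collection window: the previous rancid run and the one that mailed
# the diff. Anything accounted between the two is a candidate for the change.
NAS = "10.132.17.66"
WINDOW_START = datetime(2007, 6, 25, 12, 0, 0)
WINDOW_END = datetime(2007, 6, 25, 13, 0, 0)

# First words of commands that never alter the running configuration.
NON_CHANGE_COMMANDS = {"show", "dir", "ping", "traceroute", "terminal",
                       "configure", "exit", "end"}


def parse_record(line):
    """One accounting line -> dict, or None if it is not in the assumed layout."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    try:
        # ctime-style stamp; strptime tolerates the double space of " 5".
        when = datetime.strptime(fields[0], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    attrs = {}
    for kv in fields[6:]:
        key, _, value = kv.partition("=")
        attrs[key] = value
    cmd = attrs.get("cmd", "")
    if cmd.endswith("<cr>"):
        cmd = cmd[:-len("<cr>")]
    return {"time": when, "nas": fields[1], "user": fields[2],
            "status": fields[5], "cmd": cmd.strip()}


def is_change(cmd):
    """True for any command whose first word is not a known read-only/mode word."""
    return bool(cmd) and cmd.split(" ", 1)[0] not in NON_CHANGE_COMMANDS


def changes_in_window(log_text, nas, start, end):
    """user -> [(time, cmd), ...] for changing commands on `nas` within [start, end]."""
    by_user = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["nas"] != nas or rec["status"] != "stop":
            continue
        if not (start <= rec["time"] <= end) or not is_change(rec["cmd"]):
            continue
        by_user.setdefault(rec["user"], []).append((rec["time"], rec["cmd"]))
    return by_user


def candidate_users(log_text, nas, start, end):
    """Everyone who changed something in the window. More than one name means
    timing alone cannot pin the diff on a single person."""
    return sorted(changes_in_window(log_text, nas, start, end))


def attribute_diff_line(log_text, nas, start, end, diff_line):
    """Users who ran exactly the command a '+' diff line shows, in the window.

    A '-' line is the *old* text; the command that removed it is normally its
    'no ...' form or something else entirely, so only '+' lines are looked up.
    """
    if not diff_line.startswith("+"):
        return []
    wanted = diff_line[1:].strip()
    by_user = changes_in_window(log_text, nas, start, end)
    return sorted(u for u, cmds in by_user.items() if any(c == wanted for _, c in cmds))


if __name__ == "__main__":
    print("candidates:", candidate_users(ACCT_LOG, NAS, WINDOW_START, WINDOW_END))
    print("+ no ip http server ->",
          attribute_diff_line(ACCT_LOG, NAS, WINDOW_START, WINDOW_END, "+ no ip http server"))
```

In the constructed log, user2 ran `no ip http server` and user3 ran `shutdown` / `no shutdown` on an interface inside the same window, so the candidate list has two names: that is exactly the "approximate" john describes, and the accounting record is what settles it. user3's change also never reaches the diff, since it was undone before the next collection, which is Jeff's point about changes made and unmade between runs.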
Jeffrey C. Ollie
2007-06-25 18:22:11 UTC
Permalink
Post by john heasley
The others are correct, there is no attribution and no way to be certain of
it without tacacs (or radius?) login and command accounting.
Command accounting is not available with RADIUS (on Cisco at least).

Jeff
Jayaraj, Chandrasekaran
2007-06-26 05:01:20 UTC
Permalink
Hi All,

Thanks for all your inputs. It was an eye opener for me. I will have to
make this work with the current Cisco TACACS configuration that I have.

But still I see a good amount of information using the GUI on what has
changed.

By the way, can anyone tell me what these lines mean (sample of my diff
output)?

Index: configs/10.132.17.66
===================================================================
retrieving revision 1.7
diff -U4 -r1.7 10.132.17.66
@@ -498,9 +498,9 @@ - I don't understand what this line means
no ip address - Also it always shows these 3 lines.
no ip route-cache
shutdown
!
- ip http server
+ no ip http server
!
ip access-list extended Core_marking_AF12_Admin
permit tcp any any eq smtp
permit tcp any eq smtp any
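Review bot: the `@@ -498,9 +498,9 @@` header is bookkeeping, not part of the change: it says this hunk covers nine lines starting at line 498 of revision 1.7 and nine lines starting at line 498 of the new file, and equal counts mean one line was replaced rather than inserted or deleted. The three lines `no ip address`, `no ip route-cache`, `shutdown` and the `!` after them are the four lines of unchanged context that `diff -U4` prints before every change (the `!`, the `ip access-list` line and the two `permit` lines are the four after it); they belong to whatever interface stanza happens to precede the change and show up only because they are adjacent. The only real change is `- ip http server` replaced by `+ no ip http server`, i.e. the switch's HTTP management server was disabled, which is a sensible hardening step; confirm it was intended and that no management tooling still expects HTTP access to this device.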

While actually what I changed on the switch was the lines after the +
sign.

Anyone have a document on how to understand this output? (I am aware
of cvsweb and it's cool, but I would like to explain this
thing to my managers, who will see this email stuff only.)

warm regards,
-----------------------------------------------------------------------------
Chandrasekaran J

-----------------------------------------------------------------------------
Justin Shore
2007-06-26 11:59:27 UTC
Permalink
The output is pretty basic. The first couple of lines are CVS output
lines that pertain to the filename in the repository and what revisions
are being diffed to generate the overall output. I'm not exactly sure
what the next line is (I'm not a CVS buff), but it's essentially telling
you what line in the file the snippet of diff output came from, or
something along those lines. You can just ignore those lines. The real
meat of the diff is the +/- lines. As you can tell, "ip http server" was
removed from the file (note the "-") and "no ip http server" was added
to the config (note the "+"). Everything else around the +/- lines is
there for context, essentially, so you can see in the file where the
changes have been made. Try adding a 20-line ACL and rerun rancid-run.
Then make a few changes in the middle of the ACL. You'll see how it
works pretty quickly. It will be evident once you start using it.

Justin
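To go with Justin's explanation, an added example (my code, not RANCID's) that parses the kind of `diff -U4` output rancid-run mails and turns it into the plain summary a manager can read: which file and revision, which lines of the old and new config the hunk covers, what was removed and what was added. The hunk header `@@ -498,9 +498,9 @@` reads "nine lines starting at line 498 of the old revision, nine lines starting at line 498 of the new one"; because `-U4` prints four lines of unchanged context on each side, a one-line change comes out as 4 + 1 + 4 = 9 lines, and the parser checks that arithmetic so a truncated mail is noticed. The sample is reconstructed from the diff quoted in the thread with the leading space that unified diff puts before context lines (mailers often strip it); the function names are mine.

```python
"""Parse the CVS unified diff that RANCID mails and summarize it in plain words.

Added example, not RANCID code. Expects what rancid-run mails for each device:
an 'Index:' line, a separator, 'retrieving revision N', the diff command line,
then @@ hunks whose body lines start with ' ' (context), '-' (old) or '+' (new).
"""
import re

# Reconstructed from the diff quoted in the thread, with the leading space that
# unified diff puts in front of context lines (the mail had lost it).
SAMPLE_DIFF = """\
Index: configs/10.132.17.66
===================================================================
retrieving revision 1.7
diff -U4 -r1.7 10.132.17.66
@@ -498,9 +498,9 @@
  no ip address
  no ip route-cache
  shutdown
 !
- ip http server
+ no ip http server
 !
 ip access-list extended Core_marking_AF12_Admin
  permit tcp any any eq smtp
  permit tcp any eq smtp any
"""

# "@@ -old_start[,old_len] +new_start[,new_len] @@"; a missing length means 1.
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_unified_diff(text):
    """Return a list of {'file', 'old_rev', 'hunks'}, one per 'Index:' section."""
    files, current, hunk = [], None, None
    for line in text.splitlines():
        if line.startswith("Index: "):
            current = {"file": line[len("Index: "):].strip(),
                       "old_rev": None, "hunks": []}
            files.append(current)
            hunk = None
            continue
        if current is None:
            continue  # mail preamble before the first Index: line
        m = HUNK_RE.match(line)
        if m:
            old_start, old_len, new_start, new_len = (
                int(g) if g is not None else 1 for g in m.groups())
            hunk = {"old_start": old_start, "old_len": old_len,
                    "new_start": new_start, "new_len": new_len,
                    "context": [], "removed": [], "added": []}
            current["hunks"].append(hunk)
        elif hunk is None:
            # Header area: separator, 'retrieving revision', the diff command.
            if line.startswith("retrieving revision "):
                current["old_rev"] = line.split()[-1]
        elif line.startswith("+"):
            hunk["added"].append(line[1:])
        elif line.startswith("-"):
            hunk["removed"].append(line[1:])
        elif line.startswith("\\"):
            continue  # "\ No newline at end of file" marker, not content
        else:
            # Context: ' ' prefix, or '' when a mailer stripped trailing blanks.
            hunk["context"].append(line[1:])
    return files


def hunk_is_consistent(hunk):
    """Body must match the header: old = context + removed, new = context + added."""
    ctx = len(hunk["context"])
    return (ctx + len(hunk["removed"]) == hunk["old_len"]
            and ctx + len(hunk["added"]) == hunk["new_len"])


def summarize(diff):
    """Plain-language summary of one file's hunks with old/new line ranges."""
    out = []
    for h in diff["hunks"]:
        old_end = h["old_start"] + h["old_len"] - 1
        new_end = h["new_start"] + h["new_len"] - 1
        out.append(f"{diff['file']}: revision {diff['old_rev']} lines "
                   f"{h['old_start']}-{old_end} became lines {h['new_start']}-{new_end}")
        for line in h["removed"]:
            out.append(f"  removed: {line.strip()}")
        for line in h["added"]:
            out.append(f"  added:   {line.strip()}")
        if not hunk_is_consistent(h):
            out.append("  warning: hunk body does not match its @@ counts (truncated mail?)")
    return "\n".join(out)


if __name__ == "__main__":
    for diff in parse_unified_diff(SAMPLE_DIFF):
        print(summarize(diff))
```

For the thread's diff this prints one removed line and one added line under a header naming lines 498-506 of both revisions; everything else in the hunk is context and is deliberately left out of the summary, which is the view a manager who only sees the mail needs.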
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss