[rancid] Who made changes?
Paul Buts
2009-03-31 17:16:43 UTC
Hi all,

I installed Rancid in combination with FreeBSD CVSWeb on a Debian server.
Everything is working, great!

There is only one thing I want to know: is it possible to show who made the
changes in telnet? At this moment the webpage is telling me that the unix
user (who ran Rancid) has made the changes. For example, I have several
telnet accounts: one for Paul and one for Peter. If Paul made one change,
and Peter made two changes, I want the webpage to tell me exactly
who made a change.

Any hints or keywords would be really appreciated. Thanks!

Cheers,
Paul
Chris Gauthier
2009-03-31 18:06:59 UTC
Paul,

That would be a fantastic feature. However, it is not possible to
capture that specific information in most cases. In my network, for
example, I run rancid every 15 minutes to capture changes. All it does
is capture what changed. There is no specific mechanism to see who made
the changes. That capability varies by vendor, operating system, and
hardware platform. In other words, my Cisco 3845 can give me that
information, but only with certain IOS versions. My Cisco 2950 cannot
give me that information at all. Juniper routers can roll back
committed configuration changes and have very detailed logging, but may
not be able to easily tell you who did it. A Cisco 6509 may or may not
report who made changes, depending on IOS version.

In short, too many variables.

Chris Gauthier, CCNA
Network Administrator
MaPS Credit Union
PO Box 12398
Salem, OR 97309-0398
http://www.mapscu.com
V: 503.375.2445
F: 503.779.1083
john heasley
2009-03-31 18:13:15 UTC
Tue, Mar 31, 2009 at 07:16:43PM +0200, Paul Buts:
> Hi all,
>
> I installed Rancid in combination with FreeBSD CVSWeb on a Debian server.
> Everything is working, great!
>
> There is only one thing I want to know: is it possible to show who made the
> changes in telnet? At this moment the webpage is telling me that the unix
> user (who ran Rancid) has made the changes. For example, I have several
> telnet accounts: one for Paul and one for Peter. If Paul made one change,
> and Peter made two changes, I want the webpage to tell me exactly
> who made a change.

correlated changes to AAA command accounting records, the only reliable way.
Smirnoff Alexander
2009-04-01 06:33:23 UTC
I am thinking about AAA for this question; maybe somebody has a working
scheme for this correlation?
john heasley
2009-04-01 18:11:47 UTC
Wed, Apr 01, 2009 at 10:33:23AM +0400, Smirnoff Alexander:
> I am think about AAA for this question, and may be anybody have working
> scheme of this correlation?

AAA command accounting logs the commands the user enters and the AAA server
can save those with the username and a timestamp. Those logs can be
correlated with rancid diffs by the timestamp (cvs diff -D), though
multiple changes may occur between diffs and only the end result will be
caught.

It'd seem that command accounting alone, or just exec start/stop accounting,
would be sufficient to point fingers.
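A worked version of the correlation John describes, added here as an example; it is not code from anyone in this thread or from the rancid project. The accounting line layout, the device address, the user names and the two snapshot times are constructed for the example: the regex approximates a tac_plus-style accounting file and must be adjusted to the real format. It ignores the collector's own login (assumed to be a user named rancid, which only reads config), groups the commands run between the two snapshot times that cvs diff -D would compare by user, and names the last user, which is all a diff by itself can tell you.

```python
import re
from datetime import datetime

# Constructed sample in a tac_plus-style accounting layout (an assumption about
# the format; real files differ by server and config, so adjust ACCT_RE):
# <timestamp> <device> <user> <tty> <client ip> <start|stop> <attr=value ...> cmd=<command> <cr>
ACCOUNTING_LOG = """\
Mar 31 12:02:11 10.0.0.1 paul tty2 192.168.1.5 stop task_id=17 service=shell cmd=configure terminal <cr>
Mar 31 12:02:40 10.0.0.1 paul tty2 192.168.1.5 stop task_id=18 service=shell cmd=interface Vlan10 <cr>
Mar 31 16:10:03 10.0.0.1 peter tty3 192.168.1.9 stop task_id=25 service=shell cmd=ip route 10.2.0.0 255.255.0.0 10.0.0.254 <cr>
Mar 31 16:11:30 10.0.0.1 peter tty3 192.168.1.9 stop task_id=26 service=shell cmd=write memory <cr>
Mar 31 19:00:00 10.0.0.1 rancid tty4 10.0.0.50 stop task_id=30 service=shell cmd=show running-config <cr>
"""

ACCT_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) (?P<user>\S+) "
    r"\S+ \S+ (?P<event>start|stop) .*?cmd=(?P<cmd>.*?)(?: <cr>)?$"
)


def parse_accounting(text, year):
    """Return (time, device, user, command) tuples for the 'stop' records.

    Syslog-style timestamps carry no year, so the caller supplies it."""
    records = []
    for line in text.splitlines():
        m = ACCT_RE.match(line)
        if not m or m.group("event") != "stop":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        records.append((ts, m.group("device"), m.group("user"), m.group("cmd").strip()))
    return records


def attribute_window(records, device, start, end, ignore_users=("rancid",)):
    """Commands run on `device` in (start, end], grouped by user in time order.

    start/end are the two snapshot times rancid's diff compares (ISO strings or
    datetimes). The collector's own login (assumed user "rancid") is ignored.
    Returns (commands_by_user, last_user): last_user is who the diff alone would
    be blamed on; the other users are the ones the diff hides."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    if isinstance(end, str):
        end = datetime.fromisoformat(end)
    hits = [(ts, user, cmd) for ts, dev, user, cmd in sorted(records)
            if dev == device and user not in ignore_users and start < ts <= end]
    by_user = {}
    for _, user, cmd in hits:
        by_user.setdefault(user, []).append(cmd)
    return by_user, (hits[-1][1] if hits else None)


def report(by_user, last_user):
    """Human-readable summary that could be appended to the rancid diff mail."""
    lines = [f"{user}: {len(cmds)} command(s): {'; '.join(cmds)}"
             for user, cmds in by_user.items()]
    lines.append(f"last change by: {last_user}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_accounting(ACCOUNTING_LOG, 2009)
    # Previous snapshot at 06:00, the run that produced the diff at 18:00 (constructed).
    by_user, last = attribute_window(recs, "10.0.0.1",
                                     "2009-03-31T06:00:00", "2009-03-31T18:00:00")
    print(report(by_user, last))
```

Run against the sample, the 06:00 to 18:00 window attributes two commands to paul and two to peter and names peter as the last to change anything; the 18:00 to 20:00 window is empty because only the collector was active.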
Daniel Medina
2009-04-01 19:05:33 UTC
On Tue, Mar 31, 2009 at 06:13:15PM +0000, john heasley wrote:
> correlated changes to AAA command accounting records, the only reliable way.

I'll add one more idea to this: proxy requests through a wrapper with authentication.

Even if you have kit that doesn't support / use AAA, force changes to go through a wrapper which logs access and keystrokes.

clogin provides a good starting point for this :)

--
Daniel Medina
Todd Heide
2009-03-31 19:26:12 UTC
You would need an AAA server with authentication and accounting set up to
capture who did what and when. Cisco makes the ACS, which is very good at
AAA but also expensive; an alternative is a Unix-based TACACS program
that also does accounting. There is one I have used in the past before
implementing a full ACS; it is called tac_plus with Web_UI. You can find
it here: http://www.networkforums.net/ It has a built-in web front end to
administer the accounts and logs. It uses MySQL. With this you can
search the logs to see who made changes that correlate to the Rancid
changes.

Thanks

Todd
K K
2009-03-31 18:07:47 UTC
2009/3/31 Paul Buts <***@paulbuts.nl>:
> There is only one thing I want to know: is it possible to show who made the
> changes in telnet? At this moment the webpage is telling me that the unix
> user (who ran Rancid) has made the changes. For example, I have several
> telnet accounts: one for Paul and one for Peter. If Paul made one change,
> and Peter made two changes, I want the webpage to tell me exactly
> who made a change.
>
> Any hints or keywords would be really appreciated. Thanks!

If Paul makes one change at noon, then Peter logs in at 4PM and makes
two more, and then Rancid finally runs at 6PM, you'll get one change
email, showing the sum of all changes and (usually) showing that Peter
was the last one to make a change.

One workaround to this is to enable SNMP traps and/or syslog on each
device, and tie your trapper/syslogger into your rancid server.

I have mine configured such that syslog-ng writes all events related
to Cisco configuration changes to a directory change-events, into
files named for the source device and hour of the day. Then each hour
a cron job executes, reads the list of these files, and runs Rancid
against the specific devices found. At the end of the script, it
deletes any file in change-events older than 20 hours.

This still won't catch every change by every user. For that, at least
on Cisco, you can enable per-command logging.
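The syslog-ng / cron scheme above, reimplemented in Python as an added example; this is not K K's script and not code from the rancid project. The syslog lines, device names and the 20-hour retention are constructed for the example, the marker directory is created under a temporary path, and the invocation rancid-run -r <device> <group> is an assumption (the -r option runs rancid for a single device in rancid 2.3.x; check your version). In a live setup syslog-ng would hand matching lines to record_event (for instance via a program() destination) and the hourly cron job would call pending_devices, run the commands, then prune.

```python
import os
import re
import tempfile
import time
from datetime import datetime

# Cisco IOS "config changed" message as received by the syslog server.
CONFIG_I_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) .*%SYS-5-CONFIG_I: "
    r"Configured from \S+ by (?P<user>\S+)"
)

# Constructed sample: three config changes on two devices plus one unrelated line.
SAMPLE_SYSLOG = """\
Mar 31 12:03:00 rtr1 45: Mar 31 12:03:00.101: %SYS-5-CONFIG_I: Configured from console by paul on vty0 (192.168.1.5)
Mar 31 16:12:00 rtr1 46: Mar 31 16:12:00.410: %SYS-5-CONFIG_I: Configured from console by peter on vty1 (192.168.1.9)
Mar 31 16:15:00 sw2 9: Mar 31 16:15:00.002: %SYS-5-CONFIG_I: Configured from console by peter on vty0 (192.168.1.9)
Mar 31 16:20:00 rtr1 47: Mar 31 16:20:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""


def record_event(line, events_dir, year):
    """Append one config-change event to <events_dir>/<device>-<hour>.

    Returns the marker path, or None when the line is not a config change."""
    m = CONFIG_I_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    path = os.path.join(events_dir, f"{m.group('device')}-{ts:%H}")
    with open(path, "a") as fh:
        fh.write(f"{ts.isoformat()} {m.group('user')}\n")
    return path


def pending_devices(events_dir):
    """Devices with at least one marker file, i.e. the ones rancid should poll now."""
    devices = {name.rsplit("-", 1)[0] for name in os.listdir(events_dir)}
    return sorted(devices)


def rancid_commands(devices, group):
    """Command lines the cron job would execute. `rancid-run -r <device> <group>`
    is an assumed invocation (-r selects a single device in rancid 2.3.x)."""
    return [["rancid-run", "-r", dev, group] for dev in devices]


def prune(events_dir, max_age_hours=20):
    """Delete markers whose mtime is older than max_age_hours; returns names removed."""
    cutoff = time.time() - max_age_hours * 3600
    removed = []
    for name in sorted(os.listdir(events_dir)):
        path = os.path.join(events_dir, name)
        if os.path.getmtime(path) < cutoff:
            os.remove(path)
            removed.append(name)
    return removed


def demo(year=2009):
    """Run one full cycle (collect, list, build commands, prune) on the sample."""
    events_dir = tempfile.mkdtemp(prefix="change-events-")
    for line in SAMPLE_SYSLOG.splitlines():
        record_event(line, events_dir, year)
    # Pretend the noon marker was written 25 hours ago so pruning has work to do.
    old = time.time() - 25 * 3600
    os.utime(os.path.join(events_dir, "rtr1-12"), (old, old))
    devices = pending_devices(events_dir)
    commands = rancid_commands(devices, "routers")
    removed = prune(events_dir)
    remaining = sorted(os.listdir(events_dir))
    return {"devices": devices, "commands": commands,
            "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Naming the markers by device and hour, as K K does, collapses any number of changes within an hour into one rancid run per device, and the mtime-based prune keeps a device that was touched again within the retention window from being dropped.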
Sam Munzani
2009-04-01 20:41:09 UTC
K K wrote:
> 2009/3/31 Paul Buts <***@paulbuts.nl>:
>
>> There is only one thing I want to know: is it possible to show who made the
>> changes in telnet? At this moment the webpage is telling me that the unix
>> user (who ran Rancid) has made the changes. For example, I have several
>> telnet accounts: one for Paul and one for Peter. If Paul made one change,
>> and Peter made two changes, I want the webpage to tell me exactly
>> who made a change.
>>
>> Any hints or keywords would be really appreciated. Thanks!
>>
>
> If Paul makes one change at noon, then Peter logs in at 4PM and makes
> two more, and then Rancid finally runs at 6PM, you'll get one change
> email, showing the sum of all changes and (usually) showing that Peter
> was the last one to make a change.
>
> One workaround to this is to enable SNMP traps and/or syslog on each
> device, and tie you trapper/syslogger into your rancid server.
>
If the device you are dealing with is a Cisco router or switch, it
generates a trap when you do write mem. Set an action script for that
OID that triggers rancid. At home I built a concept setup where I do
this: configure net-snmp's snmptrapd.conf so that for OID X it triggers
rancid-run. This will ensure you are 100% up to date on the backup. I
don't have access to my box now, otherwise I could send you a sample
snmptrapd.conf.

Thanks,
sam
Åge Olai Johnsen
2009-04-02 14:55:04 UTC
On 31 March 2009 at 20:07, K K wrote:

> 2009/3/31 Paul Buts <***@paulbuts.nl>:
>>
>> Any hints or keywords would be really appreciated. Thanks!
>
>
> I have mine configured such that syslog-ng writes all events related
> to Cisco configuration changes to a directory change-events, into
> files named for the source device and hour of the day. Then each hour
> a cron job executes, reads the list of these files, and runs Rancid
> against the specific devices found. At the end of the script, it
> deletes any file in change-events older than 20 hours.
>
> This still won't catch every change by every user. For that, at least
> on Cisco, you can enable per-command logging.

Hi!
Do you have any URL pointing to a similar setup? Looks like a perfect
match for my rancid-configuration.

-Åge
Geert Jan de Groot
2009-04-01 21:42:11 UTC
On Tue, 31 Mar 2009 13:07:47 -0500 K K wrote:
> > There is only one thing I want to know: is it possible to show who made the
> > changes in telnet?
> If Paul makes one change at noon, then Peter logs in at 4PM and makes
> two more, and then Rancid finally runs at 6PM, you'll get one change
> email, showing the sum of all changes and (usually) showing that Peter
> was the last one to make a change.

At the place where I hope to implement rancid (restrictions are
political, not technical, as usual), the network is set up
in such a way that operators do not have passwords of the devices
they manage. They log in (with their own password) in a subsystem
which, if allowed, will log in the operator automatically.

The advantage is that if persons leave the company, they don't know the
passwords and no passwords need to be changed.

Current line of thought is to have the logout event trigger a rancid run
on the device people just logged into.

Just another thought,

Geert Jan
Mahaffey, Brian
2009-04-01 22:00:53 UTC
We utilize Rancid to do backups 1 time per night. Our NOC is pretty
good at not changing configurations, but I understand the need. You can
modify the cron jobs to run every 1-5 minutes. We utilize Cisco ACS for
AAA and, with accounting enabled on the switch/router/firewall etc., see
every command in the reporting in ACS. We also configure archive
configuration logging, which sends the commands typed to a syslog and log
buffer, so that if you have to troubleshoot you can go step by step
back to fix the problem. As for passwords, we utilize user accounts and
as they leave we disable their user account, depending on the type of
device.

Example Cisco config for syslog:

archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
 path disk0:/backup.cfg
 maximum 14
!
logging 10.10.10.10
!

(I think the "maximum 14" line triggers a backup on the configuration
change or a wr mem to the disk0:/backup.cfg)

show log
000282: Mar 13 11:07:06.621 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Brian logged command:vlan 551
000283: Mar 13 11:07:09.853 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:Rod logged command:name B6-EAC
000284: Mar 13 11:07:11.505 PDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:exit

The same thing populates our syslog server.

Not sure if this will help you.
john heasley
2009-04-01 22:05:06 UTC
Wed, Apr 01, 2009 at 11:42:11PM +0200, Geert Jan de Groot:
> On Tue, 31 Mar 2009 13:07:47 -0500 K K wrote:
> > > There is only one thing I want to know: is it possible to show who made the
> > > changes in telnet?
> > If Paul makes one change at noon, then Peter logs in at 4PM and makes
> > two more, and then Rancid finally runs at 6PM, you'll get one change
> > email, showing the sum of all changes and (usually) showing that Peter
> > was the last one to make a change.
>
> At the place where I hope to implement rancid (restrictions are
> political, not technical, as usual), the network is set up
> in such a way that operators do not have passwords of the devices
> they manage. They log in (with their own password) in a subsystem
> which, if allowed, will log in the operator automatically.
>
> Advantage is that if persons leave the company, they don't know passwords
> and no passwords need to be changed.

you can do that, at least for ciscos, with AAA and automate the change of
the in-configuration/failsafe passwords, since the "in-config" passwords
are only used when the AAA server is inaccessible.

> Current line of thought is to have the logout event trigger a rancid run
> on the device people just logged into.

folks have done that; I think I mentioned it in the FAQ
Kristian Larsson
2009-07-23 19:13:28 UTC
On Wed, Apr 01, 2009 at 10:05:06PM +0000, john heasley wrote:
> Wed, Apr 01, 2009 at 11:42:11PM +0200, Geert Jan de Groot:
> > On Tue, 31 Mar 2009 13:07:47 -0500 K K wrote:
> > > > There is only one thing I want to know: is it possible to show who made the
> > > > changes in telnet?
> > > If Paul makes one change at noon, then Peter logs in at 4PM and makes
> > > two more, and then Rancid finally runs at 6PM, you'll get one change
> > > email, showing the sum of all changes and (usually) showing that Peter
> > > was the last one to make a change.
> >
> > At the place where I hope to implement rancid (restrictions are
> > political, not technical, as usual), the network is set up
> > in such a way that operators do not have passwords of the devices
> > they manage. They log in (with their own password) in a subsystem
> > which, if allowed, will log in the operator automatically.
> >
> > Advantage is that if persons leave the company, they don't know passwords
> > and no passwords need to be changed.
>
> you can do that, at least for ciscos, with AAA and automate the change of
> the in-configuration/failsafe passwords, since the "in-config" passwords
> are only used when the AAA server is inaccessible.
>
> > Current line of thought is to have the logout event trigger a rancid run
> > on the device people just logged into.
>
> folks have done that; I think I mentioned it in the FAQ

Just a heads-up: your rancid user will log in too,
and then log out, so be sure not to trigger the
config fetch when the rancid user logs out ;)

A lot of platforms instead have something to tell
when the device was configured: IOS has
"Configured from console by ...", JUNOS has a
syslog message for when the configuration was
committed, and the same goes for IOS XR. I've built
a system where we use that syslog message to
trigger a config fetch and we thus get very
granular configuration backups / diff mails.

//Kristian

--
Kristian Larsson KLL-RIPE
+46 704 910401 ***@spritelink.net
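An added example, not Kristian's system and not rancid code, showing the two trigger styles from this subthread side by side: the per-platform "configuration committed" syslog messages Kristian lists for IOS, JUNOS and IOS XR, and Geert Jan's logout-triggered fetch with the guard Kristian asks for, so that the collector's own logout never starts the next fetch. The syslog lines, host names and the collector user name rancid are constructed; the message texts follow the standard IOS %SYS-5-CONFIG_I and %SYS-6-LOGOUT, JUNOS UI_COMMIT and IOS XR %MGBL-CONFIG-6-DB_COMMIT formats, and the regexes should be checked against the exact wording of your own platform versions.

```python
import re
from collections import namedtuple

Trigger = namedtuple("Trigger", "device platform reason user")

# Constructed syslog lines: an IOS box, a JUNOS box, an IOS XR box, and the
# collector's own session logging out of the IOS box.
SAMPLE_SYSLOG = """\
Apr  1 09:00:01 rtr1 51: %SYS-5-CONFIG_I: Configured from console by paul on vty0 (192.168.1.5)
Apr  1 09:01:30 rtr1 52: %SYS-6-LOGOUT: User paul has exited tty session 2(192.168.1.5)
Apr  1 09:05:12 mx1 mgd[1234]: UI_COMMIT: User 'peter' requested 'commit' operation (comment: none)
Apr  1 09:07:45 xr1 config[65839]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'peter'. Use 'show configuration commit changes 1000000123' to view the changes.
Apr  1 09:10:00 rtr1 53: %SYS-6-LOGOUT: User rancid has exited tty session 3(10.0.0.50)
Apr  1 09:11:00 rtr1 54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
"""

# The syslog host field identifies the device.
HOST_RE = re.compile(r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<device>\S+) ")

# (platform, reason, pattern): the per-platform "configuration changed" messages
# plus the IOS logout message used by the logout-triggered variant.
PATTERNS = [
    ("ios", "config", re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)")),
    ("ios", "logout", re.compile(r"%SYS-6-LOGOUT: User (?P<user>\S+) has exited")),
    ("junos", "commit", re.compile(r"UI_COMMIT: User '(?P<user>[^']+)' requested 'commit'")),
    ("iosxr", "commit", re.compile(
        r"%MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user '(?P<user>[^']+)'")),
]


def classify(line):
    """Map one syslog line to a Trigger, or None if it is not a change/logout message."""
    host = HOST_RE.match(line)
    if not host:
        return None
    for platform, reason, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return Trigger(host.group("device"), platform, reason, m.group("user"))
    return None


def triggers(lines, collector_user="rancid", logout_triggers=False):
    """Events that should start a config fetch.

    Anything done by collector_user is dropped: with logout-triggered fetches the
    collector's own logout would otherwise start the next fetch, and so on forever.
    Logout events count only when logout_triggers is set; the commit and
    config-changed messages always count."""
    out = []
    for line in lines:
        t = classify(line)
        if t is None or t.user == collector_user:
            continue
        if t.reason == "logout" and not logout_triggers:
            continue
        out.append(t)
    return out


def devices_to_fetch(lines, **kwargs):
    """Distinct devices, in first-seen order, to hand to the collector."""
    devices = []
    for t in triggers(lines, **kwargs):
        if t.device not in devices:
            devices.append(t.device)
    return devices


if __name__ == "__main__":
    for t in triggers(SAMPLE_SYSLOG.splitlines(), logout_triggers=True):
        print(t)
    print(devices_to_fetch(SAMPLE_SYSLOG.splitlines()))
```

With commit-message triggers only, the sample yields one fetch each for rtr1, mx1 and xr1; enabling logout triggers adds paul's logout but still ignores the rancid user's own session.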