[c-nsp] PIX/ASA Change Control

Justin Shore justin at justinshore.com
Fri Jun 26 01:17:40 EDT 2009


Like Ryan said, clogin takes care of it.  The only problem I've run into 
is with v8.2 of the ASA code.  Some nimrod programmer thought it would 
be a good idea to store config related to the new core dump option in 
v8.2 in a text file on the flash volume.  The programmer also decided to 
update this file every time 'sh run' is executed.  So every time RANCID 
would run against a v8.2 ASA it would execute 'sh run' (write term 
actually) which would cause the text file to be regenerated (though 
nothing in the file changed) with a new timestamp; then when RANCID 
extracted the contents of 'dir all' it would alert you that a timestamp 
had changed on a file on the flash volume.  Genius!  I worked with TAC 
to get that identified as a bug.  Earlier this week my TAC engineer 
posted an interim release that is supposed to fix the issue.  I haven't 
had a chance to apply it just yet.  If anyone wants the BugID so you can 
request the fixed image from TAC let me know; it hasn't been rolled into 
a publicly-accessible interim release yet.

Other than that RANCID is fantastic.  I unleash RANCID on my equipment 
once an hour.  In a way it's also like a TripWire check for my network 
devices.  If something changes that I know I didn't change then I have 
cause to investigate.  This actually led me to discover a compromised 
router about 3 years ago.  Someone set up a GRE tunnel out of a router 
I'd recently taken control over (but hadn't migrated AAA yet or hardened 
to my standards).  The tunnel hit a server in Korea.  They pointed 
several statics across the tunnel including some that covered Paypal and 
Amazon.  I'm assuming they were trying to steal credit card info.  I 
found the RANCID diff emails the next morning when I got to work and had 
the router cleaned up inside of an hour.  RANCID has been an absolute 
life saver for me several dozen times.

Justin


Ryan West wrote:
> It handles it fine.  This is basically all you have to do to get it working with ASA/PIXen:
> 
> add user customer-fw1             admin
> add password customer-fw1         mypassword    mypassword
> add autoenable customer-fw1       0
> add method customer-fw1           ssh telnet
> 
> We did a very minor tweak to allow NetScreens to be backed up and parsed as well and configured cvsweb to manage the diffs / revision control.
> 
> -ryan
> 
> -----Original Message-----
> From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk] 
> Sent: Thursday, June 25, 2009 12:39 PM
> To: Sigurbjörn Birkir Lárusson
> Cc: Ryan West; William; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX/ASA Change Control
> 
> hi,
> 
> regarding RANCID and Cisco ASAs - are there common
> scripts etc for logging/scraping such devices as there
> are for cisco (clogin), foundry (flogin) etc
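Justin's point above, that an hourly config diff doubles as a tripwire for the network gear as long as known noise (such as the flash-file timestamp churn he describes on 8.2) is filtered out, as an added Python example. This is not code from this thread or from RANCID: the two snapshots, the file-listing line format and the core-dump file name are constructed placeholders, and the pattern lists are the editor's choice of what a defender would want paged about (new tunnels, route changes, AAA and account edits).

```python
import difflib
import re

# Constructed IOS-style snapshots for this example; not output from any real
# device. Each snapshot imitates a collected file-listing line followed by the
# running config, the way a collector might concatenate them.
BASELINE = """\
!Flash: -rw- 20480 Jun 24 2009 02:00:00 coredump-info.txt
hostname edge-rtr
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.0.2.254
aaa authentication login default group tacacs+ local
"""

CURRENT = """\
!Flash: -rw- 20480 Jun 25 2009 02:00:00 coredump-info.txt
hostname edge-rtr
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
ip route 0.0.0.0 0.0.0.0 192.0.2.254
ip route 203.0.113.0 255.255.255.0 Tunnel0
aaa authentication login default local
"""

# Lines whose change alone carries no security meaning. "coredump-info.txt" is
# a placeholder name, not the real file behind the ASA bug the poster mentions.
NOISE = [
    re.compile(r"^!Flash: .*coredump-info\.txt$"),
]

# Changes worth an immediate look: new tunnel interfaces, routing changes,
# AAA, local accounts, SNMP and ACL edits (editor's list, extend as needed).
CRITICAL = [
    re.compile(r"^interface Tunnel"),
    re.compile(r"^ tunnel (source|destination) "),
    re.compile(r"^ip route "),
    re.compile(r"^aaa "),
    re.compile(r"^username "),
    re.compile(r"^snmp-server "),
    re.compile(r"^access-list "),
]


def diff_configs(baseline, current):
    """Return (sign, line) pairs for lines added ('+') or removed ('-')."""
    diff = list(difflib.unified_diff(baseline.splitlines(),
                                     current.splitlines(),
                                     lineterm="", n=0))
    changes = []
    # diff[0:2] are the ---/+++ headers (absent when nothing changed).
    for d in diff[2:]:
        if d.startswith("@@"):
            continue
        if d[0] in "+-":
            changes.append((d[0], d[1:]))
    return changes


def triage(baseline, current):
    """Bucket every changed line into critical, other or ignored."""
    buckets = {"critical": [], "other": [], "ignored": []}
    for sign, line in diff_configs(baseline, current):
        if any(p.search(line) for p in NOISE):
            buckets["ignored"].append((sign, line))
        elif any(p.search(line) for p in CRITICAL):
            buckets["critical"].append((sign, line))
        else:
            buckets["other"].append((sign, line))
    return buckets


def needs_investigation(baseline, current):
    """True when at least one critical line changed: what the hourly run pages on."""
    return bool(triage(baseline, current)["critical"])


if __name__ == "__main__":
    result = triage(BASELINE, CURRENT)
    for bucket in ("critical", "other", "ignored"):
        for sign, line in result[bucket]:
            print(f"[{bucket:8}] {sign}{line}")
    print("investigate:", needs_investigation(BASELINE, CURRENT))
```

Run against the constructed snapshots it flags the new Tunnel0 interface, its source and destination, the static route pointed across the tunnel and the AAA change, while the flash timestamp churn lands in the ignored bucket instead of raising an alert. The noise list is deliberately narrow: a timestamp change on an arbitrary flash file is still reported, because an unexpected new image or file on flash is exactly the sort of change worth a second look.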