[c-nsp] Rancid use without level 15 access?
Ryan West
rwest at zyedge.com
Fri Jul 6 12:15:00 EDT 2012
On Fri, Jul 06, 2012 at 12:06:54, Alan Buxey wrote:
> Subject: Re: [c-nsp] Rancid use without level 15 access?
>
> We use TACACS+ (shrubbery) to give the rancid user the rights to only
> the commands it needs. As for silently failing, you can e.g. run the
> login command and scripts manually (it was through checking those
> scripts we knew what commands to allow)
>
When RANCID can't access a device for some reason, you usually end up with silent failures. Failing on commands, from my experience, is pretty easy to find in $install_path/var/log.
The commands are all listed in the commandtable; in a Cisco environment, that would include bin/rancid and bin/nxrancid. Most devices are covered under bin/rancid.
# command sent to the device => name of the subroutine that parses its output
@commandtable = (
    {'show version' => 'ShowVersion'},
    {'show redundancy secondary' => 'ShowRedundancy'},
    {'show idprom backplane' => 'ShowIDprom'},
    {'show install active' => 'ShowInstallActive'},
    {'show env all' => 'ShowEnv'},
    {'show rsp chassis-info' => 'ShowRSP'},
    {'show gsr chassis' => 'ShowGSR'},
    {'show diag chassis-info' => 'ShowGSR'},
    {'show boot' => 'ShowBoot'},
    {'show bootvar' => 'ShowBoot'},
    {'show variables boot' => 'ShowBoot'},
    {'show flash' => 'ShowFlash'},
    {'dir /all nvram:' => 'DirSlotN'},
    {'dir /all bootflash:' => 'DirSlotN'},
    {'dir /all slot0:' => 'DirSlotN'},
    {'dir /all disk0:' => 'DirSlotN'},
    {'dir /all slot1:' => 'DirSlotN'},
    {'dir /all disk1:' => 'DirSlotN'},
    {'dir /all slot2:' => 'DirSlotN'},
    {'dir /all disk2:' => 'DirSlotN'},
    {'dir /all harddisk:' => 'DirSlotN'},
    {'dir /all harddiska:' => 'DirSlotN'},
    {'dir /all harddiskb:' => 'DirSlotN'},
    {'dir /all sup-bootdisk:' => 'DirSlotN'},      # 6500 sup32
    {'dir /all sup-bootflash:' => 'DirSlotN'},     # cat 6500-ios
    {'dir /all sup-microcode:' => 'DirSlotN'},     # cat 6500-ios
    {'dir /all slavenvram:' => 'DirSlotN'},
    {'dir /all slavebootflash:' => 'DirSlotN'},
    {'dir /all slaveslot0:' => 'DirSlotN'},
    {'dir /all slavedisk0:' => 'DirSlotN'},
    {'dir /all slaveslot1:' => 'DirSlotN'},
    {'dir /all slavedisk1:' => 'DirSlotN'},
    {'dir /all slaveslot2:' => 'DirSlotN'},
    {'dir /all slavedisk2:' => 'DirSlotN'},
    {'dir /all slavesup-bootflash:' => 'DirSlotN'}, # cat 7609
    {'dir /all sec-nvram:' => 'DirSlotN'},
    {'dir /all sec-bootflash:' => 'DirSlotN'},
    {'dir /all sec-slot0:' => 'DirSlotN'},
    {'dir /all sec-disk0:' => 'DirSlotN'},
    {'dir /all sec-slot1:' => 'DirSlotN'},
    {'dir /all sec-disk1:' => 'DirSlotN'},
    {'dir /all sec-slot2:' => 'DirSlotN'},
    {'dir /all sec-disk2:' => 'DirSlotN'},
    {'show controllers' => 'ShowContAll'},
    {'show controllers cbus' => 'ShowContCbus'},
    {'show diagbus' => 'ShowDiagbus'},
    {'show diag' => 'ShowDiag'},
    {'show capture' => 'ShowCapture'},             # ASA/PIX
    {'show module' => 'ShowModule'},               # cat 6500-ios
    {'show spe version' => 'ShowSpeVersion'},
    {'show c7200' => 'ShowC7200'},
    {'show inventory raw' => 'ShowInventory'},
    {'show vtp status' => 'ShowVTP'},
    {'show vlan' => 'ShowVLAN'},
    {'show vlan-switch' => 'ShowVLAN'},
    {'show debug' => 'ShowDebug'},
    {'show cdp neighbor detail' => 'ShowCDPDetail'},
    {'show shun' => 'ShowShun'},                   # ASA/PIX
    {'more system:running-config' => 'WriteTerm'}, # ASA/PIX
    {'show running-config view full' => 'WriteTerm'}, # workaround for
    {'show running-config' => 'WriteTerm'},
    {'write term' => 'WriteTerm'},
);
-ryan
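The thread's approach (TACACS+ command authorization limited to what rancid actually sends) can be derived mechanically from the commandtable above. The script below is an added example, not code from the post or from the rancid project: it pulls the command strings out of a rancid device script and emits a tac_plus (shrubbery) user stanza that permits only those commands. It assumes the tac_plus `cmd = <verb> { permit <regex> }` syntax with the regex matched against the arguments after the verb, and it uses a constructed excerpt in the shape of bin/rancid as sample input instead of the real file; the clogin session commands it adds (`terminal length 0`, `terminal width 132`, `exit`) should be checked against the clogin you run.

```shell
#!/bin/sh
# Added example, not code from the post or from the rancid project.
# Turns the @commandtable of a rancid device script into a tac_plus
# (shrubbery) user stanza that permits exactly those commands.
# Assumptions (not stated in the thread): tac_plus "cmd = <verb> { permit <regex> }"
# syntax with the regex matched against the arguments that follow the verb,
# and the constructed excerpt below standing in for $install_path/bin/rancid.

# Print the command strings of a rancid script read on stdin: the quoted key
# of every entry between "@commandtable = (" and ");", tolerating the stray
# comma seen in entries such as {'show rsp chassis-info', => 'ShowRSP'}.
extract_commands() {
    sed -n '/^@commandtable = (/,/^);/p' |
    sed -n "s/^[[:space:]]*{'\([^']*\)'[[:space:]]*,*[[:space:]]*=>.*/\1/p"
}

# Session commands clogin sends on a Cisco login before the table is walked.
# Listed here as an assumption: check them against your installed clogin.
clogin_commands() {
    printf '%s\n' 'terminal length 0' 'terminal width 132' 'exit'
}

# Read commands on stdin, write a tac_plus user block on stdout: one
# "cmd = <verb>" stanza per verb, one permit per distinct argument string,
# and an explicit deny for anything else.  Only the start of the argument
# string is anchored, because IOS appends a "<cr>" argument to the command
# line it submits for authorization.
tacplus_stanza() {
    awk '
    {
        verb = $1; args = ""
        for (i = 2; i <= NF; i++) args = args (i > 2 ? " " : "") $i
        pat = (args == "") ? ".*" : "^" args
        if (!(verb in seen)) { seen[verb] = 1; order[++n] = verb }
        if (!((verb, pat) in dup)) { dup[verb, pat] = 1; pats[verb] = pats[verb] pat "\n" }
    }
    END {
        print "user = rancid {"
        print "    # placeholder login method; substitute your own"
        print "    login = file /etc/passwd"
        print "    service = exec {"
        print "        # show running-config needs level 15; the cmd blocks do the restricting"
        print "        priv-lvl = 15"
        print "    }"
        for (i = 1; i <= n; i++) {
            v = order[i]
            print "    cmd = " v " {"
            m = split(pats[v], a, "\n")
            for (j = 1; j <= m; j++) if (a[j] != "") print "        permit " a[j]
            print "        deny .*"
            print "    }"
        }
        print "}"
    }'
}

# Constructed excerpt in the shape of rancid's bin/rancid (sample input only).
sample_rancid_table() {
    cat <<'EOF'
@commandtable = (
    {'show version' => 'ShowVersion'},
    {'show rsp chassis-info', => 'ShowRSP'},
    {'dir /all nvram:' => 'DirSlotN'},
    {'dir /all bootflash:' => 'DirSlotN'},
    {'show running-config' => 'WriteTerm'},
    {'write term' => 'WriteTerm'},
);
EOF
}

# Against a real install, feed the actual script instead of the sample:
#   { clogin_commands; extract_commands < /usr/local/rancid/bin/rancid; } | tacplus_stanza
{ clogin_commands; sample_rancid_table | extract_commands; } | tacplus_stanza
```

Run it once per device script you use (bin/rancid, bin/nxrancid) and merge the cmd blocks, then pair the stanza with `aaa authorization commands 15 default group tacacs+` on the routers so the per-command decision is actually consulted. The generated permits are deliberately loose at the end of the argument string; if your tac_plus strips the trailing `<cr>` before matching, you can tighten them to `^...$`.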