[j-nsp] Supporting Audit Requirements in JUNOS

Eric Van Tol eric at atlantech.net
Wed Jul 23 09:50:18 EDT 2008


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Jose Madrid
> Sent: Wednesday, July 23, 2008 9:32 AM
> To: Stefan Fouant
> Cc: Juniper-Nsp
> Subject: Re: [j-nsp] Supporting Audit Requirements in JUNOS
>
> Going back to Christian's point, Rancid doesn't know who made the
> changes and if there are multiple changes between rancid run-times, it
> will pick up various changes and not just the one in particular.  I
> currently use a mixture of rancid and logs from devices to see who
> logged in at a time nearest when the change was picked up.  This is
> a less than ideal solution, but all we currently have.

Using a configuration management application like Solarwinds Cirrus to push the changes out might accomplish what you need.  You can make changes to the configuration on the server and add comments to the particular job.  In addition, if changes are made to a device that supports configuration change traps, you can configure Cirrus to listen for the trap and immediately download the configuration of the device, thereby picking up on those changes made in between scheduled downloads.

If you want to go the open-source route, I am sure that a similar type of change notification can be implemented with Rancid and net-snmp through the use of some scripting.

That said, if you find a way to force a 'commit comment', please let everyone know.  I'd be interested in this as well.

-evt
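
The Rancid plus net-snmp approach suggested above could look like the following snmptrapd `traphandle` script, which records the committing user from the Junos configuration-change trap and triggers an immediate `rancid-run -r` for that device only. This is an added example, not code from the original post or from the RANCID or net-snmp projects. It assumes snmptrapd has the Juniper MIBs loaded (so names such as `jnxCmCfgChange` appear symbolically), that the hostname snmptrapd reports matches the name in RANCID's router.db, and the device name and sample trap are constructed.

```python
#!/usr/bin/env python3
"""snmptrapd traphandle: on a Junos config-change trap, log who and re-run RANCID."""
import subprocess
import sys

CHANGE_TRAP = "jnxCmCfgChange"         # notification in JUNIPER-CFGMGMT-MIB
USER_VARBIND = "jnxCmCfgChgEventUser"  # varbind carrying the committing user
KNOWN_DEVICES = {"edge1.example.net"}  # constructed; mirror RANCID's router.db

# Constructed sample of what snmptrapd writes to a traphandle's stdin.
SAMPLE = """edge1.example.net
UDP: [192.0.2.1]:161->[192.0.2.10]:162
DISMAN-EVENT-MIB::sysUpTimeInstance 1:2:03:04.05
SNMPv2-MIB::snmpTrapOID.0 JUNIPER-CFGMGMT-MIB::jnxCmCfgChange
JUNIPER-CFGMGMT-MIB::jnxCmCfgChgEventUser.42 "jdoe"
"""


def parse_trap(text):
    """Parse traphandle stdin: hostname, transport line, then 'OID VALUE' lines."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 2:
        return None
    event = {"host": lines[0], "trap": None, "user": None}
    for line in lines[2:]:
        oid, _, value = line.partition(" ")
        value = value.strip().strip('"')
        if "snmpTrapOID" in oid:
            event["trap"] = value.split("::")[-1]
        elif USER_VARBIND in oid:
            event["user"] = value
    return event


def rancid_command(event, known=KNOWN_DEVICES):
    """Return the rancid-run argv for a change trap from a known device, else None."""
    if not event or event["trap"] != CHANGE_TRAP:
        return None
    # SNMPv1/v2c traps are unauthenticated: only act for devices we manage.
    if event["host"] not in known:
        return None
    return ["rancid-run", "-r", event["host"]]  # argv list, never a shell string


if __name__ == "__main__":
    event = parse_trap(sys.stdin.read())
    argv = rancid_command(event)
    if argv:
        print(f"config change on {event['host']} by {event['user']}", file=sys.stderr)
        subprocess.run(argv, check=False)
```

The user in the trap is whatever the device reports, so it complements the device's own login and commit logs for attribution.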

