[j-nsp] Supporting Audit Requirements in JUNOS

Kevin Oberman oberman at es.net
Wed Jul 23 14:41:49 EDT 2008


It makes reading the thread confusing!
Why not?
Please don't top post!

> Date: Wed, 23 Jul 2008 10:04:06 -0400
> From: "Stefan Fouant" <sfouant at gmail.com>
> Sender: juniper-nsp-bounces at puck.nether.net
> 
> Yep, we have RANCID, but that was precisely the problem - while I can
> certainly do a config diff and see the changes from baseline at audit
> time, it is impossible to see who made the changes and also which
> config change corresponds to which change request...
> 
> -- 
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> GPG Key ID: 0xB5E3803D
> 
> On Wed, Jul 23, 2008 at 9:32 AM, Jose Madrid <jmadrid2 at gmail.com> wrote:
> > Going back to Christian's point, Rancid doesn't know who made the
> > changes and if there are multiple changes between rancid run-times, it
> > will pick up various changes and not just the one in particular.  I
> > currently use a mixture of rancid and logs from devices to see who
> > logged in at a time nearest when the change was picked up.  This is
> > a less than ideal solution, but all we currently have.

I have modified rancid to record the name of the last committer (easy on
JunOS) and to run on demand (as well as periodically). That way a reason
for the commit as well as the committer can be logged.

N.B. It requires the person making the commit to issue a command on the
configuration management system after a commit. It's not automated. It
does send out "tickler" messages to all committers when it finds changes
that have not been logged and has a mode to log a reason for the missed
entry. 

A syslog monitor could trigger a note to the committer. I'll have to
think about doing that.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
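Kevin's idea of a syslog monitor that chases committers, as an added example that is not from this thread or from rancid: it parses JUNOS mgd UI_COMMIT lines (who committed, on which box, with what comment) and lists the commits whose comment carries no change-request reference, which is exactly the set a "tickler" would be sent for. The log lines are constructed to follow the UI_COMMIT message format; the CR-nnnn tag, hostnames, users and comments are assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what mgd logs on each commit. Hosts, users and
# comments are made up; the message layout follows UI_COMMIT.
SAMPLE_SYSLOG = """\
Jul 23 09:12:03 core1 mgd[4052]: UI_COMMIT: User 'jmadrid' requested 'commit' operation (comment: CR-4471 add peer 192.0.2.10)
Jul 23 09:12:05 core1 mgd[4052]: UI_COMMIT_COMPLETED: commit complete
Jul 23 10:04:06 core1 mgd[4052]: UI_COMMIT: User 'sfouant' requested 'commit' operation (comment: none)
Jul 23 11:30:41 edge2 mgd[2210]: UI_COMMIT: User 'oberman' requested 'commit' operation (comment: tidy descriptions)
"""

COMMIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s+mgd\[\d+\]:\s"
    r"UI_COMMIT: User '(?P<user>[^']+)' requested 'commit' operation"
    r"(?: \(comment: (?P<comment>.*)\))?$"
)
# Assumed local convention: change requests are cited as CR-<digits>.
CR_RE = re.compile(r"\bCR-\d+\b")

@dataclass
class Commit:
    ts: str
    host: str
    user: str
    comment: Optional[str]

    @property
    def change_request(self) -> Optional[str]:
        """The change-request id named in the commit comment, if any."""
        if not self.comment or self.comment == "none":
            return None
        m = CR_RE.search(self.comment)
        return m.group(0) if m else None

def parse_commits(syslog_text: str) -> List[Commit]:
    """Extract every UI_COMMIT event; completion and other lines are ignored."""
    commits = []
    for line in syslog_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commits.append(Commit(m["ts"], m["host"], m["user"], m["comment"]))
    return commits

def unlogged_commits(commits: List[Commit]) -> List[Commit]:
    """Commits with no change-request reference: the ones to send a tickler for."""
    return [c for c in commits if c.change_request is None]
```

Feeding the real syslog stream in place of SAMPLE_SYSLOG and mailing each entry of unlogged_commits() to its user gives the automated reminder the post describes.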