integration of security enhancement patch

Erik Wenzel erik at code.de
Mon Jan 5 10:20:40 UTC 2004


On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote:
[...] 
> Why wouldn't you just grant a similar AAA configuration entry for
> "show running-config" for privilege 2 (or whatever privilege level you
> assign this user)?
Did you ever try that? Because even if I grant access to "show
running-config", you will get an answer with some comments and nothing
else. Not a single configuration line. I tested that without enabling
"aaa new-model". So there is no alternative to using "show
startup-config".
 
> Changing RANCID to perform "show startup-config" instead of a running
> configuration is "a bad idea" (tm).  If an attacker were able to
> compromise your router and make changes to the configuration, RANCID
> in its current state will identify the changes and let you know about
> it.  If RANCID used "show startup-config" instead, you would be
> unaware of the changes until they were saved.  The running
> configuration is a better reflection of the state of the router.
Using RANCID to check if an attacker is compromising your routers is
only possible if only one person has write access. If you have
a colleague, you are not able to distinguish configuration changes coming
from your colleague from those coming from an attacker. So, using RANCID
for that purpose is one thing. On the other hand, there is the purpose of
having backups for disaster recovery, and for that I can't see a reason
to prefer one over the other. In a production environment I consider it
"a bad idea (TM)" to have a difference between both configurations.

> Also, consider the case when someone makes a change to the router and
> doesn't save the configuration changes.  Next time the router reboots,
> something breaks because the configuration change was lost.  With
> RANCID monitoring the running configuration file, it would alert you
> when the router came back online since the new running configuration
> reflects the previously saved startup config file.
So you blame "someone" for not saving the configuration. In that case,
you see the big drawback of not saving the running-config. You can't do
a simple reboot. That "is bad style (TM)", generally. That's an argument
for saving "startup-config".

-- 
erik at code.de

"I am not a Geek! I shower."
