Re: Subject : RE: ACL Monitoring
It's all done in CCR. It encrypts passwords (allowing you to have a few password groups, all WEB configurable), and uses passphrases + 3DES or public/private key encryption (or you can just enter login and password from the web). The idea is simple - operators have WEB access and know the passphrase, but they have no cisco logins except if they are granted direct cisco access, and they never have access on the server.

Another approach could be snmp, but it works on very few OS (IOS) only (does not work for PIX, for example).

But you are correct - CCR has all these things, such as crypt / openssl; sudo to get access to the passphrase file from the web cgi script, passphrase input for manual config downloads, webcvs for history analysis, etc etc.

Of course, tacacs+ accounting is necessary for full scale change monitoring. Unfortunately, even different Cisco devices have different accounting rules (and very different access rules, counting PIX as most useless from this point of view - you must grant full access for 95% of operators' tasks, even to monitor VPN associations -:)).

> > If you anticipate doing a lot of this kind of monitoring in the future you
> > may want to take a look at the "expect" programming language
> > http://expect.nist.gov/ , which has very simple "send"/"expect" constructs.
> > E.g. send "show acl 101/r" expect "access-list .." etc. Perl also allows
> > similar although is probably not quite as easy to pick up if you've never
> > done this kind of thing before.
> >
> > Essentially you'd write a quick script to telnet or ssh to the router "send"
> > your commands, expect a result and do something based on that result. As I
> > said, it's worth the time investment and you'll find once you get the script
> > done you can just reuse it for many other tasks.
>
> Kind of silly to state using an expect script or any other "script" for
> that matter considering the assumption that, it seems he is not trusting
> someone (as mentioned in another post), so I would take it that this
> script would run from where?
>
> Not only that, you would go through hell configuring encrypting the
> password on an expect script for the script to decrypt, then send. Now,
> not only that, but then what? How would you configure it to monitor
> something say in real time? You would likely have to use the diff and grep
> commands for parsing, and a whole bunch of other things to get it to just
> monitor a change, not a guarantee you will find out who changed it without
> some major scripting as opposed to using accounting ala TACACS+
>
> spawn ssh [EMAIL PROTECTED]
> expect "Password: "
> send "secret\r"
> expect "something"
> send "something\r"
> expect $RESPONSE_FROM_ROUTER
> spawn $WHAT_DO_YOU_SPAWN_TO_COPY_WHAT_YOU_SEE
>
> Expect would be worthless in my opinion. Why reinvent the "kick their
> asses to accounting mode" wheel.
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x0D99C05C
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C
>
> sil @ infiltrated . net http://www.infiltrated.net
>
> "How a man plays the game shows something of his
> character - how he loses shows all" - Mr. Luckey
Re: ACL Monitoring
Used in CCR, and adapted for Cisco IOS, Cisco CatOS, PIX OS, Cisco VPN 3000 OS. Really nice thing.

- Original Message -
From: "Glynn Stanton" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 12, 2005 3:39 PM
Subject: RE: ACL Monitoring

> If you anticipate doing a lot of this kind of monitoring in the future you
> may want to take a look at the "expect" programming language
> http://expect.nist.gov/ , which has very simple "send"/"expect" constructs.
> E.g. send "show acl 101/r" expect "access-list .." etc. Perl also allows
> similar although is probably not quite as easy to pick up if you've never
> done this kind of thing before.
>
> Essentially you'd write a quick script to telnet or ssh to the router "send"
> your commands, expect a result and do something based on that result. As I
> said, it's worth the time investment and you'll find once you get the script
> done you can just reuse it for many other tasks.
>
> The TACACS+ suggestion is also good.. Not only would it allow you to limit
> who (authentication) can do what (authorization).. The accounting features
> would also provide a log entry if an authorized user did do a no access-list
> 101.. You could then write a shell script to parse the accounting log.
>
> Cheers,
> Glynn
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim McBurnett
> Sent: Thursday, May 12, 2005 5:20 PM
> To: Paul Ryan; nanog@merit.edu
> Subject: RE: ACL Monitoring
>
> Paul,
> I think a better solution may be to implement TACACS+ and restrict rights on
> who can do that..
> Sounds like you don't trust someone.
> I'd try that first...
>
> Later,
> Jim
>
> -Original Message-
> From: Paul Ryan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 12, 2005 5:15 PM
> To: nanog@merit.edu
> Subject: ACL Monitoring
> Importance: High
>
> All - I am looking for a solution (open source, scripts) to allow me to
> monitor ACL's on Cisco routers. So if for example a line disappears from
> an ACL or the entire ACL is removed - I am alerted via pager/e-mail etc.
>
> regards,
>
> Paul R
Re: ACL Monitoring
Another is CCR (Cisco Configuration Repository), derived from here: snmpstat.sf.net

- Original Message -
From: "joshua sahala" <[EMAIL PROTECTED]>
To:
Sent: Thursday, May 12, 2005 2:16 PM
Subject: Re: ACL Monitoring

> On (12/05/05 17:14), Paul Ryan wrote:
> > All - I am looking for a solution (open source, scripts) to allow me to
> > monitor ACL's on Cisco routers. So if for example a line disappears from an
> > ACL or the entire ACL is removed - I am alerted via pager/e-mail etc.
>
> http://www.shrubbery.net/rancid/
>
> /joshua
> --
Subject : RE: ACL Monitoring
On Thu, 12 May 2005, Glynn Stanton wrote:

> If you anticipate doing a lot of this kind of monitoring in the future you
> may want to take a look at the "expect" programming language
> http://expect.nist.gov/ , which has very simple "send"/"expect" constructs.
> E.g. send "show acl 101/r" expect "access-list .." etc. Perl also allows
> similar although is probably not quite as easy to pick up if you've never
> done this kind of thing before.
>
> Essentially you'd write a quick script to telnet or ssh to the router "send"
> your commands, expect a result and do something based on that result. As I
> said, it's worth the time investment and you'll find once you get the script
> done you can just reuse it for many other tasks.

Kind of silly to state using an expect script or any other "script" for
that matter considering the assumption that, it seems he is not trusting
someone (as mentioned in another post), so I would take it that this
script would run from where?

Not only that, you would go through hell configuring encrypting the
password on an expect script for the script to decrypt, then send. Now,
not only that, but then what? How would you configure it to monitor
something say in real time? You would likely have to use the diff and grep
commands for parsing, and a whole bunch of other things to get it to just
monitor a change, not a guarantee you will find out who changed it without
some major scripting as opposed to using accounting ala TACACS+

spawn ssh [EMAIL PROTECTED]
expect "Password: "
send "secret\r"
expect "something"
send "something\r"
expect $RESPONSE_FROM_ROUTER
spawn $WHAT_DO_YOU_SPAWN_TO_COPY_WHAT_YOU_SEE

Expect would be worthless in my opinion. Why reinvent the "kick their
asses to accounting mode" wheel.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x0D99C05C
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C

sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
RE: ACL Monitoring
If you anticipate doing a lot of this kind of monitoring in the future you
may want to take a look at the "expect" programming language
http://expect.nist.gov/ , which has very simple "send"/"expect" constructs.
E.g. send "show acl 101/r" expect "access-list .." etc. Perl also allows
similar although is probably not quite as easy to pick up if you've never
done this kind of thing before.

Essentially you'd write a quick script to telnet or ssh to the router "send"
your commands, expect a result and do something based on that result. As I
said, it's worth the time investment and you'll find once you get the script
done you can just reuse it for many other tasks.

The TACACS+ suggestion is also good.. Not only would it allow you to limit
who (authentication) can do what (authorization).. The accounting features
would also provide a log entry if an authorized user did do a no access-list
101.. You could then write a shell script to parse the accounting log.

Cheers,
Glynn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim McBurnett
Sent: Thursday, May 12, 2005 5:20 PM
To: Paul Ryan; nanog@merit.edu
Subject: RE: ACL Monitoring

Paul,
I think a better solution may be to implement TACACS+ and restrict rights on
who can do that..
Sounds like you don't trust someone.
I'd try that first...

Later,
Jim

-Original Message-
From: Paul Ryan [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 5:15 PM
To: nanog@merit.edu
Subject: ACL Monitoring
Importance: High

All - I am looking for a solution (open source, scripts) to allow me to
monitor ACL's on Cisco routers. So if for example a line disappears from an
ACL or the entire ACL is removed - I am alerted via pager/e-mail etc.

regards,

Paul R
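Glynn's message above sketches the two halves of a home-grown monitor: compare what the script gets back from the router against what it expected, and then parse the TACACS+ accounting log to see who issued the "no access-list". J. Oquendo's reply elsewhere in the thread points out that the diff alone never tells you who did it. The following is an added illustration of both halves, not code from any message in this thread and not part of CCR or rancid: it reports entries or whole ACLs that are missing from a later "show access-lists" poll compared with a baseline, and attributes deletions from accounting records, including the case where the record only says "no 20" inside ACL submode. The captures and accounting lines are constructed samples, and the tab-separated record layout is an assumption rather than any real server's format.

```python
import re
# Constructed "show access-lists" captures: the later poll lacks entry 20 of ACL 101 and all of ACL 10.
BASELINE = """\
Extended IP access list 101
    10 permit tcp any host 192.0.2.10 eq 22
    20 permit tcp any host 192.0.2.10 eq 443
Standard IP access list 10
    10 permit 198.51.100.0, wildcard bits 0.0.0.255
"""
CURRENT = """\
Extended IP access list 101
    10 permit tcp any host 192.0.2.10 eq 22
"""
# Constructed TACACS+ command-accounting records cut down to user, tty, cmd= (assumed layout).
ACCOUNTING = [
    "alice\ttty2\tcmd=no access-list 10 <cr>",
    "alice\ttty2\tcmd=ip access-list extended 101 <cr>",
    "alice\ttty2\tcmd=no 20 <cr>",
]
def parse_acls(text: str) -> dict:
    """Map each ACL name to the set of its (stripped) entry lines."""
    acls, cur = {}, set()
    for line in text.splitlines():
        if m := re.match(r"^(?:Standard|Extended) IP access list (\S+)$", line):
            acls[m.group(1)] = cur = set()
        elif line.strip():
            cur.add(line.strip())
    return acls
def find_removals(baseline: str, current: str) -> tuple:
    """Return (ACLs gone entirely, {acl: entries missing from an ACL that survived})."""
    old, new = parse_acls(baseline), parse_acls(current)
    gone = sorted(n for n in old if n not in new)
    trimmed = {n: sorted(old[n] - new[n]) for n in old if n in new and old[n] - new[n]}
    return gone, trimmed
def attribute_changes(records: list, acls: list) -> list:
    """(user, acl, cmd) for records deleting all or part of a listed ACL. A bare 'no <seq>'
    only means something inside 'ip access-list ... NAME' submode, so that is tracked per session."""
    mode, hits = {}, []
    for rec in records:
        user, tty, rest = rec.split("\t", 2)
        cmd = re.search(r"cmd=(.*?)\s*<cr>", rest).group(1)
        if sub := re.match(r"ip access-list (?:standard|extended) (\S+)$", cmd):
            mode[(user, tty)] = sub.group(1)       # entering ACL submode
        elif cmd in ("exit", "end"):
            mode.pop((user, tty), None)            # left submode
        elif (top := re.match(r"no access-list (\S+)", cmd)) and top.group(1) in acls:
            hits.append((user, top.group(1), cmd))  # whole ACL deleted at top level
        elif cmd.startswith("no ") and mode.get((user, tty)) in acls:
            hits.append((user, mode[(user, tty)], cmd))  # entry deleted inside submode
    return hits
```

Without the submode tracking, the "no 20" record carries no ACL name at all, which is the "major scripting" the attribution step really needs.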
Re: ACL Monitoring
On Thu, 12 May 2005, Paul Ryan wrote:

> All - I am looking for a solution (open source, scripts) to allow me to
> monitor ACL's on Cisco routers. So if for example a line disappears from an
> ACL or the entire ACL is removed - I am alerted via pager/e-mail etc.

rancid or 'rat' (router auditing tool)

www.shrubbery.net - rancid
http://www.cisecurity.org/bench_cisco.html - rat
RE: ACL Monitoring
Paul,
I think a better solution may be to implement TACACS+ and restrict rights on
who can do that..
Sounds like you don't trust someone.
I'd try that first...

Later,
Jim

-Original Message-
From: Paul Ryan [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 5:15 PM
To: nanog@merit.edu
Subject: ACL Monitoring
Importance: High

All - I am looking for a solution (open source, scripts) to allow me to
monitor ACL's on Cisco routers. So if for example a line disappears from an
ACL or the entire ACL is removed - I am alerted via pager/e-mail etc.

regards,

Paul R
Re: ACL Monitoring
On (12/05/05 17:14), Paul Ryan wrote:
> All - I am looking for a solution (open source, scripts) to allow me to
> monitor ACL's on Cisco routers. So if for example a line disappears from an
> ACL or the entire ACL is removed - I am alerted via pager/e-mail etc.

http://www.shrubbery.net/rancid/

/joshua
--