[CentOS] OT: Managing change control in servers, LDAP, firewalls and switches question
rswwalker at gmail.com
Fri Jan 23 16:30:49 UTC 2009
On Fri, Jan 23, 2009 at 10:32 AM, Erick Perez <eaperezh at gmail.com> wrote:
> Hi, being an off-topic questions with so many vendors involved I had
> no definitive place to go to ask but here. So maybe some of the list
> members have ideas in mind.
> Currently we manage several switches,firewalls and MS LDAP and Centos
> OpenLDAP installations.
> We are looking for a "man in the middle" or "framework" to manage
> change on our network devices and LDAP-based servers.
> So far, using Quest ActiveRoles/Intrust has filled the part of LDAP,
> where administrators log into ActiveRoles/Intrust system, generate
> changes (delete OU, users, change passwords, etc) then the request has
> to be approved by a staff member in Activeroles/intrust. When the
> approval is sent to the system, the ActiveRoles/Intrust (and not the
> sysadmin) logs into the LDAP systems and perform the changes. This has
> proven useful in tracking changes (who did what, when, who approved
> We are looking into a similar solution (Quest Software does not have
> that for devices) to perform change and control on the routers,
> switches and firewalls.
> Maybe someone can also point me to a mailing list where i can ask the
> same question?
Most people do change management through trust, but verify, where change
requests are submitted, approved, then an administrator implements by hand,
and then replies that it was done successfully or not and what the failure was.
Then at some point, these changes are verified by someone else and confirmed
to been in place.
You could try to automate the verification process by using IDS software to log
all the environment changes, then match those up with change requests. Any
that happen without a change request were unauthorized and need to be rolled
This way you get 2 birds with 1 stone, change management verification and
intrusion detection. Couple that with a good backup/restore strategy and you
should have the major bases covered.
More information about the CentOS