[CentOS] OT: Managing change control in servers, LDAP, firewalls and switches question

Fri Jan 23 17:16:43 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

Erick Perez wrote:
> Hi, being an off-topic question with so many vendors involved I had
> no definitive place to go to ask but here. So maybe some of the list
> members have ideas in mind.
> 
> Currently we manage several switches, firewalls and MS LDAP and CentOS
> OpenLDAP installations.
> We are looking for a "man in the middle" or "framework" to manage
> change on our network devices and LDAP-based servers.
> So far, using Quest ActiveRoles/Intrust has filled the part of LDAP,
> where administrators log into ActiveRoles/Intrust system, generate
> changes (delete OU, users, change passwords, etc.), then the request has
> to be approved by a staff member in Activeroles/intrust. When the
> approval is sent to the system, the ActiveRoles/Intrust (and not the
> sysadmin) logs into the LDAP systems and performs the changes. This has
> proven useful in tracking changes (who did what, when, who approved
> it).
> We are looking into a similar solution (Quest Software does not have
> that for devices) to perform change and control on the routers,
> switches and firewalls.

There was a tool called pancho (http://www.pancho.org/) that claimed to 
do automated router and switch management, but it seems to no longer 
be supported, and personally, I'd trust a person more than a script with 
that sort of job.  On the other hand, maintaining backup copies of 
configurations before/after changes is something very worthwhile and not 
difficult for anything that has text based configurations.  Just make 
sure that changes are copied back and committed to a central version 
control system like cvs or svn (which you can wrap with viewvc for easy 
display of history and changes).  A tool called rancid 
(http://www.shrubbery.net/rancid/) will automate this for many routers, 
switches and firewalls, and will also pick up any unexpected changes.

-- 
   Les Mikesell
    lesmikesell at gmail.com
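As an added illustration of the workflow Les describes (keep a copy of each device configuration before and after a change, diff the copies, and flag anything that changed outside an approved change), the following Python is example code written for this page; it is not rancid, pancho or anything posted in the thread. The device name, the config text, the list of "volatile" line patterns and the open-change-window flag are all constructed assumptions. The point it shows beyond the prose is that a raw diff of two pulls is noisy, because devices rewrite timestamp and clock-drift lines on every pull, so those lines have to be filtered out before a difference is treated as a change worth escalating:

```python
import difflib
import re

# Constructed example of an approved baseline config (not a real device).
APPROVED = """\
! Last configuration change at 10:02:11 UTC Thu Jan 22 2009
version 12.4
hostname edge-fw1
ntp clock-period 17180024
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

# Same device pulled again later: only the volatile lines differ.
CURRENT_SAME = APPROVED.replace(
    "10:02:11 UTC Thu Jan 22 2009", "17:30:02 UTC Fri Jan 23 2009"
).replace("ntp clock-period 17180024", "ntp clock-period 17180031")

# Same device after someone enabled telnet on the vty lines.
CURRENT_CHANGED = CURRENT_SAME.replace(
    " transport input ssh", " transport input telnet ssh"
)

# Assumed patterns for lines that change on every pull without any real
# configuration change; a real deployment would tune this list per platform.
VOLATILE = [
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
    re.compile(r"^ntp clock-period "),
]


def normalize(config_text):
    """Return the config as a list of lines with volatile lines dropped."""
    return [
        line for line in config_text.splitlines()
        if not any(pat.match(line) for pat in VOLATILE)
    ]


def config_diff(approved, current, device="device"):
    """Unified diff of the normalized configs; empty string when nothing real changed."""
    return "".join(difflib.unified_diff(
        [l + "\n" for l in normalize(approved)],
        [l + "\n" for l in normalize(current)],
        fromfile=f"{device}/approved",
        tofile=f"{device}/current",
    ))


def classify(approved, current, change_window_open=False, device="device"):
    """Label a pull as unchanged, an expected change (an approved change is
    in progress for this device), or an unexpected change to escalate.
    The change-window flag stands in for whatever ticket or approval
    system is tracking who asked for the change and who approved it."""
    diff = config_diff(approved, current, device)
    if not diff:
        return "unchanged", diff
    if change_window_open:
        return "expected", diff
    return "unexpected", diff


def report(approved_by_device, current_by_device, open_windows=()):
    """Classify every device in one pass; returns {device: status}."""
    return {
        dev: classify(approved_by_device[dev], cfg, dev in open_windows, dev)[0]
        for dev, cfg in current_by_device.items()
    }


if __name__ == "__main__":
    status, diff = classify(APPROVED, CURRENT_CHANGED, device="edge-fw1")
    print(status)
    print(diff, end="")
```

In the rancid-style setup Les describes, the "approved" copy is simply the last revision committed to cvs or svn; the normalized current pull is what gets committed next, and a non-empty diff with no matching approval is the "unexpected change" to chase.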