[rancid] Securing RANCID installation
howie at thingy.com
Tue Dec 16 15:10:32 UTC 2014
On 16/12/2014 14:43, Jason Humes wrote:
> Are there are tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.
> Thanks for any advice! :)
Don't tell anyone the account password who you don't trust! :-)
Seriously, it's a bunch of scripts that run as a single non-privileged
user, producing files owned by that user. Run everything as a dedicated
'rancid' user, and basic Unix file permissions will take care of that.
Your most likely information leak is the diff e-mails.
If you have a web UI for it, that's a whole different story, but that's
not really part of RANCID either. We use mod_authnz_ldap against our AD,
mod_python, mod_ssl and viewvc pointed to the RANCID svn files, and that
seems to work well enough - you need to modify the group permissions for
the svn files so that a group that apache and rancid both belong to can
read them. Using AD (or individual htpasswd accounts) means we get audit
logs of who accessed what in the webserver access logs.
More information about the Rancid-discuss