https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267748#M350162 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What is the difference to what I am doing and what is stopping me from turning accounting off and making a malicious change then turning it back on so I dont get noticed?&nbsp; </P></BODY></HTML> Thu, 09 May 2013 17:58:31 GMT Andy White 2013-05-09T17:58:31Z https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267746#M350159 <P>Hello,</P><P></P><P>I log everything from my ASAs to a syslog server, so when I make any changes there is an audit trail of what I have been doing, however my boss said what is stopping you turning off the logging and doing something malicious and then turning the logging back on?&nbsp; </P><P></P><P>Firstly if I turn off or on logging can it send a syslog message?</P><P></P><P>Secondly is there any software out there that can help?</P><P></P><P>Thanks</P> Tue, 12 Mar 2019 01:41:11 GMT https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267746#M350159 Andy White 2019-03-12T01:41:11Z https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267747#M350161 <HTML><HEAD></HEAD><BODY><P>Hello Andy,</P><P></P><P>Why dont you use AAA accounting and you can audit all of the commands you enter while being logged into the ASA, you can then export them to a syslog server to analize them,</P><P></P><P>That would be a great way to do it, don't you think?</P><P></P><P>Regards,</P><P></P><P>Julio Carvajal </P></BODY></HTML> Thu, 09 May 2013 16:53:00 GMT https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267747#M350161 Julio Carvajal 2013-05-09T16:53:00Z https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267748#M350162 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What is the difference to what I am doing and what is stopping me from turning accounting off and making a malicious change then turning it back on so I dont get noticed?&nbsp; </P></BODY></HTML> Thu, 09 May 2013 17:58:31 GMT https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267748#M350162 Andy White 2013-05-09T17:58:31Z https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267749#M350163 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>for me, it looks like what would stop an admin from turning off logging/accounting is leveraging those two commands to some higher privilege level (command authorization) which only the boss can have. say level 14 can execute all commands except disabling logging (or aaa accounting), and disabling aaa command authorization,&nbsp; which will&nbsp; be available only for level 15. </P><P>An admin should have level 14, and a boss should have level 15.</P><P></P><P>If the question now turns into: "what is stopping a boss turning off the logging and doing something malicious ?", then i believe it would be an issue of trust and ethics.</P><P></P><P>Hope this helps </P><P>------------------ <BR />Mashal Alshboul</P></BODY></HTML> Thu, 09 May 2013 18:57:27 GMT https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267749#M350163 malshbou 2013-05-09T18:57:27Z https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267750#M350164 <HTML><HEAD></HEAD><BODY><P>Hello Andy,</P><P></P><P>When I set aaa accounting it mean that you were going to run authentication and then you could use the AAA framework for the extra-work.</P><P></P><P>Setting a shell profile policy stating that you are allow to set any command except&nbsp; the ones that stop the logging stuff and the aaa accounting stop,</P><P></P><P>I mean you have it all within the AAA framework........</P><P></P><P></P><P>Regards,</P></BODY></HTML> Thu, 09 May 2013 19:09:05 GMT https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267750#M350164 Julio Carvajal 2013-05-09T19:09:05Z https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267751#M350165 <HTML><HEAD></HEAD><BODY><P>I agree with Mashal, this can be achieved using command authorization. You may use LOCAL or tacacs+.</P></BODY></HTML> Sat, 11 May 2013 21:03:02 GMT https://community.cisco.com/t5/network-security/auditing-the-admin-guy/m-p/2267751#M350165 Jatin Katyal 2013-05-11T21:03:02Z