Just a general question really; I have attempted to Google it & look through these forums but coun't see anything - not sure if its my poor wording of the search term??
I have created a baseline template to run compliancy checks, I understand that lines beginning with a + are mandatory and lines begining with a - should not be on the router. What I need to know is, is there a catch all for any other commands on the router config (startup or running) but not mentioned in the baseline?
For example, lets say this is my baseline:
+ service timestamps debug datetime msec
+ service timestamps log datetime msec
+ service password-encryption
+ hostname [hostname]
The router comes back as compliant as it has all the above lines. However there is obviously more config on the router, but this doesn't show? So I know I can get commands that are in the baseline but not on the router; but what about the other way round - on the router but not on the baseline? Surely this exists - at the least from a security point of view, an attacker could well have configured the Dot11Radio int, however without entering the command with the minus prefix I can't tell?
I'm on LMS 2.6 by the way - I know, blast from the past
Sorry to bump this, but has no one ever come across this before? Is it as simple as being a limitation of Cisco Works - i.e. you can see what part of the baseline is on the router, but you can't see the remaining config on the router??