Auditing the admin guy

Andy White
Level 3

Hello,

I log everything from my ASAs to a syslog server, so when I make any changes there is an audit trail of what I have been doing. However, my boss said, "What is stopping you turning off the logging and doing something malicious and then turning the logging back on?"

Firstly, if I turn logging off or on, can it send a syslog message?

Secondly, is there any software out there that can help?

Thanks


Julio Carvajal
VIP Alumni

Hello Andy,

Why don't you use AAA accounting? You can audit all of the commands you enter while logged into the ASA, and you can then export them to a syslog server to analyze them.

That would be a great way to do it, don't you think?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

What is the difference from what I am doing, and what is stopping me from turning accounting off, making a malicious change, then turning it back on so I don't get noticed?

Hello Andy,

When I set AAA accounting, it meant that you were going to run authentication, and then you could use the AAA framework for the extra work.

Setting a shell profile policy stating that you are allowed to set any command except the ones that stop the logging stuff and the AAA accounting.

I mean, you have it all within the AAA framework...

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I agree with Mashal; this can be achieved using command authorization. You may use LOCAL or TACACS+.

~Jatin

malshbou
Level 1

Hi,

For me, it looks like what would stop an admin from turning off logging/accounting is leveraging those two commands to some higher privilege level (command authorization) which only the boss can have. Say level 14 can execute all commands except disabling logging (or aaa accounting) and disabling aaa command authorization, which will be available only for level 15.

An admin should have level 14, and a boss should have level 15.

If the question now turns into: "What is stopping a boss turning off the logging and doing something malicious?", then I believe it would be an issue of trust and ethics.

Hope this helps

------------------
Mashal Alshboul
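
Added example (not part of any reply above, and not Cisco's code): one way to analyze the exported command records discussed in this thread, flagging commands that switch off logging, AAA accounting or command authorization and measuring how long each gap stayed open. It assumes the records reach the collector in the ASA 111008 syslog wording; the sample lines, host name, user names and the `WATCH` list are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample records in the ASA 111008 wording
# ("User '<name>' executed the '<cmd>' command."); host, users, times are invented.
SAMPLE = """\
2024-03-04T10:14:40 fw1 %ASA-5-111008: User 'admin1' executed the 'show running-config' command.
2024-03-04T10:15:02 fw1 %ASA-5-111008: User 'admin1' executed the 'no logging enable' command.
2024-03-04T10:21:47 fw1 %ASA-5-111008: User 'admin1' executed the 'logging enable' command.
2024-03-04T11:02:10 fw1 %ASA-5-111008: User 'admin2' executed the 'no aaa accounting command TACACS' command.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-111008: "
    r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$"
)
# Assumed watch list: command families whose "no ..." form weakens the audit trail.
WATCH = ("logging", "aaa accounting", "aaa authorization command")

def audit_gaps(text):
    """Return one finding per audit-disabling command, with the gap length if re-enabled."""
    open_gaps, findings = {}, []   # open_gaps: (host, positive command) -> finding
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # not a command-audit record
        ts = datetime.fromisoformat(m["ts"])
        host = m["host"]
        cmd = " ".join(m["cmd"].split())   # normalize whitespace
        if cmd.startswith("no ") and cmd[3:].startswith(WATCH):
            finding = {"host": host, "user": m["user"], "cmd": cmd,
                       "off": ts, "on": None, "seconds": None}
            findings.append(finding)
            open_gaps[(host, cmd[3:])] = finding
        elif (host, cmd) in open_gaps:
            # The exact positive form of a disabled command closes the gap.
            finding = open_gaps.pop((host, cmd))
            finding["on"] = ts
            finding["seconds"] = int((ts - finding["off"]).total_seconds())
    return findings

if __name__ == "__main__":
    for f in audit_gaps(SAMPLE):
        state = f"re-enabled after {f['seconds']}s" if f["on"] else "STILL DISABLED"
        print(f"{f['off']} {f['host']} {f['user']}: {f['cmd']} ({state})")
```

A finding with no re-enable time means the audit source was still off at the end of the input, which is the case to alert on first.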
