Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1073
Views
0
Helpful
9
Replies

How can I give PCI auditors READ ONLY access to see running config?

Gerard Roy
Level 2
Level 2

‎08-26-2009 11:51 AM - edited ‎03-06-2019 07:26 AM

Cisco has limited the show running-config to level 15 only so I am screwed there. Is there another way?

Labels:
0 Helpful
9 Replies 9

yagnesh_tel
Level 1
Level 1

‎08-26-2009 12:20 PM

No worries. Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels. So suppose you want to create a PCI user who can log in to the router and view the running configuration (as well as anything else at level 1).

router(config)# user PCI privilege 2 password audit.

router(config)# privilege exec level 2 show running-config

Refer this for more detail:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli_support_TSD_Island_of_Content_Chapter.html#wp1049664

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame
In response to yagnesh_tel

‎09-02-2009 06:53 AM

Privilege level 2 will allow you to run the running-config but the output will be empty.

The link you provided does talk about a way of allowing someone to view the configuration but the privilege must be 15.

The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session will run at the privilege level specified by the privilege command. For example if you want your technical support staff to view the configuration on a networking device to help them troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username the running configuration will be displayed automatically. The user's session will be logged out automatically after the user has viewed the last line of the configuration.

__

Edison.

0 Helpful

yagnesh_tel
Level 1
Level 1
In response to Edison Ortiz

‎09-03-2009 09:44 AM

Thanks Edison for correcting. I lost in my own answer :)

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni

‎09-02-2009 07:35 AM

Isn't granting auditors access to devices a security risk? We're audited to DISA standards and our auditors have never asked for direct access. We provide them timestamped configs and if they want to see it real-time, we login and they can review it.

0 Helpful

srue
Level 7
Level 7
In response to Collin Clark

‎09-02-2009 08:43 AM

i agree with collin on this one. i've never had an auditor ask for access to a device. someone needs to audit the auditors.

0 Helpful

Gerard Roy
Level 2
Level 2
In response to srue

‎09-02-2009 08:59 AM

I have to agree as well. What really burns me up on the whole PCI scam is that the same bankers that bankrupted the country are all of a sudden concerned that no one else besides them has an opportunity to steal. The CC companies need to die a merciless death.

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to Gerard Roy

‎09-02-2009 09:02 AM

Ahhh PCI, enough said. Auditors w/o a clue. I have a couple of banks as customers and I cringe every time there is an audit. I find it easier to explain to a 3 year old the operation of STP than explain to an auditor how wireless can be secure.

0 Helpful

pompeychimes
Level 4
Level 4

‎09-08-2009 06:49 PM

Print it out and make them analyze it manually :) All they typically do is run it through nipper anyway.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to pompeychimes

‎09-08-2009 09:33 PM

Why bother? PCI auditors can't read. :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card