Gerard Roy
Explorer

How can I give PCI auditors READ ONLY access to see running config?

Cisco has limited the show running-config to level 15 only so I am screwed there. Is there another way?

yagnesh_tel
Beginner

No worries. Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels. So suppose you want to create a PCI user who can log in to the router and view the running configuration (as well as anything else at level 1).

router(config)# username PCI privilege 2 password audit

router(config)# privilege exec level 2 show running-config

Refer to this for more detail:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli_support_TSD_Island_of_Content_Chapter.html#wp1049664

Privilege level 2 will allow you to run show running-config, but the output will be empty.

The link you provided does talk about a way of allowing someone to view the configuration but the privilege must be 15.

The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session will run at the privilege level specified by the privilege command. For example if you want your technical support staff to view the configuration on a networking device to help them troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username the running configuration will be displayed automatically. The user's session will be logged out automatically after the user has viewed the last line of the configuration.

__

Edison.
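Both approaches from the replies above, side by side as an added IOS configuration example (not configuration posted in this thread). The username PCIAUDIT, the placeholder <AUDIT-PASSWORD> and the vty settings are assumptions.

```cisco
! Added example, not from the thread. Assumed: username PCIAUDIT,
! placeholder <AUDIT-PASSWORD>, vty lines 0-4.
!
! Variant 1: the privilege-level approach from the first reply.
! The user logs in at level 2 and "show running-config" is lowered
! to level 2, so the command is accepted. As noted in the thread,
! the output is empty at that level, so this does not meet the goal.
username PCIAUDIT privilege 2 secret <AUDIT-PASSWORD>
privilege exec level 2 show running-config
!
! Variant 2: the method quoted from the Cisco guide. The account
! runs at level 15, but "autocommand" runs "show running-config"
! immediately on login and the session ends once the last line of
! the output has been viewed, so the auditor never reaches a prompt.
username PCIAUDIT privilege 15 secret <AUDIT-PASSWORD>
username PCIAUDIT autocommand show running-config
!
! Only expose the account over SSH with local authentication, and
! drop the session if the auditor walks away mid-output.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
!
! Record each login attempt so use of the audit account is itself
! auditable (assumed syslog host, RFC 5737 documentation address).
logging host 192.0.2.10
login on-success log
login on-failure log
```

Use variant 2 and remove variant 1 when applying this; the two username lines for PCIAUDIT at different privilege levels are shown together only for comparison.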

Thanks Edison for correcting. I got lost in my own answer :)

Collin Clark
Advisor

Isn't granting auditors access to devices a security risk? We're audited to DISA standards and our auditors have never asked for direct access. We provide them timestamped configs and if they want to see it real-time, we login and they can review it.

I agree with Collin on this one. I've never had an auditor ask for access to a device. Someone needs to audit the auditors.

I have to agree as well. What really burns me up on the whole PCI scam is that the same bankers that bankrupted the country are all of a sudden concerned that no one else besides them has an opportunity to steal. The CC companies need to die a merciless death.

Ahhh PCI, enough said. Auditors w/o a clue. I have a couple of banks as customers and I cringe every time there is an audit. I find it easier to explain to a 3 year old the operation of STP than explain to an auditor how wireless can be secure.

pompeychimes
Enthusiast

Print it out and make them analyze it manually :) All they typically do is run it through nipper anyway.

Why bother? PCI auditors can't read. :)