08-26-2009 11:51 AM - edited 03-06-2019 07:26 AM
Cisco has limited the show running-config to level 15 only so I am screwed there. Is there another way?
08-26-2009 12:20 PM
No worries. Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels. So suppose you want to create a PCI user who can log in to the router and view the running configuration (as well as anything else at level 1).
router(config)# user PCI privilege 2 password audit.
router(config)# privilege exec level 2 show running-config
Refer to this for more detail:
09-02-2009 06:53 AM
Privilege level 2 will allow you to run the running-config but the output will be empty.
The link you provided does talk about a way of allowing someone to view the configuration but the privilege must be 15.
The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session will run at the privilege level specified by the privilege command. For example if you want your technical support staff to view the configuration on a networking device to help them troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username the running configuration will be displayed automatically. The user's session will be logged out automatically after the user has viewed the last line of the configuration.
__
Edison.
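The approach described in the quoted documentation, written out as IOS configuration. This is an added example, not part of the original post or the linked document; the username `pciaudit`, the `<strong-secret>` placeholder, and the `line vty 0 4` range are assumptions.

```cisco
! Added example. Username, secret placeholder, and vty range are assumptions.
!
! Account whose session runs at privilege 15, the level at which
! show running-config returns the configuration.
username pciaudit privilege 15 secret <strong-secret>
!
! Run this one command automatically at login. Without "nohangup"
! configured for the user, the session is disconnected when the
! command finishes, so the account never reaches an interactive prompt.
username pciaudit autocommand show running-config
!
! Authenticate vty logins against the local username database so the
! per-user privilege level and autocommand are applied.
line vty 0 4
 login local
```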
09-03-2009 09:44 AM
Thanks Edison for correcting. I got lost in my own answer :)
09-02-2009 07:35 AM
Isn't granting auditors access to devices a security risk? We're audited to DISA standards and our auditors have never asked for direct access. We provide them timestamped configs and if they want to see it real-time, we log in and they can review it.
09-02-2009 08:43 AM
I agree with Collin on this one. I've never had an auditor ask for access to a device. Someone needs to audit the auditors.
09-02-2009 08:59 AM
I have to agree as well. What really burns me up on the whole PCI scam is that the same bankers that bankrupted the country are all of a sudden concerned that no one else besides them has an opportunity to steal. The CC companies need to die a merciless death.
09-02-2009 09:02 AM
Ahhh PCI, enough said. Auditors w/o a clue. I have a couple of banks as customers and I cringe every time there is an audit. I find it easier to explain to a 3 year old the operation of STP than explain to an auditor how wireless can be secure.
09-08-2009 06:49 PM
Print it out and make them analyze it manually :) All they typically do is run it through nipper anyway.
09-08-2009 09:33 PM
Why bother? PCI auditors can't read. :)