yagnesh_tel Wed, 08/26/2009 - 12:20

No worries. Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels. So suppose you want to create a PCI user who can log in to the router and view the running configuration (as well as anything else at level 1).

router(config)# username PCI privilege 2 password audit
router(config)# privilege exec level 2 show running-config

Refer to this for more detail:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli_support_TSD_Island_of_Content_Chapter.html#wp1049664

Edison Ortiz Wed, 09/02/2009 - 06:53

Privilege level 2 will allow you to run show running-config, but the output will be empty.

The link you provided does talk about a way of allowing someone to view the configuration, but the privilege must be 15:

The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session will run at the privilege level specified by the privilege command. For example, if you want your technical support staff to view the configuration on a networking device to help them troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username, the running configuration will be displayed automatically. The user's session will be logged out automatically after the user has viewed the last line of the configuration.

__

Edison.
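The two approaches discussed in the posts above, side by side, as an added configuration example that is not from either poster or from the Cisco document. The device, the usernames "pci2" and "pci-audit", the credentials, the ACL name and the 10.20.30.0/24 auditor subnet are all assumed. The first block is the level-2 attempt; the second is the privilege-15-plus-autocommand pattern the Cisco document describes, with the line and credential hardening a reviewer would expect around an account that is, on paper, fully privileged.

```cisco
! === Added example, not from the thread. Hypothetical device and names. ===
!
! --- Attempt 1: move show running-config down to level 2 ---
! The user can type the command, but the output is empty, as Edison notes:
! show running-config prints only the commands the caller's level is
! allowed to configure, and a level-2 user is allowed to configure nothing.
username pci2 privilege 2 secret Level2OnlyExample
privilege exec level 2 show running-config
!
! --- Attempt 2: the pattern from the Cisco document ---
! A level-15 account whose only reachable action is show running-config.
! The autocommand runs as soon as the login succeeds, and IOS drops the
! session when the command finishes, so the account never gets an
! interactive level-15 prompt. Do NOT add "username pci-audit nohangup":
! that keeps the session open after the autocommand, which defeats the point.
! "secret" stores a hash; the thread's "password" keyword stores the
! credential reversibly (plaintext, or type 7 with service password-encryption).
username pci-audit privilege 15 secret ReplaceWithStrongSecret
username pci-audit autocommand show running-config
!
! Limit where the account may come from and how it connects.
ip access-list standard AUDITOR-SRC
 permit 10.20.30.0 0.0.0.255
 deny   any log
!
line vty 0 4
 login local
 transport input ssh
 access-class AUDITOR-SRC in
 exec-timeout 5 0
!
! Log every successful and failed login so the auditor's access is itself auditable.
login on-success log
login on-failure log
!
! The autocommand only applies to EXEC sessions on lines. If the device's
! HTTP server authenticates against the same local database, pci-audit is a
! plain privilege-15 web user with no autocommand. Either disable the web
! interface or do not use local authentication for it.
no ip http server
no ip http secure-server
```

Check the result from the auditor subnet: an SSH login as pci-audit should print the full running configuration and then disconnect, and a login as pci2 should return a prompt where show running-config produces nothing useful. Also verify the account cannot reach the console or any other line without the autocommand, since the username-level autocommand is what confines it, not the privilege level.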

yagnesh_tel Thu, 09/03/2009 - 09:44

Thanks, Edison, for correcting. I got lost in my own answer :)

Collin Clark Wed, 09/02/2009 - 07:35

Isn't granting auditors access to devices a security risk? We're audited to DISA standards and our auditors have never asked for direct access. We provide them timestamped configs and if they want to see it real-time, we login and they can review it.

srue Wed, 09/02/2009 - 08:43

I agree with Collin on this one. I've never had an auditor ask for access to a device. Someone needs to audit the auditors.

Gerard Roy Wed, 09/02/2009 - 08:59
I have to agree as well. What really burns me up on the whole PCI scam is that the same bankers that bankrupted the country are all of a sudden concerned that no one else besides them has an opportunity to steal. The CC companies need to die a merciless death.

Collin Clark Wed, 09/02/2009 - 09:02

Ahhh PCI, enough said. Auditors w/o a clue. I have a couple of banks as customers and I cringe every time there is an audit. I find it easier to explain to a 3 year old the operation of STP than explain to an auditor how wireless can be secure.

pompeychimes Tue, 09/08/2009 - 18:49

Print it out and make them analyze it manually :) All they typically do is run it through Nipper anyway.

Leo Laohoo Tue, 09/08/2009 - 21:33

Why bother? PCI auditors can't read. :)
