Cisco Support Community

New Member

How can I give PCI auditors READ ONLY access to see running config?

Cisco has limited the show running-config to level 15 only so I am screwed there. Is there another way?

9 REPLIES
Bronze

Re: How can I give PCI auditors READ ONLY access to see running

No worries. Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels. So suppose you want to create a PCI user who can log in to the router and view the running configuration (as well as anything else at level 1).

router(config)# username PCI privilege 2 password audit

router(config)# privilege exec level 2 show running-config

Refer this for more detail:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli_support_TSD_Island_of_Content_Chapter.html#wp1049664

Hall of Fame Super Bronze

Re: How can I give PCI auditors READ ONLY access to see running

Privilege level 2 will allow you to run show running-config, but the output will be empty.

The link you provided does talk about a way of allowing someone to view the configuration but the privilege must be 15.

The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session will run at the privilege level specified by the privilege command. For example if you want your technical support staff to view the configuration on a networking device to help them troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with the username the running configuration will be displayed automatically. The user's session will be logged out automatically after the user has viewed the last line of the configuration.

__

Edison.
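The autocommand approach quoted above, written out as an IOS configuration. This is an added example, not configuration from the thread or from Cisco's documentation; the username, the secret and the vty range are assumed, and the two username lines are split so the autocommand keyword takes the rest of its line.

```cisco
! Added example: a read-only "config viewer" account using autocommand.
! The user is level 15 (required for a full show running-config), but the
! only thing the session ever does is run that command and then disconnect.
! Username and secret are placeholders.
username pci-audit privilege 15 secret Ch4nge-Th1s-Passphrase
username pci-audit autocommand show running-config
!
! Local login over SSH only on the vty lines (vty range assumed).
line vty 0 4
 login local
 transport input ssh
!
! Keep a record of who pulled the config and when.
logging buffered 65536 informational
archive
 log config
  logging enable
  notify syslog
```

Two caveats a practitioner will want: do not add the `nohangup` keyword to the username, because that leaves the auditor at an interactive level-15 prompt after the command finishes instead of disconnecting the session; and the secret will still appear in the displayed config as an MD5 hash (Cisco "type 5"), as will any other `secret`/`password` lines, so review the running config for plaintext or reversible type 7 strings before handing this account out.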

Bronze

Re: How can I give PCI auditors READ ONLY access to see running

Thanks, Edison, for correcting. I got lost in my own answer :)

Re: How can I give PCI auditors READ ONLY access to see running

Isn't granting auditors access to devices a security risk? We're audited to DISA standards and our auditors have never asked for direct access. We provide them timestamped configs and if they want to see it real-time, we login and they can review it.

Gold

Re: How can I give PCI auditors READ ONLY access to see running

I agree with Collin on this one. I've never had an auditor ask for access to a device. Someone needs to audit the auditors.

New Member

Re: How can I give PCI auditors READ ONLY access to see running

I have to agree as well. What really burns me up on the whole PCI scam is that the same bankers that bankrupted the country are all of a sudden concerned that no one else besides them has an opportunity to steal. The CC companies need to die a merciless death.

Re: How can I give PCI auditors READ ONLY access to see running

Ahhh PCI, enough said. Auditors w/o a clue. I have a couple of banks as customers and I cringe every time there is an audit. I find it easier to explain to a 3 year old the operation of STP than explain to an auditor how wireless can be secure.

Re: How can I give PCI auditors READ ONLY access to see running

Print it out and make them analyze it manually :) All they typically do is run it through nipper anyway.

Hall of Fame Super Gold

Re: How can I give PCI auditors READ ONLY access to see running

Why bother? PCI auditors can't read. :)
