05-16-2003 11:25 AM - edited 03-02-2019 07:24 AM
An entry appeared in the change audit report with these parameters:
Device name: 20.23.40.2
User name= unknown
Application name= Configuration Archive
Host name= CWKS2K
Creation time= 16 May 2003 02:34:08 CDT
Connection mode= snmp
Category= Config
Message= Scheduled Update
These are the facts:
The details of the entry show an actual config change.
This is from a recent CW2K installation.
The ones who have the cwks password didn't make the change.
The change to the device config was made apparently by telnet by a network operator, but it is reported as made by snmp and from the server (CWKS2K).
Any ideas? Is this entry incorrect? Is this an indication of a password compromise? Is this a normal entry of another procedure that could have changed the config? (We did not schedule one.)
05-16-2003 01:51 PM
Was a config change made to this device? If, under Change Probe Setup, Syslog and/or Config Retrieval Schedule are checked, then this would trigger an automatic config fetch by CW2K.
05-16-2003 02:03 PM
Yeah, the fact that the entry appeared in the change audit report was because a config retrieval was scheduled... what is making me wonder is the fact that the report indicates that a configuration change was made from the server via snmp at midnight, but we didn't schedule any config from the cwks, which apparently leaves us with two options:
- Our password was compromised and the config was made from within cwks (not likely).
- The config change was made by another medium and the audit change reported it incorrectly (because the report says the config was made FROM the server).
Am I wrong with this or are there any other options?