4.3 Configure Alerts on all Configuration Changes

Information

This is not easily implemented directly on the switch. Changes should ideally be backed up remotely, and a 'diff' process to highlight any changes in successive configurations is a good process to implement.

Rationale:

Change Control processes are ubiquitous in the industry. Especially with a text-based configuration such as most network devices have, it is easy to extract the exact changes from one version of the saved or running configuration to the next. This can then be correlated back to the change control process, to see:

Did any and all approved changes get executed?

Did any unapproved changes get executed?

Relating this back to the syslogs created by named user logins, did the change happen within the correct window?

Also relating back to the syslogs created by named user logins, did the correct person make the change? (see the AAA section, and named administrative users)

Is there a pattern of any one or more administrators making unapproved or outside of window changes?

Impact:

A formal change control process can manage conflicts in changes nicely, especially between disparate sections of the infrastructure. For instance, the situation where 'a server upgrade failed because the firewall changes interrupted the VPN session' is much less likely to occur if all changes are reviewed in advance.

In addition, changes made without planning tend to result in the 'testing in prod' scenario, ending up with a much higher ratio of service interruptions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This is not a process that typically runs on the switch, there is no on-switch remediation.

Default Value:

None.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-3, CSCv7|11.3

Plugin: Cisco

Control ID: d00db8127b85ebcb34126a284544fc37f7770552ed1e7a259d042d4617302641