6.2.2 Ensure at least one SCP Archive Site is configured

Information

Configuration archival should use only secure transport over SCP.

Rationale:

Archiving the configuration to an external server creates a history of changes allowing an effective 'post mortem' to be carried out following any breach and aiding recovery to security and other incidents.

The archive can also be used to alert administrators of unauthorized changes and identify what was changed by utilizing hashes or diff in scripts or systems like Tripwire.

At least one Secure Copy (SCP) Archive Site should be configured on the router. No other transport methods should be used.

Solution

To enable a Secure Copy Archival Site on commit issue the following commands from the [edit system] hierarchy;

[edit system]
user@host#set archival configuration archive-site <SCP URL> password <password>

Default Value:

Archival is not configured by default

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-9, CSCv7|10.1, CSCv7|10.4

Plugin: Juniper

Control ID: 4b37540dfde3c4e8c0679432954efe91706933cf4640a8993290409b385aa1b3