[logs] Re: PIX configuration change logging

From: Cerrato, Peter (Peter.Cerrato@private)
Date: Mon Oct 02 2006 - 15:21:16 PDT


Hello Paul,

This message from R.L. Nevot [r.nevot@private] seems to indicate that
we should see the exact commands that are executed:

"As far as I know, this is done by default, sure you only have to
increase logging level: 
Sep  8 11:04:30 pix Sep 08 2006 11:04:29: 
%PIX-5-111008: User 'enable_15' executed the 'no access-list ...'
command.
Sep  8 11:04:44 pix Sep 08 2006 11:04:43: 
%PIX-7-111009: User 'enable_15' executed cmd: show access-list ... 
See the Cisco documentation to know the meaning of messages 5-111008 and
7-111009"

We will test this out in our lab and let the list know.

I am also curious what the output will look like for commands executed
via the PDM.

thanks,

Peter

-----Original Message-----
From: Paul Melson [mailto:pmelson@private] 
Sent: Monday, October 02, 2006 2:01 PM
To: Cerrato, Peter; loganalysis@private
Subject: RE: [logs] PIX configuration change logging


-----Original Message-----
Subject: RE: [logs] PIX configuration change logging

> We found this :
>
> %PIX-5-111008: User 'user' executed the 'cmd' command.
>
> Explanation   This message indicates that a command change to the
> configuration has been made from an AAA authenticated session.
>
> here :
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800891c4.html
>
>
> Still looking into how we implement this.

Add the following lines to your PIX config:

logging enable
logging trap debugging
logging host inside [syslog server IP] udp/514

Then, when those messages are generated, they will appear in your syslog
stream.  But know that this will be a lot of syslog traffic on a busy
firewall, so don't implement this without proper planning and testing.  

Even so, that message doesn't mean what you may think it does.  The
'cmd' that you are going to see pretty much all of the time is 'enable'.
Sure it will tell you who modified the configuration and when (assuming
you have AAA set up for telnet/enable), but it won't audit the
configuration for you. You'll need a third party tool to do that.

PaulM
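As an added example that is not part of the thread, the following Python parser shows what a collector can actually extract from the two message IDs discussed above (%PIX-5-111008 and %PIX-7-111009) once `logging trap debugging` is sending them to syslog, and how to separate the near-constant 'enable' noise Paul mentions from commands that touch the configuration. The sample log lines are constructed for this example in the format quoted by R.L. Nevot; the access-list name and the noise-command list are assumptions, and this parser is not a Cisco tool or a full configuration audit (it only sees what the firewall logs).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Anchor on the "%PIX-<severity>-<msgid>:" token rather than on the start of
# the line, because the syslog and PIX timestamp prefixes vary with the
# logging configuration (Nevot's lines carry both a syslog and a PIX stamp).
# 111008: User 'user' executed the 'cmd' command.
# 111009: User 'user' executed cmd: string
PIX_CMD_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>111008|111009): "
    r"User '(?P<user>[^']*)' executed "
    r"(?:the '(?P<cmd_108>.*)' command\.?|cmd: ?(?P<cmd_109>.*))$"
)

# Commands that 111008 reports but that do not change the running config.
# 'enable' is the one you will see almost all of the time; the rest of this
# list is an assumption for the example, extend it for your own environment.
NOISE_COMMANDS = {"enable", "exit", "quit", "end", "configure terminal"}


@dataclass
class PixCommandEvent:
    user: str
    msgid: str
    severity: int
    command: str
    config_change: bool


def parse_pix_command(line: str) -> Optional[PixCommandEvent]:
    """Return a PixCommandEvent for a 111008/111009 line, else None."""
    m = PIX_CMD_RE.search(line.rstrip())
    if not m:
        return None
    msgid = m.group("msgid")
    raw = m.group("cmd_108") if msgid == "111008" else m.group("cmd_109")
    cmd = (raw or "").strip()
    # 111009 covers 'show ...' style commands (read-only); only 111008
    # entries that are not pure session noise are treated as config changes.
    is_change = (
        msgid == "111008"
        and cmd not in NOISE_COMMANDS
        and not cmd.startswith("show ")
    )
    return PixCommandEvent(
        user=m.group("user"),
        msgid=msgid,
        severity=int(m.group("sev")),
        command=cmd,
        config_change=is_change,
    )


def find_config_changes(lines: List[str]) -> List[PixCommandEvent]:
    """Filter a syslog stream down to the events that changed the config."""
    events = (parse_pix_command(l) for l in lines)
    return [e for e in events if e is not None and e.config_change]


# Constructed sample stream (not real firewall output): the first two and the
# fourth lines mirror the format quoted in the thread, the last one is an
# unrelated connection message that the parser must ignore.
SAMPLE_LOG = """\
Sep  8 11:04:20 pix Sep 08 2006 11:04:19: %PIX-5-111008: User 'enable_15' executed the 'enable' command.
Sep  8 11:04:30 pix Sep 08 2006 11:04:29: %PIX-5-111008: User 'enable_15' executed the 'no access-list outside_in' command.
Sep  8 11:04:44 pix Sep 08 2006 11:04:43: %PIX-7-111009: User 'enable_15' executed cmd: show access-list outside_in
Sep  8 11:05:02 pix Sep 08 2006 11:05:01: %PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/80 to inside:10.0.0.5/49152
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for ev in find_config_changes(SAMPLE_LINES):
        print(f"{ev.user} changed config: {ev.command}")
```

Note that 111009 is emitted at severity 7, so Paul's `logging trap debugging` is the level that gets both IDs onto the wire; at `logging trap notifications` you would only see 111008. Even with both, the log tells you who ran which command and when (given AAA on the session), not what the resulting configuration looks like, which is the gap Paul points to.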


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Mon Oct 02 2006 - 19:28:29 PDT