sunhux
asked on
"aaa accounting commands 0" is more secure than "... 15"
Network team lead argued that the audit finding for the following Cisco item
is not valid:
>aaa accounting commands 0 default start-stop group XX_TAC
which Audit recommends (as per CIS benchmark) should be:
>aaa accounting commands 15 default start-stop group XX_TAc
Network team lead argued that 0 is equally or more secure
than 15.
I'm no network engineer, so would anyone care to comment? Any
other authoritative sources (besides CIS) would be helpful.
ASKER
>aaa accounting commands 0 default start-stop group XX_TAC
If the value is set to 0 instead of what's given by the Cisco link above,
what does it mean?
ASKER CERTIFIED SOLUTION
15 will report all accounting.
0 will report a smaller subset
https://community.cisco.com/t5/policy-and-access/configure-aaa-accounting/td-p/2877444
This is an accounting setting, to be sent/logged
Do you also have result logging going to external syslog?
SOLUTION
Thanks Justin for clarifying; the config seems interested in accounting for elevated access.
Much depends on device use and whether the other levels are of interest, import.
ASKER
Below are the 3 lines we currently have in our core switch:
aaa accounting exec default start-stop group xx_TAC <== for this line, we don't need to specify 0, 1 or 15, right?
aaa accounting commands 0 default start-stop group xx_TAC
aaa accounting commands 15 vty start-stop group xx_TAC
So we're missing:
aaa accounting commands 15 default start-stop group xx_TAC
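An added check (not from the thread or from Cisco) that parses the `aaa accounting commands <level> <list> ...` lines of an IOS configuration and reports which privilege levels each method list actually accounts for. In IOS, command accounting is configured per privilege level, so a line for level 0 does not cover level 15 commands; the sample config below is constructed from the three lines the asker listed.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the asker's three lines plus "aaa new-model".
# This is example data, not a real device export.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group xx_TAC
aaa accounting commands 0 default start-stop group xx_TAC
aaa accounting commands 15 vty start-stop group xx_TAC
"""

# One "aaa accounting commands" statement: privilege level, method-list name,
# and the record type (start-stop / stop-only / none).
CMD_ACCT = re.compile(
    r"^aaa accounting commands (?P<level>\d+) (?P<list>\S+) "
    r"(?P<record>start-stop|stop-only|none)\b"
)


def parse_command_accounting(config: str) -> Dict[str, Set[int]]:
    """Map each method-list name to the set of privilege levels whose
    commands it accounts.  Exec accounting lines are ignored on purpose:
    they record sessions, not individual commands."""
    lists: Dict[str, Set[int]] = {}
    for raw in config.splitlines():
        match = CMD_ACCT.match(raw.strip())
        if match:
            lists.setdefault(match["list"], set()).add(int(match["level"]))
    return lists


def missing_command_accounting(
    config: str, required_levels=(15,), method_list: str = "default"
) -> List[int]:
    """Return the privilege levels in required_levels that the named method
    list does not account.  The CIS item discussed in the thread asks for
    level 15 on the default list, so the defaults mirror that finding."""
    covered = parse_command_accounting(config).get(method_list, set())
    return sorted(set(required_levels) - covered)


if __name__ == "__main__":
    for name, levels in parse_command_accounting(SAMPLE_CONFIG).items():
        print(f"list {name!r} accounts command levels {sorted(levels)}")
    gaps = missing_command_accounting(SAMPLE_CONFIG)
    print("missing on default list:", gaps or "none")
```

With the asker's config the "default" list covers only level 0 and "vty" only level 15, so the check reports level 15 as missing on the default list; adding the recommended line clears it.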
SOLUTION
If all users who manage the device/s are local, and only 802.1x or VPN connections rely on aaa.
Deals with whether you have a centrally managed device access control beyond .....