Configuration-Change Logging

Fleischen · ‎03-16-2016

Hello,

How do I comply with PCI DSS requirement 10.2.2 when using a Procurve switch?
(https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf)

The core of this requirment is that all changes done on the switch must be logged. Using "logging notify running-config-change" only notifies that a change has been made not what was changed. And also send it to a syslog server.

On a cisco switch it is quite easy:

(http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html) Chapter "Enabling the Configuration-Change Logger"

How do I do it on a procurve switch?

Thanks!

Dave Harrold · ‎03-16-2016

This is what I did to meet that requirement for a customer. They are using IMC for management, so that is the IP address used.

config t
logging <log-host-ip>
logging facility syslog
logging notify running-config-change transmission-interval 10
aaa accounting exec start-stop syslog
aaa accounting commands stop-only syslog
end

Dave

Fleischen · ‎03-17-2016

Hi,

I have done some more investigation and I can only run the following command syslog is not supported on my 2910al:

aaa accounting commands stop-only radius

The switch send the accounting to the microsoft NPS server and In the logfile I see this:

<Vendor-Specific data_type="2">0000000B020C73686F7720766C616E73</Vendor-Specific>

The above when translated from hexadecimal to "Show vlans" which was the command I issued. How do I get the NPS to convert this from Hexadecimal to string?

Stephen A Swain · ‎03-28-2016

2910al does support "logging notify running...", you may need to upgrade firmware to the latest available (I'm using W.15.14.0011).

Regarding NPS and hex to string, you'd probably need to use a platform that supports the vendor specific attribute described. I'd assume that would be a HPE product, like IMC. Unfortunely I don't use that, so I can't check...