V-220566

Discussion

System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.

Check Content

Review the Cisco switch configuration to verify that it is configured to automatically back up its running configuration to a remote server when a change is made. The example configuration below will send the configuration to a SCP server when a configuration change occurs.

Verify that an Embedded Event Manager (EEM) applet is configured to trigger on the syslog message "%SYS-5-CONFIG_I".

Verify the EEM applet contains an action to copy the running configuration to a secure server (e.g., SCP).

Verify the command authorization bypass is present within the applet to ensure it executes correctly under AAA.

Verify the global command file prompt quiet is configured to prevent the applet from timing out.

Verify the authentication method used for the file transfer:

The command "copy running-config scp://<username>@<x.x.x.x>/<path_on_server>/$_info_routername-running-config".

Note: The absence of a password indicates the use of secure public/private key authentication.

If the Cisco switch is not configured to conduct automated backups of the configuration when changes occur, or if it does so using an insecure method like a cleartext password, this is a finding.