Auditing

Started by icecream-guy, October 05, 2017, 11:52:23 AM


icecream-guy

So what is it that you guys are using for auditing and reporting?

Things like when a switch or firewall config gets changed,
or when a user fails 10 consecutive logins,
or when the process that emails the boss about the 10 failed logins fails to trigger.
Stuff like that.

mlan

We are currently using Solarwinds Orion modules for many of these auditing and alerting requirements.

deanwebb

Firewall config tracking: Tufin is amazing. Get your hands on that.

Otanx

For config changes we use RANCID. Get an email with a diff of all changes. We have it running on a schedule, and also have a small script that triggers whenever a syslog message is received for entering config mode that forces a check of that specific device.

For any security stuff like failed logins we have a SOC that alerts us. They will catch our RANCID user when we forget to update the password in time, so I know they see it. How they do it I have no clue. I know a lot of people are really big on Splunk now, but it isn't cheap or easy to set up.

-Otanx
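The two mechanisms discussed in this thread, a syslog-triggered per-device RANCID run on config-mode entry (Otanx's setup) and an alert after 10 consecutive failed logins (the original question), fit in one small syslog dispatcher. The following is an added example, not code from any poster or from RANCID itself. It assumes Cisco IOS style message formats (%SYS-5-CONFIG_I, %SEC_LOGIN-4-LOGIN_FAILED, %SEC_LOGIN-5-LOGIN_SUCCESS) and that `rancid-run -r <device>` is available on the collector; the sample log lines are constructed for the demonstration and the `run_rancid` hook is swappable so the logic can be exercised without a RANCID install.

```python
import re
import subprocess
from collections import defaultdict

# Cisco IOS style messages (assumed formats; adjust the patterns to your platform).
HOST_RE = re.compile(r"^(?:<\d+>)?\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I:")
LOGIN_FAIL_RE = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED:.*?\[user: ([^\]]+)\]")
LOGIN_OK_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS:.*?\[user: ([^\]]+)\]")

FAILED_LOGIN_THRESHOLD = 10  # the "10 consecutive logins" from the question


def rancid_run_device(device):
    """Force an immediate RANCID collection of one device (assumed on PATH).
    rancid-run -r <device> limits the run to that device; the diff mail then
    comes from RANCID itself, so nothing else is needed here."""
    subprocess.run(["rancid-run", "-r", device], check=False)


class SyslogWatcher:
    """Dispatches syslog lines to two checks: config-mode entry -> per-device
    RANCID run, and consecutive failed logins -> alert at the threshold."""

    def __init__(self, run_rancid=rancid_run_device, threshold=FAILED_LOGIN_THRESHOLD):
        self.run_rancid = run_rancid
        self.threshold = threshold
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.events = []                   # (kind, subject) for every matched line

    def handle(self, line):
        m = HOST_RE.match(line)
        host = m.group(1) if m else "unknown"
        if CONFIG_RE.search(line):
            self.run_rancid(host)           # collect this device right now
            event = ("config_change", host)
        elif (m := LOGIN_FAIL_RE.search(line)):
            user = m.group(1)
            self.failures[user] += 1
            if self.failures[user] == self.threshold:
                event = ("lockout_alert", user)   # fire exactly once at the threshold
            else:
                event = ("login_failed", user)
        elif (m := LOGIN_OK_RE.search(line)):
            user = m.group(1)
            self.failures[user] = 0         # a success breaks the consecutive streak
            event = ("login_ok", user)
        else:
            return None                     # not a line we care about
        self.events.append(event)
        return event

    def alerts(self):
        return [u for k, u in self.events if k == "lockout_alert"]

    def config_changes(self):
        return [h for k, h in self.events if k == "config_change"]


# Constructed sample input (not real captured logs).
CONFIG_LINE = ("<189>Oct  5 11:52:23 core-sw1 123: %SYS-5-CONFIG_I: "
               "Configured from console by admin on vty0 (10.0.0.5)")


def login_line(host, user, ok):
    """Constructed syslog line in the IOS SEC_LOGIN format."""
    if ok:
        return (f"<189>Oct  5 12:00:00 {host} 200: %SEC_LOGIN-5-LOGIN_SUCCESS: "
                f"Login Success [user: {user}] [Source: 10.0.0.9] [localport: 22]")
    return (f"<188>Oct  5 12:00:00 {host} 201: %SEC_LOGIN-4-LOGIN_FAILED: "
            f"Login failed [user: {user}] [Source: 10.0.0.9] [localport: 22] "
            f"[Reason: Login Authentication Failed]")


def build_sample():
    lines = [CONFIG_LINE]
    lines += [login_line("edge-fw1", "bob", False)] * 3
    lines.append(login_line("edge-fw1", "bob", True))    # resets bob's streak
    lines += [login_line("edge-fw1", "bob", False)] * 10  # 10th one alerts
    lines += [login_line("edge-fw1", "alice", False)] * 9  # one short, no alert
    return lines


def run_sample(run_rancid=None):
    """Feed the constructed lines through the watcher; by default records
    which devices would have been handed to rancid-run instead of running it."""
    ran = []
    watcher = SyslogWatcher(run_rancid=run_rancid or ran.append)
    for line in build_sample():
        watcher.handle(line)
    return watcher, ran


if __name__ == "__main__":
    watcher, ran = run_sample()
    print("rancid runs triggered for:", ran)
    print("lockout alerts:", watcher.alerts())
```

In production the lines would come from the syslog daemon (for example a syslog-ng or rsyslog program() destination piping into `handle`), and the third item in the question, the alert path itself silently failing, is covered by the fact that `lockout_alert` is recorded as an event: a periodic check that the event count has grown while failures were being logged catches a dead notifier.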