[j-nsp] Supporting Audit Requirements in JUNOS

Christian Koch christian at broknrobot.com
Tue Jul 22 17:06:22 EDT 2008


Hello Stefan -

I have been going through multiple SAS70's for the past year now...

However, we have a change management process, which changes need to go
through in order for a change to be allowed. So everything is all
documented.

submit change request - review - approve - push change - archive/document

I realize this may not be feasible for everyone, being in different
situations, environments, etc., but it's not too much of a hassle. Also, if
you are using something like rancid, or some script or other network
management product to fetch and save configs when changes are made, I think
you are in the clear.


On a side note, if the commit script thing works well, I think that's an
awesome idea.


christian




On Tue, Jul 22, 2008 at 3:38 PM, Stefan Fouant <sfouant at gmail.com> wrote:

> Hi folks,
>
> As part of SAS 70 Audit requirements, I need to ensure that anytime a
> firewall change is made on my routers a description of that change is
> recorded.  I suppose I could force this by using commit scripts and
> forcing the use of "annotate" on anything in the firewall-filters
> stanza, although this could be rather unwieldy in its implementation.
>  My preference would be to ensure that anytime the configuration is
> committed a 'commit comment <comment>' is used, but doesn't seem that
> I can use commit-scripts to force that since a commit is not a
> configuration variable.  I wonder if I could use "allow-commands" or
> "deny-commands" to accomplish something along these lines...
>
> Has anyone attempted anything similar?  What have you folks done to
> support SAS 70 Audit requirements?
>
> Thanks,
>
> --
> Stefan Fouant
> Principal Network Engineer
> NeuStar, Inc. - http://www.neustar.biz
> GPG Key ID: 0xB5E3803D
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
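
Added example, not part of the original thread: a way to audit after the fact whether each commit carried a comment, by parsing saved `show system commit` output. It assumes the text layout of that command (one header line per commit, with the comment on an indented line below it); the sample output, user names and change-request IDs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout of "show system commit" text output: one header line per
# commit, optionally followed by an indented line holding the commit comment.
HEADER = re.compile(
    r"^(?P<index>\d+)\s+(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)"
    r"\s+by\s+(?P<user>\S+)\s+via\s+(?P<method>\S+)\s*$"
)

# Constructed sample, not taken from a real router.
SAMPLE = """\
0   2008-07-22 17:06:22 EDT by alice via cli
    CR-1042: permit NTP from mgmt subnet in filter protect-re
1   2008-07-21 09:14:03 EDT by bob via cli
2   2008-07-20 22:40:51 EDT by alice via netconf
    CR-1039: add bogon prefixes to edge filter
3   2008-07-19 08:00:10 EDT by carol via cli
"""

@dataclass
class Commit:
    index: int
    when: str
    user: str
    method: str
    comment: Optional[str] = None

def parse_commits(text: str) -> List[Commit]:
    """Turn commit-history text into Commit records, attaching comments."""
    commits: List[Commit] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            commits.append(Commit(int(m["index"]), m["when"], m["user"], m["method"]))
        elif commits and line[:1].isspace() and line.strip():
            # Indented, non-empty line: comment text for the latest header.
            prev = commits[-1]
            prev.comment = line.strip() if prev.comment is None else f"{prev.comment} {line.strip()}"
    return commits

def missing_comment(commits: List[Commit]) -> List[Commit]:
    """Commits an auditor would flag: no description was recorded."""
    return [c for c in commits if not c.comment]

if __name__ == "__main__":
    for c in missing_comment(parse_commits(SAMPLE)):
        print(f"commit {c.index} at {c.when} by {c.user} via {c.method}: no comment")
```

Run against history collected by the same job that archives configs, this gives a per-user list of undocumented commits to reconcile against change requests.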

