← 返回
未分类 中文

Config Management

Configuration backup, drift detection, and golden config validation across Cisco IOS-XE/NX-OS, Juniper JunOS, and Arista EOS. Covers running vs startup compa...
支持Cisco IOS-XE/NX-OS、Juniper JunOS和Arista EOS的配置备份、漂移检测和黄金配置验证。涵盖运行配置与启动配置的对比分析。
vahagn-madatyan vahagn-madatyan 来源
未分类 clawhub v1.0.0 1 版本 100000 Key: 无需
★ 0
Stars
📥 435
下载
💾 3
安装
1
版本
#latest

概述

Configuration Management

Ongoing configuration assurance skill covering backup, drift detection, and

golden config validation. This skill identifies unauthorized or unintended

changes by comparing device configurations against known-good baselines and

organizational compliance rules.

Commands are labeled [Cisco], [JunOS], or [EOS] where syntax

diverges. Unlabeled statements apply to all three vendors.

> Safety Note — Read-Write Operations: This skill includes procedures that

> may modify device state (config archival to remote storage, rollback, config

> replace). Steps that write to devices are marked with ⚠️ WRITE. Always

> confirm authorization and maintenance window status before executing write

> operations. Read-only assessment steps can be run at any time without risk.

When to Use

  • Scheduled configuration compliance audit against golden baselines
  • Investigating suspected unauthorized configuration changes
  • Post-maintenance verification that running config was saved to startup
  • Validating configuration consistency across device groups or stacks
  • Checking that security-mandated patterns (AAA, NTP, logging) are present
  • Ensuring forbidden patterns (default credentials, telnet, SNMPv1) are absent
  • Building or refreshing a configuration archive before a change window
  • Periodic drift detection as part of operational hygiene (daily/weekly)

Prerequisites

  • SSH or console access to the device (read-only sufficient for assessment;

enable/configure privilege required for remediation or archival steps)

  • A golden config baseline or previous archived config for comparison
  • Knowledge of organizational compliance requirements: required services (AAA,

NTP, syslog), forbidden protocols (telnet, HTTP management, SNMPv1/v2c

without ACL), and mandatory security features (ACLs, CoPP)

  • For archival: reachable SCP/TFTP/FTP server or local flash storage
  • Awareness of any active maintenance window that may explain expected drift

Procedure

Follow these steps sequentially. Steps 1–2 are always safe (read-only).

Steps 3–7 include optional write operations marked with ⚠️.

Step 1: Config Collection

Capture the current running and startup/saved configurations.

[Cisco]

show running-config
show startup-config

[JunOS]

show configuration | display set
show configuration | compare rollback 0

[EOS]

show running-config
show startup-config

On JunOS, the candidate configuration model means the active config is the

committed config. Use show configuration to view committed state. See

references/cli-reference.md for architectural differences.

Step 2: Running vs Startup Comparison

Detect unsaved changes — running config that would be lost on reload.

[Cisco]

show archive config differences system:running-config nvram:startup-config

[JunOS]

show | compare rollback 0

[EOS]

show running-config diffs

Any differences indicate unsaved changes. Record the diff output and timestamp.

Classify the age of unsaved changes — see Threshold Tables for severity. If

changes are intentional (active maintenance), note the maintenance ticket.

Step 3: Config Archival

⚠️ WRITE — Back up the current configuration with timestamped naming.

[Cisco]

copy running-config tftp://[server]/[hostname]-YYYYMMDD-HHMM.cfg

[JunOS]

request system configuration save /var/tmp/[hostname]-YYYYMMDD-HHMM.conf

[EOS]

copy running-config flash:[hostname]-YYYYMMDD-HHMM.cfg

Use consistent naming: {hostname}-{YYYYMMDD}-{HHMM}.cfg. Verify the backup

was written successfully by checking file size and comparing a hash of the

backup against the running config. Maintain a minimum of 3 archived configs per

device for rollback options.

Step 4: Golden Config Baseline

Retrieve the golden (intended-state) configuration for this device role. Golden

configs are maintained per device role (e.g., access-switch, core-router,

WAN-edge) and contain all mandatory configuration sections.

If no golden config exists yet, establish one:

  1. Start from a known-compliant device config
  2. Remove device-specific values (hostnames, IPs, interface descriptions)
  3. Keep all compliance-mandated sections (AAA, NTP, logging, SNMP, ACLs)
  4. Document the golden config version and approval date

For comparison, normalize both configs before diffing — see

references/drift-detection.md for normalization rules.

Step 5: Drift Detection

Compare current config against the golden baseline section by section.

Partition the configuration into logical sections for structured comparison:

SectionCisco ExamplesJunOS ExamplesEOS Examples
------------------------------------------------------
Routingrouter bgp, router ospfprotocolsrouter bgp, router ospf
Switchingspanning-tree, vlanvlans, protocols rstpspanning-tree, vlan
Securityaccess-list, line vtyfirewall, system loginip access-list, management
Managementlogging, ntp, snmpsystem syslog, system ntplogging, ntp, snmp-server
Servicesip dhcp, ip natforwarding-optionsip dhcp, ip nat

For each section, identify additions, deletions, and modifications compared

to the baseline. Classify each difference by severity — see Threshold Tables.

Step 6: Compliance Validation

Check for required and forbidden configuration patterns.

Required patterns (must be present):

  • AAA authentication configured and active
  • NTP synchronization to authorized time sources
  • Syslog forwarding to centralized logging servers
  • SNMP with ACL restrictions (no unrestricted community strings)
  • Management access restricted to SSH only (no telnet, no HTTP)

Forbidden patterns (must be absent):

  • Default credentials (e.g., username admin password admin)
  • Telnet or HTTP enabled for management (transport input telnet, no ip http secure-server)
  • SNMPv1/v2c without source ACL restriction
  • Unrestricted VTY access (no ACL applied to VTY lines)
  • DHCP snooping or ARP inspection disabled on access ports

Reference references/drift-detection.md for full compliance rule definitions

with vendor-specific pattern matching.

Step 7: Remediation Guidance

⚠️ WRITE — Address drift findings based on severity classification.

For Critical drift (routing, security sections):

  1. Verify if the change was authorized (check change tickets)
  2. If unauthorized, prepare a rollback to the last known-good config
  3. [Cisco] configure replace flash:[backup].cfg force
  4. [JunOS] rollback [n] then commit
  5. [EOS] configure replace flash:[backup].cfg

For Warning drift (management plane, logging):

  1. Document the deviation in the drift report
  2. Schedule remediation during the next maintenance window
  3. Apply missing configuration elements incrementally

For Info drift (cosmetic — descriptions, banners, comments):

  1. Log the deviation for tracking
  2. Remediate opportunistically during scheduled maintenance

After any remediation, re-run Steps 1–2 to confirm the config matches the

intended state and save the corrected running config to startup.

Threshold Tables

Drift Severity by Config Section

Config SectionSeverityRationale
------------------------------------
Routing (BGP, OSPF, static)CriticalDirect traffic impact, potential outage
Security (ACLs, AAA, CoPP)CriticalExposure to unauthorized access
Switching (STP, VLANs)HighLoop risk, VLAN leakage
Management (logging, NTP, SNMP)WarningOperational visibility loss
Services (DHCP, NAT)WarningService-level impact, no network-wide risk
Cosmetic (descriptions, banners)InfoNo operational impact

Unsaved Change Age

AgeSeverityAction
-----------------------
< 1 hourInfoLikely active maintenance — verify with operator
1–4 hoursWarningCheck if maintenance window is active
4–24 hoursHighLikely forgotten save — prompt operator to save or revert
> 24 hoursCriticalUnsaved changes at high risk of loss — immediate save or revert

Config Archive Freshness

Last ArchiveStatusAction
-----------------------------
< 7 daysCurrentNo action needed
7–30 daysStaleSchedule archive refresh
30–90 daysWarningArchive before any changes
> 90 daysCriticalImmediate archive required

Decision Trees

Drift Detected

Drift found between running config and golden baseline
├── Classify section
│   ├── Routing / Security → Critical
│   ├── Switching → High
│   ├── Management / Services → Warning
│   └── Cosmetic → Info
│
├── Check authorization
│   ├── Change ticket exists for this device/window?
│   │   ├── Yes → Authorized drift
│   │   │   ├── Update golden baseline if change is permanent
│   │   │   └── Document as accepted deviation if temporary
│   │   └── No → Unauthorized drift
│   │       ├── Critical/High → Escalate and prepare rollback
│   │       └── Warning/Info → Document and schedule remediation
│   └── Cannot determine → Treat as unauthorized, notify operator
│
└── Remediation path
    ├── Rollback available? (archived config within freshness threshold)
    │   ├── Yes → Apply config replace (Step 7)
    │   └── No → Manual remediation required
    └── Post-remediation → Re-run Steps 1–6 to confirm compliance

Running ≠ Startup

Running config differs from startup config
├── Maintenance window active?
│   ├── Yes → Expected — changes in progress
│   │   └── Remind operator to save when maintenance completes
│   └── No → Unexpected unsaved changes
│       ├── Age < 1 hour → Possible recent change, check with operator
│       ├── Age 1–24 hours → Likely forgotten save
│       │   └── Prompt: save to startup or revert to startup config
│       └── Age > 24 hours → Critical risk
│           └── Immediate action: save or revert, then archive
│
└── Cannot determine age
    └── Check last config change timestamp
        ├── [Cisco] show running-config | include Last config
        ├── [JunOS] show system commit
        └── [EOS] show running-config | include Last modified

Compliance Violation

Required pattern missing or forbidden pattern present
├── Classify violation severity
│   ├── Security (AAA missing, default creds, telnet) → Critical
│   ├── Logging (syslog missing, NTP missing) → Warning
│   └── Best practice (banner missing) → Info
│
├── Auto-remediation candidate?
│   ├── Additive fix (add NTP server, add logging host) → Yes
│   │   └── Generate remediation config snippet
│   │       └── Apply during maintenance window (Step 7)
│   ├── Removal required (remove telnet, remove default creds) → Yes with caution
│   │   └── Verify no dependencies before removing
│   └── Structural change (enable AAA, reconfigure SNMP) → No — manual review
│       └── Create change request for manual implementation
│
└── Document in compliance report with violation details

Report Template

CONFIGURATION MANAGEMENT REPORT
=================================
Device: [hostname]
Vendor: [Cisco | JunOS | EOS]
Device Role: [access-switch | core-router | WAN-edge | ...]
Check Time: [timestamp]
Performed By: [operator/agent]
Golden Config Version: [version/date]

SAVED STATE:
- Running vs Startup: [Match | Differs]
- Unsaved change age: [duration or N/A]
- Last archive date: [date]
- Archive freshness: [Current | Stale | Warning | Critical]

DRIFT SUMMARY:
- Sections checked: [n]
- Deviations found: [n]
  - Critical: [n] | High: [n] | Warning: [n] | Info: [n]

DRIFT FINDINGS:
1. [Severity] [Section] — [Description]
   Golden: [expected config line/block]
   Current: [actual config line/block]
   Authorization: [ticket# | Unauthorized | Unknown]
   Action: [Rollback | Schedule fix | Accept | Update baseline]

COMPLIANCE STATUS:
- Required patterns: [n/total] present
- Forbidden patterns: [n] found
- Violations:
  1. [Severity] [Rule] — [detail]

REMEDIATION ACTIONS:
- [Prioritized action list with target maintenance window]

NEXT CHECK: [CRITICAL: 4hr | HIGH: 8hr | WARNING: 24hr | HEALTHY: 7d]

Troubleshooting

Config Diff Shows False Positives

Diffs include generated lines (timestamps, certificate hashes, build

information) that change between captures but are not real drift. Normalize

configs before comparison by stripping timestamps, build strings, and

auto-generated comments. See references/drift-detection.md for normalization

patterns per vendor.

JunOS Candidate Config Confusion

JunOS uses a candidate-commit model. show configuration displays committed

(active) config. Uncommitted candidate changes appear only with `show |

compare`. If drift analysis shows differences between a JunOS device and its

golden config, verify that no uncommitted candidate changes are pending —

uncommitted changes do not affect the running device but will take effect on

next commit.

Archive Transfer Failures

Config export to remote servers may fail due to: ACL on the device blocking

outbound SCP/TFTP, DNS resolution failure for server hostname, authentication

failure on SCP, or insufficient flash space for local copy. Test connectivity

with ping first, verify SCP credentials, and check available flash space with

dir flash: (Cisco/EOS) or file list /var/tmp/ (JunOS).

Large Config Diff Overwhelms Analysis

Configs exceeding 10,000 lines produce diffs that are difficult to analyze

holistically. Break the comparison into the section categories from Step 5 and

analyze one section at a time. Prioritize sections by severity tier from the

Threshold Tables. For structured configs (JunOS set-format, EOS section mode),

sort lines before diffing to reduce positional noise.

Compliance Rule Vendor Variations

The same security requirement maps to different config syntax per vendor. For

example, disabling telnet: Cisco uses transport input ssh on VTY lines, JunOS

uses delete system services telnet, and EOS uses no management telnet.

Reference references/drift-detection.md for vendor-specific compliance

patterns to avoid false positives or missed violations.

版本历史

共 1 个版本

  • v1.0.0 当前
    2026-03-31 03:09 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

it-ops-security

MoltGuard - Security & Antivirus & Guardrails

thomaslwang
MoltGuard — OpenClaw 安全守卫,由 OpenGuardrails 提供。安装后可防止您和您的用户受到提示注入、数据泄露及恶意行为的侵害。
★ 116 📥 31,047
it-ops-security

1password

steipete
设置和使用 1Password CLI (op)。适用于:安装 CLI、启用桌面应用集成、登录(单/多账户)、通过 op 读取/注入/运行密钥。
★ 53 📥 31,997
it-ops-security

Free Ride - Unlimited free AI

shaivpidadi
管理OpenClaw的OpenRouter免费AI模型,自动按质量排名模型,配置速率限制备用方案,并更新opencla...
★ 472 📥 78,795