Using iControl for PCI Compliance

Option 1:

 

If all you want to do is check "if" anything has changed, why don't you use the iControl System.ConfigSync interface to pull down the raw bigip.conf and bigip_base.conf files at regular intervals. You can compare them with a file diff to determine if their contents have changed (thus a system change).

 

 

There are a couple of gotchas with this approach:

 

 

1. This won't cover things like snmp that are not stored in the bigip.conf and bigip_base.conf files

 

 

2. It will only show things that have been persisted to disk. bigpipe commands and iControl calls are not by default. You must issue a "b save" or the equivalent iControl call to flush the changes to disk.

 

 

3. This will not cover users logging in. It will only cover configuration changes made.

 

 

but it should be a very quick way to determine if anything has changed.

 

 

Option 2:

 

 

Again, use the System.ConfigSync commands to create .ucs archives of the entire configuration and download that with the methods in that interface. You can then do a byte-wise diff on the archive to determine file diffs. This would be more exhaustive than Option 1 but would require more overhead.

 

 

Option 3:

 

 

Use the iControl Event API to setup a listener to receive change notification events when they happen. Keep in mind that this may lead to some false alerts as nodes up/down due to monitors have their state changed and will be alerted via this mechanism when that wasn't actually a manual change.

 

 

I'm sure there are some other options, but it's late and my brain is already asleep. If anything else comes to me, I'll let you know.

 

 

If any of these options sounds interesting to you, let me know and I can provide more details on how to implement them.

 

 

Hope this helps...

 

 

-Joe