STD-005: Change Control

Every configuration change follows verify-change-verify. No exceptions. This standard applies to CLI commands, ISE policies, firewall rules, SSH configs, sed in-place editing, and any operation that modifies system state.

Principles

Verify before AND after. If you don’t capture the before state, you can’t prove what you changed. If you don’t verify after, you don’t know if it worked.
Commands are idempotent where possible. A command run twice MUST produce the same result as running it once. Use grep -q guards and conditional logic.
Separate verification from mutation. Never combine the check and the change in a single command. Three distinct steps: observe, change, confirm.

Requirements

Every configuration change MUST be preceded by a verification command that captures the before state.
Every configuration change MUST be followed by a verification command that confirms the after state.
The verification pattern MUST be: before → change → after.
Verification commands MUST target the specific line, field, or value being changed — not the entire file.
Commands SHOULD be idempotent. Use conditional guards (grep -q, test -f, systemctl is-active) before making changes.
Grouped commands are permitted ONLY when they form a single indivisible logical unit (e.g., a variable assignment and its immediate consumer).
Placeholders in documentation MUST be followed by a concrete example.

The Pattern

# BEFORE — capture current state
sudo awk 'NR==73' /etc/ssh/sshd_config

# CHANGE — apply modification
sudo sed -i '73s/#GSSAPIAuthentication no/GSSAPIAuthentication yes/' /etc/ssh/sshd_config

# AFTER — verify the change took effect
sudo awk 'NR==73' /etc/ssh/sshd_config

Compliance

Check Method Pass Criterion

Check	Method	Pass Criterion
Before state captured	Every change command is preceded by a read command targeting the same resource	No "blind" changes
After state verified	Every change command is followed by a verification	Change confirmed in output
Targeted verification	Verification commands use line numbers, field selectors, or value matching — not `cat entire-file`	Specific, not broad
Idempotent where possible	Repeated execution produces same result	No side effects on re-run

Before state captured

Every change command is preceded by a read command targeting the same resource

No "blind" changes

After state verified

Every change command is followed by a verification

Change confirmed in output

Targeted verification

Verification commands use line numbers, field selectors, or value matching — not cat entire-file

Specific, not broad

Idempotent where possible

Repeated execution produces same result

No side effects on re-run

Platform Adaptation

This standard applies uniformly across all platforms. The verification commands vary by tool:

Tool Before / After Change

Tool	Before / After	Change
`sed -i`	`awk 'NR==N'` or `grep pattern`	`sed -i 's/old/new/'`
`nmcli`	`nmcli connection show <name> \| grep <field>`	`nmcli connection modify <name> <setting> <value>`
ISE Policy	Export current policy via ERS API	Apply change via API or GUI
Firewall	`sudo ufw status` / `firewall-cmd --list-all`	`ufw allow` / `firewall-cmd --add-rule`

sed -i

awk 'NR==N' or grep pattern

sed -i 's/old/new/'

nmcli

nmcli connection show <name> | grep <field>

nmcli connection modify <name> <setting> <value>

ISE Policy

Export current policy via ERS API

Apply change via API or GUI

Firewall

sudo ufw status / firewall-cmd --list-all

ufw allow / firewall-cmd --add-rule

Exceptions

Emergency break-fix scenarios MAY defer the before-capture when system availability is at immediate risk, but the after-verification is NEVER optional. The before-state gap MUST be documented in the incident report.

Change Management Patterns — the field notebook entries that originated this standard
RCA Patterns — what to do when changes cause failures
STD-002: Deployment Validation — systematic post-change verification