[tac_plus] Re: Can you log ping and traceroute commands?

Andy Saykao asaykao at gmail.com
Wed Dec 2 22:17:33 UTC 2009


Thanks to John and Daniel...


Daniel - you're right on the money. I did have ping defined as a priv-lvl 3
command on the router.

privilege exec level 3 ping ip
privilege exec level 3 ping

Note that if I do not configure "privilege exec level 3 ping ip" it appears
as a priv-lvl1 command.

Thu Dec  3 09:12:08 2009        203.17.101.x   hdtest  tty3    210.15.210.y
  stop    task_id=108     timezone=AEDT   service=shell
start_time=1259791962 priv-lvl=1       cmd=ping 210.15.254.x <cr>

Same deal with traceroute. If you want to see the traceroute appear as
something other than a priv-lvl1 command, you need both traceroute and
traceroute ip configured.

Therefore, I will withdraw everything said about the caveats in my earlier
post. However, be aware that Cisco does place their ping command in
different privilege levels depending on the IOS and/or hardware platform
you're running. For example on 124-24.T1 and 122-31.SB14, ping defaults to a
priv-lvl 1 command but on the newer ASR which we're running 122-33.XNB3, I
have to enable into a higher privilege level to run the ping command (it
does not default to a priv-lvl1 command).

Cheers.

Andy

On Thu, Dec 3, 2009 at 2:48 AM, Schmidt, Daniel
<dan.schmidt at uplinkdata.com>wrote:

> That should not be, Cisco only uses 0,1 and 15 by default.  You have not
> done any privilege exec level commands?
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
> Sent: Tuesday, December 01, 2009 8:13 PM
> To: john heasley
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: Can you log ping and traceroute commands?
>
> Hi All,
>
> Turns out IOS wasn't broken after all. It appears that IOS sees a ping
> command as a priv-lvl 3 command and I didn't have priv-lvl 3 configured
> for accounting.
>
> aaa accounting commands 3 default start-stop group tacacs+
>
> A 'debug aaa accounting' helped me figure out that ping command is a
> priv-lvl 3 command.
>
> Dec  2 13:56:29 AEDT: AAA/MEMORY: create_user (0x66146308) user='user1'
> ruser='myrouter' ds0=0 port='tty2' rem_addr='210.15.210.x'
> authen_type=ASCII
> service=NONE priv=3 initial_task_id='0', vrf= (id=0)
>
> Once I added priv-lvl 3 commands to aaa accounting, it showed up in the
> logs now.
>
> Wed Dec  2 13:55:58 2009        203.17.101.y   user1 tty2    210.15.210.x
>   stop    task_id=42      timezone=AEDT   service=shell
> start_time=1259722589 priv-lvl=3       cmd=ping 210.15.254.x <cr>
>
> Just a caveat with this, ping is priv-lvl 3 on the two IOS I tested, but
> traceroute showed up as priv-lvl 3 using 122-31.SB13 and priv-lvl 15
> using 124-24.T1. That's Cisco for you with their priv-lvl's...
>
> Glad to finally get to the bottom of this.
>
> Cheers.
>
> Andy
>
> On Fri, Nov 27, 2009 at 5:19 PM, john heasley <heas at shrubbery.net> wrote:
>
> > Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> > > Hi All,
> > >
> > > I've set up a hdtest user that can run privilege commands by using
> > > privilege-level 3 and going into "enable 3". Whilst the user can run the
> > > privilege commands like ping and traceroute, I am not seeing these
> > > commands appear in the accounting logs for this user.
> > >
> > > It looks like the command 'ping' does not appear anywhere in the log
> > > even when I use a privilege-level 15 user, so I can only assume that
> > > this is the desired behaviour. But with traceroute, I see it appearing
> > > in the logs for a privilege-level 15 user but not for a privilege-level
> > > 3 user? Any ideas why this is so or how to see it in the log for a
> > > privilege-level 3 user?
> >
> > that'd seem a clear indication that your ios is broken.
> >
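The lesson of the thread is that a command only reaches the TACACS+ accounting log if `aaa accounting commands N` is configured for the privilege level the command actually runs at on that IOS, and `privilege exec level` can move commands such as ping and traceroute to a level you are not accounting for. That gap can be checked mechanically. The script below is an added example, not code from the tac_plus project or from anyone on the thread: it parses tac_plus accounting records, groups the commands seen by priv-lvl, and compares the levels that `privilege exec level` assigns commands to against the levels that have command accounting configured. It assumes tac_plus writes one tab-separated record per line with the fixed fields in the order shown in the quoted log lines (timestamp, NAS, user, port, remote address, flags, then attr=value pairs); the router config, usernames and addresses are constructed for the example.

```python
"""Check IOS command-accounting coverage against tac_plus accounting records.

Added example (not tac_plus project code).  Assumes tab-separated tac_plus
accounting records and the IOS 'privilege exec level N <cmd>' and
'aaa accounting commands N ...' forms quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed accounting records, modelled on the ones quoted in the thread.
SAMPLE_ACCT_LOG = "\n".join([
    "Wed Dec  2 13:55:58 2009\t203.17.101.1\tuser1\ttty2\t210.15.210.1\tstop"
    "\ttask_id=42\ttimezone=AEDT\tservice=shell\tstart_time=1259722589"
    "\tpriv-lvl=3\tcmd=ping 210.15.254.1 <cr>",
    "Thu Dec  3 09:12:08 2009\t203.17.101.1\thdtest\ttty3\t210.15.210.2\tstop"
    "\ttask_id=108\ttimezone=AEDT\tservice=shell\tstart_time=1259791962"
    "\tpriv-lvl=1\tcmd=ping 210.15.254.1 <cr>",
    "Thu Dec  3 09:13:40 2009\t203.17.101.1\thdtest\ttty3\t210.15.210.2\tstop"
    "\ttask_id=109\ttimezone=AEDT\tservice=shell\tstart_time=1259792020"
    "\tpriv-lvl=15\tcmd=traceroute 210.15.254.1 <cr>",
    "Thu Dec  3 09:14:02 2009\t203.17.101.1\thdtest\ttty3\t210.15.210.2\tstop"
    "\ttask_id=110\ttimezone=AEDT\tservice=shell\tstart_time=1259792042"
    "\tpriv-lvl=15\tcmd=configure terminal <cr>",
])

# Constructed (hypothetical) IOS config: ping/traceroute moved to level 3,
# but command accounting only for levels 1 and 15 -- the gap from the thread.
SAMPLE_IOS_CONFIG = """\
privilege exec level 3 ping ip
privilege exec level 3 ping
privilege exec level 3 traceroute ip
privilege exec level 3 traceroute
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

ACCT_FIXED_FIELDS = ("timestamp", "nas", "user", "port", "rem_addr", "flags")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+?)\s*$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) ")


def parse_acct_line(line):
    """Parse one tac_plus accounting record into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(ACCT_FIXED_FIELDS):
        return None
    rec = dict(zip(ACCT_FIXED_FIELDS, parts))
    for pair in parts[len(ACCT_FIXED_FIELDS):]:
        key, sep, value = pair.partition("=")
        if sep:
            rec[key] = value
    if "priv-lvl" in rec:
        rec["priv-lvl"] = int(rec["priv-lvl"])
    if "cmd" in rec:
        # IOS appends ' <cr>' to the command line it ran; drop it for matching.
        rec["cmd"] = re.sub(r"\s*<cr>\s*$", "", rec["cmd"])
    return rec


def parse_acct_log(text):
    """Parse a whole accounting file, skipping blank or malformed lines."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_acct_line(line)
        if rec is not None:
            recs.append(rec)
    return recs


def command_levels(config_text):
    """Map each command reassigned by 'privilege exec level' to its level."""
    levels = {}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            levels[m.group(2)] = int(m.group(1))
    return levels


def accounted_levels(config_text):
    """Privilege levels that have 'aaa accounting commands N' configured."""
    found = set()
    for line in config_text.splitlines():
        m = ACCT_RE.match(line.strip())
        if m:
            found.add(int(m.group(1)))
    return found


def accounting_gaps(config_text):
    """Levels with commands assigned to them but no command accounting.

    Commands run at such a level never reach the TACACS+ server at all,
    which is why ping was silently absent from the logs in the thread.
    """
    assigned = set(command_levels(config_text).values())
    return sorted(assigned - accounted_levels(config_text))


def fix_accounting(config_text):
    """Return the config with an accounting line appended for each gap."""
    lines = [config_text.rstrip("\n")]
    for lvl in accounting_gaps(config_text):
        lines.append(f"aaa accounting commands {lvl} default start-stop group tacacs+")
    return "\n".join(lines) + "\n"


def commands_by_level(records):
    """Group the command keyword (first word of cmd) seen per priv-lvl."""
    seen = defaultdict(set)
    for rec in records:
        words = rec.get("cmd", "").split()
        if rec.get("service") == "shell" and words and "priv-lvl" in rec:
            seen[rec["priv-lvl"]].add(words[0])
    return {lvl: sorted(cmds) for lvl, cmds in seen.items()}


if __name__ == "__main__":
    for lvl, cmds in sorted(commands_by_level(parse_acct_log(SAMPLE_ACCT_LOG)).items()):
        print(f"priv-lvl {lvl}: {' '.join(cmds)}")
    print("levels with commands but no accounting:", accounting_gaps(SAMPLE_IOS_CONFIG))
    print(fix_accounting(SAMPLE_IOS_CONFIG))
```

Run it against `show running-config` output and the tac_plus accounting file from the same router; any level reported by `accounting_gaps` is one whose commands you will never see in the log, regardless of what the TACACS+ side is configured to do. Because, as the thread shows, the default level of ping and traceroute varies between IOS releases, the safer practice is to account for every level in use rather than only the ones you expect commands to land in.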