[tac_plus] logging all commands run

Alan McKinnon alan.mckinnon at gmail.com
Mon Apr 14 14:27:32 UTC 2014


On 14/04/2014 14:55, Munroe Sollog wrote:
> So the next tribulation in my quest for a fully auditing network environment is to have tacacs+
> log _every_ command.
> 
> group = techs {
>     service = exec {
>         priv-lvl=2
>     }
>     cmd = show {
>         permit .*
>     }
>     cmd = exit {
>         permit .*
>     }
>     cmd = enable {
>         permit .*
>     }
> }
> 
> 
> When a member of this group issues the command 'show interface status' nothing is logged.  My best
> guess as to why nothing is logged is because a 'normal' priv-lvl 1 user has access to that command
> and thus there is no reason to do the authorization step, and thus it doesn't get logged.  Is
> there a way to force logging for everything entered?  I'm willing to entertain some creative
> solutions.
> 
> Thanks.
> - Munroe


Do you want to log every command entered, or every command run?

For the former, use tacacs accounting.
For the latter, use the -d 8 option to tac_plus (this makes your logs
very verbose)

A useful thing to keep in mind is what tac_plus does when it logs. It's
not a tacacs log, it's a Unix daemon log and it's recording the state of
the daemon. Any information about the tacacs exchange is a lucky
side-effect.

Accounting does give you all commands run, but obviously not those that
failed authorization. Accounting is to record events that happened, not
things that were denied.



A further option that requires some work on your part is to use the pre-
and post-authorization hooks provided in tac_plus. It's described rather
well in the manual file shipped in the tarball - tac_plus will call a
custom script that you write, and all the info you could find useful is
available as parameters (username, source address, port, device address,
port and more). Getting the command run is quirky - it's not a
parameter; tac_plus writes it to STDOUT as a sequence of key-value pairs
which you have to read and assemble. The command is tokenized into
words; the first is the "command", all others are "arguments". Like this:

cmd=show
cmd_arg=ip
cmd_arg=interface
cmd_arg=brief


Tacacs AV pairs requested by the router are sent similarly.

Use the pre-auth hook and your script should write a log entry and exit
with exit code 0. tac_plus will then continue doing its usual
authorization. You won't need accounting logs for this purpose if you
follow this route.




-- 
Alan McKinnon
alan.mckinnon at gmail.com
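Added example (not part of the thread above, and not code shipped with tac_plus): a pre-authorization hook script of the kind Alan describes. It reads the key=value pairs tac_plus hands it on stdin, reassembles `cmd=` and the `cmd_arg=` tokens into one command line, appends a log entry, hands the pairs back unchanged on stdout and exits 0 so tac_plus carries on with its normal authorization. The invocation line in the comment, the positional parameter order (user, device name, port, source address), the log path and the pass-through of the pairs on stdout are assumptions; check them against the manual in your tarball before relying on the script. Note that a hook in the authorization path only sees requests the device actually sends, so a command the device never authorizes still will not appear.

```shell
#!/bin/sh
# Hypothetical tac_plus pre-authorization hook (added example, not tac_plus's own code).
# Assumed wiring in tac_plus.conf (verify against the manual shipped with your version):
#   before authorization "/usr/local/sbin/log_cmd.sh $user $name $port $address"
# Assumed positional parameters: 1=username 2=device name 3=port 4=source address.
# The AV pairs arrive on stdin, one key=value per line, e.g. cmd=show / cmd_arg=ip.

# Assumed log location; override with TACACS_CMD_LOG in the daemon's environment.
LOGFILE="${TACACS_CMD_LOG:-/var/log/tac_plus/commands.log}"

# assemble_cmd: read key=value pairs from stdin and print the reconstructed
# command line; the cmd token comes first, cmd_arg tokens follow in arrival order.
# Pairs that are not part of the command (service=, priv-lvl=, ...) are skipped.
assemble_cmd() {
    cmd=""
    args=""
    while IFS= read -r line; do
        case "$line" in
            cmd=*)     cmd="${line#cmd=}" ;;
            cmd_arg=*) args="$args ${line#cmd_arg=}" ;;
            *)         ;;
        esac
    done
    printf '%s%s\n' "$cmd" "$args"
}

# format_entry: build one log line from its fields.
# $1=timestamp $2=user $3=device $4=port $5=source address $6=command
format_entry() {
    printf '%s user=%s device=%s port=%s from=%s cmd="%s"\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# main_hook: the entry point tac_plus would call; arguments as assumed above.
main_hook() {
    user="${1:-unknown}"
    device="${2:-unknown}"
    port="${3:-unknown}"
    addr="${4:-unknown}"

    # Slurp the pairs once: we need them both for logging and to hand back.
    pairs=$(cat)
    command=$(printf '%s\n' "$pairs" | assemble_cmd)

    # A service=exec request (shell start) carries no cmd; log only real commands.
    if [ -n "$command" ]; then
        ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
        format_entry "$ts" "$user" "$device" "$port" "$addr" "$command" >> "$LOGFILE"
    fi

    # Return the pairs untouched and exit 0 so tac_plus proceeds with authorization.
    printf '%s\n' "$pairs"
    return 0
}

# Run the hook only when this file is executed under its own name, not when sourced.
case "${0##*/}" in
    log_cmd.sh) main_hook "$@" ;;
esac
```

The script deliberately never decides anything: it records and passes through. If your tac_plus version expects a different exit-status or stdout contract for "continue unchanged", adjust the last two lines of main_hook to match the manual rather than the assumption made here.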