[tac_plus] logging all commands run
Alan McKinnon
alan.mckinnon at gmail.com
Mon Apr 14 14:55:16 UTC 2014
On 14/04/2014 16:38, Munroe Sollog wrote:
> I am using accounting. The behavior though is a bit confusing to me. For example, the user
> 'luser' has the following stanza in the tac_plus.conf:
>
> user = luser {
>     default service = permit
>     login = file /usr/local/etc/tac_passwd_file
>     service = exec {
>         priv-lvl = 2
>     }
>     cmd = show {
>         permit .*
>     }
> }
>
> The following is an excerpt from the accounting log as well as the actual switch session. As you
> can see the first time I try 'conf t' nothing is logged, when I am still priv-lvl 2 and run 'show
> interface status' nothing is logged. However, after I 'enable' (typoed the password the first
> time) and then run a 'do show interface status' then it is logged. I'm wondering why isn't my
> 'show interface status' logged the first time.
>
>
> ====tacacs accounting log====
>
> Apr 14 10:30:46 192.168.1.126 luser tty2 192.168.1.76 start task_id=334 timezone=UTC
> service=shell start_time=1397485846
> Apr 14 10:31:01 192.168.1.126 luser tty2 192.168.1.76 stop task_id=334 timezone=UTC
> service=shell start_time=1397485861 priv-lvl=0 cmd=enable <cr>
> Apr 14 10:31:07 192.168.1.126 luser tty2 192.168.1.76 stop task_id=335 timezone=UTC
> service=shell start_time=1397485867 priv-lvl=0 cmd=enable <cr>
> Apr 14 10:31:12 192.168.1.126 luser tty2 192.168.1.76 stop task_id=336 timezone=UTC
> service=shell start_time=1397485872 priv-lvl=15 cmd=configure terminal <cr>
> Apr 14 10:31:16 192.168.1.126 luser tty2 192.168.1.76 stop task_id=337 timezone=UTC
> service=shell start_time=1397485876 priv-lvl=15 cmd=do sho interface status <cr>
>
>
>
>
> =======switch session=====
> $ ssh luser at 192.168.1.126
> Password:
>
> Switch#show interface status
>
> Port    Name            Status       Vlan  Duplex  Speed   Type
> Gi0/1   this is int 1   connected    1     a-full  a-1000  10/100/1000BaseTX
> Gi0/2                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/3                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/4                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/5                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/6                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/7                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/8                   connected    1     a-full  a-1000  10/100/1000BaseTX
> Switch#conf t
> ^
> % Invalid input detected at '^' marker.
>
> Switch#enable
> Password:
> % Error in authentication.
>
> Switch#enable
> Password:
> Switch#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Switch(config)#do sho interface status
>
> Port    Name            Status       Vlan  Duplex  Speed   Type
> Gi0/1   this is int 1   connected    1     a-full  a-1000  10/100/1000BaseTX
> Gi0/2                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/3                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/4                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/5                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/6                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/7                   notconnect   1     auto    auto    10/100/1000BaseTX
> Gi0/8                   connected    1     a-full  a-1000  10/100/1000BaseTX
> Switch(config)#
If a command isn't being logged in the accounting logs it's because the
router never sent it to the tacacs server to be logged; if the router
does send it then tac_plus will log it. You can verify this by enabling
accounting debugging; check the tac_plus man page for the -d option.
Examine closely your AAA settings on the router to see how accounting is
set up there.
--
Alan McKinnon
alan.mckinnon at gmail.com
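Alan's answer covers the device side: a command that never reaches the daemon cannot appear in the log. The log side is worth checking too, so the following added example (not part of the thread and not tac_plus project code) parses the kind of records shown above and flags commands accounted at a privilege level above the one the user's tac_plus.conf stanza grants. The sample lines are a constructed copy of the post's excerpt re-joined onto one line per record, which is how tac_plus writes them; the CONFIGURED_PRIV table is a hypothetical stand-in for reading priv-lvl out of tac_plus.conf.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the accounting excerpt in the post. tac_plus
# writes one record per line; the mail client wrapped them, so they are
# re-joined here.
SAMPLE_LOG = """\
Apr 14 10:30:46 192.168.1.126 luser tty2 192.168.1.76 start task_id=334 timezone=UTC service=shell start_time=1397485846
Apr 14 10:31:01 192.168.1.126 luser tty2 192.168.1.76 stop task_id=334 timezone=UTC service=shell start_time=1397485861 priv-lvl=0 cmd=enable <cr>
Apr 14 10:31:07 192.168.1.126 luser tty2 192.168.1.76 stop task_id=335 timezone=UTC service=shell start_time=1397485867 priv-lvl=0 cmd=enable <cr>
Apr 14 10:31:12 192.168.1.126 luser tty2 192.168.1.76 stop task_id=336 timezone=UTC service=shell start_time=1397485872 priv-lvl=15 cmd=configure terminal <cr>
Apr 14 10:31:16 192.168.1.126 luser tty2 192.168.1.76 stop task_id=337 timezone=UTC service=shell start_time=1397485876 priv-lvl=15 cmd=do sho interface status <cr>
"""

# Hypothetical table of the priv-lvl each user is granted in tac_plus.conf;
# the post's stanza gives luser priv-lvl 2 under "service = exec".
CONFIGURED_PRIV = {"luser": 2}

# Fixed leading fields of a tac_plus accounting record, then the AV pairs.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<client>\S+) "
    r"(?P<type>start|stop|update) (?P<avpairs>.*)$"
)
# key=value pairs; a value runs until the next " key=" because cmd= values
# contain spaces ("cmd=do sho interface status <cr>").
AVPAIR_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+=|$)")


def parse_record(line):
    """Parse one accounting line into a dict; return None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    av = dict(AVPAIR_RE.findall(rec.pop("avpairs")))
    rec["task_id"] = av.get("task_id")
    rec["priv_lvl"] = int(av["priv-lvl"]) if "priv-lvl" in av else None
    cmd = av.get("cmd")
    # Drop the trailing "<cr>" the NAS appends to the command text.
    rec["cmd"] = re.sub(r"\s*<cr>$", "", cmd) if cmd is not None else None
    return rec


def parse_log(text):
    """Parse every record in an accounting log, skipping blank or unparseable lines."""
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def commands_by_user(records):
    """Per-user timeline of (priv-lvl, command) for records that carry a cmd."""
    timeline = defaultdict(list)
    for r in records:
        if r["cmd"] is not None:
            timeline[r["user"]].append((r["priv_lvl"], r["cmd"]))
    return dict(timeline)


def find_privilege_escalations(records, configured=CONFIGURED_PRIV):
    """Commands accounted at a priv-lvl above the level tac_plus.conf grants the user.

    Such records show the user reached a higher level (e.g. via enable) than the
    exec service assigned. Accounting alone does not say whether that was
    authorised, so these are review items, not verdicts.
    """
    hits = []
    for r in records:
        granted = configured.get(r["user"])
        if r["cmd"] is None or granted is None or r["priv_lvl"] is None:
            continue
        if r["priv_lvl"] > granted:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, cmds in commands_by_user(recs).items():
        print(user)
        for lvl, cmd in cmds:
            print(f"  priv-lvl={lvl:<2} {cmd}")
    for r in find_privilege_escalations(recs):
        print(f"ESCALATION {r['ts']} {r['user']}@{r['nas']} "
              f"priv-lvl={r['priv_lvl']} cmd={r['cmd']}")
```

Run against the sample, the timeline for luser shows the two `enable` attempts at priv-lvl 0 and then `configure terminal` and `do sho interface status` at priv-lvl 15, and those last two are returned as escalations because the stanza only grants priv-lvl 2. Note what the parser cannot show: the `show interface status` and `conf t` typed before the enable leave no record at all, which is exactly the gap Alan says has to be chased on the router's AAA configuration rather than in tac_plus.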