[tac_plus] logging all commands run
Daniel Schmidt
daniel.schmidt at wyo.gov
Mon Apr 14 17:16:24 UTC 2014
Hint: aaa accounting commands ....
Not sure why you are using custom priv levels rather than authorization.
On Mon, Apr 14, 2014 at 8:55 AM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
> On 14/04/2014 16:38, Munroe Sollog wrote:
> > I am using accounting. The behavior though is a bit confusing to me. For example, the user
> > 'luser' has the following stanza in the tac_plus.conf:
> >
> > user = luser {
> >     default service = permit
> >     login = file /usr/local/etc/tac_passwd_file
> >     service = exec {
> >         priv-lvl = 2
> >     }
> >     cmd = show {
> >         permit .*
> >     }
> > }
> >
> > The following is an excerpt from the accounting log as well as the actual switch session. As you
> > can see, the first time I try 'conf t' nothing is logged, and when I am still priv-lvl 2 and run
> > 'show interface status' nothing is logged. However, after I 'enable' (typoed the password the
> > first time) and then run a 'do show interface status', it is logged. I'm wondering why my
> > 'show interface status' isn't logged the first time.
> >
> >
> > ====tacacs accounting log====
> >
> > Apr 14 10:30:46 192.168.1.126 luser tty2 192.168.1.76 start task_id=334 timezone=UTC service=shell start_time=1397485846
> > Apr 14 10:31:01 192.168.1.126 luser tty2 192.168.1.76 stop task_id=334 timezone=UTC service=shell start_time=1397485861 priv-lvl=0 cmd=enable <cr>
> > Apr 14 10:31:07 192.168.1.126 luser tty2 192.168.1.76 stop task_id=335 timezone=UTC service=shell start_time=1397485867 priv-lvl=0 cmd=enable <cr>
> > Apr 14 10:31:12 192.168.1.126 luser tty2 192.168.1.76 stop task_id=336 timezone=UTC service=shell start_time=1397485872 priv-lvl=15 cmd=configure terminal <cr>
> > Apr 14 10:31:16 192.168.1.126 luser tty2 192.168.1.76 stop task_id=337 timezone=UTC service=shell start_time=1397485876 priv-lvl=15 cmd=do sho interface status <cr>
> >
> >
> >
> >
> > =======switch session=====
> > $ ssh luser at 192.168.1.126
> > Password:
> >
> > Switch#show interface status
> >
> > Port      Name           Status       Vlan  Duplex  Speed   Type
> > Gi0/1     this is int 1  connected    1     a-full  a-1000  10/100/1000BaseTX
> > Gi0/2                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/3                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/4                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/5                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/6                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/7                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/8                    connected    1     a-full  a-1000  10/100/1000BaseTX
> > Switch#conf t
> >               ^
> > % Invalid input detected at '^' marker.
> >
> > Switch#enable
> > Password:
> > % Error in authentication.
> >
> > Switch#enable
> > Password:
> > Switch#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > Switch(config)#do sho interface status
> >
> > Port      Name           Status       Vlan  Duplex  Speed   Type
> > Gi0/1     this is int 1  connected    1     a-full  a-1000  10/100/1000BaseTX
> > Gi0/2                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/3                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/4                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/5                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/6                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/7                    notconnect   1     auto    auto    10/100/1000BaseTX
> > Gi0/8                    connected    1     a-full  a-1000  10/100/1000BaseTX
> > Switch(config)#
>
>
> If a command isn't being logged in the accounting logs it's because the
> router never sent it to the tacacs server to be logged; if the router
> does send it then tac_plus will log it. You can verify this by enabling
> accounting debugging; check the tac_plus man page for the -d option.
>
> Examine closely your AAA settings on the router to see how accounting is
> set up there.
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
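Added example, not from any message in this thread: the IOS-side AAA configuration that Daniel's "aaa accounting commands" hint and Alan's "examine your AAA settings on the router" point at. In IOS, command accounting is enabled per privilege level, so a level that is not listed never produces a command record at tac_plus, no matter what tac_plus.conf says; the block lists every level the switch in the thread is seen using (0, 1, 2 and 15). It also shows per-command authorization, which lets the server's own `cmd = show { permit .* }` stanzas decide what 'luser' may run instead of parking the account at a custom priv level. The server address, key and "local" fallbacks are placeholders and assumptions, not values from the thread.

```cisco
! Added example (not from the thread). Placeholders: server 192.0.2.10 and
! the shared key are assumptions; replace them with your own values.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-KEY
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Per-command authorization: the switch asks tac_plus before each command,
! so "cmd = show { permit .* }" in tac_plus.conf is what actually gates the
! user. "local" is an assumed fallback for when the server is unreachable.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting is per privilege level. Each "commands N" line is what makes
! the switch send a stop record for commands at that level; without the
! "commands 2" line, a session left at priv-lvl 2 sends nothing to log.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 2 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
```

To confirm the switch is now sending the records, run tac_plus in the foreground with the -d debug option from its man page and repeat the session; a 'show interface status' at priv-lvl 2 should then appear both in the debug output and as a stop record in the accounting log, with the same task_id/priv-lvl fields as the priv-lvl 15 records above.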