[tac_plus] logging all commands run
Munroe Sollog
mus3 at Lehigh.EDU
Mon Apr 14 17:27:08 UTC 2014
I think I figured it out. I had:
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
but when I added:
aaa accounting commands 1 default start-stop group tacacs+
all of the commands I noticed weren't being logged started showing up.
With regard to your concern about custom priv levels, it was something I went back and forth on.
My current rationale is that I want the tac_config simple without having to enumerate dozens of
commands and their variants. For example, I wanted my lowest level techs to be able to run 'show
logging' which by default is a priv-15 command. When logged in at priv-1, even if I explicitly
allowed that command the switch wouldn't recognize it. That being the case, I would have to give
everyone priv-lvl 15 access and be extra careful to explicitly allow only the commands I want them
to run. That seems like a lot more work than moving 'show logging' down to a lower privilege
level and keeping the techs away from priv-lvl 15.
But that is just my current rationale; if there is a better idea, I'm not married to it.
- Munroe
On 04/14/2014 01:16 PM, Daniel Schmidt wrote:
> Hint: aaa accounting commands ....
>
> Not sure why you are using custom priv levels rather than authorization
>
>
> On Mon, Apr 14, 2014 at 8:55 AM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
>
>> On 14/04/2014 16:38, Munroe Sollog wrote:
>>> I am using accounting. The behavior though is a bit confusing to me.
>>> For example, the user 'luser' has the following stanza in the tac_plus.conf:
>>>
>>> user = luser {
>>>     default service = permit
>>>     login = file /usr/local/etc/tac_passwd_file
>>>     service = exec {
>>>         priv-lvl = 2
>>>     }
>>>     cmd = show {
>>>         permit .*
>>>     }
>>> }
>>>
>>> The following is an excerpt from the accounting log as well as the actual switch session.
>>> As you can see, the first time I try 'conf t' nothing is logged, and when I am still
>>> priv-lvl 2 and run 'show interface status' nothing is logged. However, after I 'enable'
>>> (typoed the password the first time) and then run a 'do show interface status', then it
>>> is logged. I'm wondering why my 'show interface status' isn't logged the first time.
>>>
>>>
>>> ====tacacs accounting log====
>>>
>>> Apr 14 10:30:46 192.168.1.126 luser tty2 192.168.1.76 start task_id=334 timezone=UTC service=shell start_time=1397485846
>>> Apr 14 10:31:01 192.168.1.126 luser tty2 192.168.1.76 stop task_id=334 timezone=UTC service=shell start_time=1397485861 priv-lvl=0 cmd=enable <cr>
>>> Apr 14 10:31:07 192.168.1.126 luser tty2 192.168.1.76 stop task_id=335 timezone=UTC service=shell start_time=1397485867 priv-lvl=0 cmd=enable <cr>
>>> Apr 14 10:31:12 192.168.1.126 luser tty2 192.168.1.76 stop task_id=336 timezone=UTC service=shell start_time=1397485872 priv-lvl=15 cmd=configure terminal <cr>
>>> Apr 14 10:31:16 192.168.1.126 luser tty2 192.168.1.76 stop task_id=337 timezone=UTC service=shell start_time=1397485876 priv-lvl=15 cmd=do sho interface status <cr>
>>>
>>> =======switch session=====
>>>
>>> $ ssh luser@192.168.1.126
>>> Password:
>>>
>>> Switch#show interface status
>>>
>>> Port      Name               Status       Vlan       Duplex  Speed Type
>>> Gi0/1     this is int 1      connected    1          a-full  a-1000 10/100/1000BaseTX
>>> Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/4                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/5                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/6                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/7                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/8                        connected    1          a-full  a-1000 10/100/1000BaseTX
>>>
>>> Switch#conf t
>>>   ^
>>> % Invalid input detected at '^' marker.
>>>
>>> Switch#enable
>>> Password:
>>> % Error in authentication.
>>>
>>> Switch#enable
>>> Password:
>>> Switch#conf t
>>> Enter configuration commands, one per line.  End with CNTL/Z.
>>> Switch(config)#do sho interface status
>>>
>>> Port      Name               Status       Vlan       Duplex  Speed Type
>>> Gi0/1     this is int 1      connected    1          a-full  a-1000 10/100/1000BaseTX
>>> Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/4                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/5                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/6                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/7                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/8                        connected    1          a-full  a-1000 10/100/1000BaseTX
>>> Switch(config)#
>>
>>
>> If a command isn't being logged in the accounting logs it's because the router never sent it
>> to the tacacs server to be logged; if the router does send it then tac_plus will log it. You
>> can verify this by enabling accounting debugging; check the tac_plus man page for the -d
>> option.
>>
>> Examine closely your AAA settings on the router to see how accounting is set up there.
>>
>> --
>> Alan McKinnon
>> alan.mckinnon at gmail.com
--
Munroe Sollog
LTS - Network Analyst
x85002
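As an added example (not code from the thread, from tac_plus or from Cisco), a small Python audit that parses accounting records in the shape quoted above and checks an IOS AAA block for privilege levels that have no `aaa accounting commands <lvl>` line, which is what the missing level-1 line in this thread amounted to. The sample log lines, AAA lines and tac_plus.conf stanza are constructed; the only assumed defaults are IOS's user EXEC level 1 and privileged EXEC level 15.

```python
import re

# Constructed sample lines in the shape of the accounting excerpt quoted in the thread
# (real tac_plus records are tab-separated; spaces are used here for readability).
ACCT_LOG = """\
Apr 14 10:30:46 192.168.1.126 luser tty2 192.168.1.76 start task_id=334 timezone=UTC service=shell start_time=1397485846
Apr 14 10:31:01 192.168.1.126 luser tty2 192.168.1.76 stop task_id=334 timezone=UTC service=shell start_time=1397485861 priv-lvl=0 cmd=enable <cr>
Apr 14 10:31:12 192.168.1.126 luser tty2 192.168.1.76 stop task_id=336 timezone=UTC service=shell start_time=1397485872 priv-lvl=15 cmd=configure terminal <cr>
"""
# Constructed IOS AAA lines: the poster's original pair, and the set after adding level 1.
AAA_BEFORE = ("aaa accounting commands 2 default start-stop group tacacs+\n"
              "aaa accounting commands 15 default start-stop group tacacs+\n")
AAA_AFTER = AAA_BEFORE + "aaa accounting commands 1 default start-stop group tacacs+\n"
# Constructed tac_plus.conf stanza in the thread's shape (hypothetical file content).
TAC_CONF = "user = luser {\n service = exec { priv-lvl = 2 }\n cmd = show { permit .* }\n}\n"

ACCT_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<nas>\S+) (?P<user>\S+) "
                     r"(?P<port>\S+) (?P<rem>\S+) (?P<type>start|stop) (?P<avs>.*)$")

def parse_acct(text):
    """Split accounting lines into dicts; 'cmd=' runs to end of line and may contain spaces."""
    records = []
    for line in text.splitlines():
        m = ACCT_RE.match(line)
        if not m:
            continue                      # skip anything that is not a start/stop record
        rec = m.groupdict()
        head, sep, cmd = rec.pop("avs").partition("cmd=")
        if sep:
            rec["cmd"] = cmd.replace("<cr>", "").strip()
        for pair in head.split():         # remaining attribute=value pairs have no spaces
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    return records

def accounted_levels(aaa_config):
    """Privilege levels that have an 'aaa accounting commands <lvl>' line."""
    return {int(m.group(1)) for line in aaa_config.splitlines()
            if (m := re.match(r"aaa accounting commands (\d+)\s", line))}

def levels_in_use(tac_conf):
    """Levels a session can run commands at: IOS defaults 1 (user EXEC) and 15
    (privileged EXEC), plus every priv-lvl that tac_plus.conf hands out."""
    return {1, 15} | {int(n) for n in re.findall(r"priv-lvl\s*=\s*(\d+)", tac_conf)}

def unaccounted_levels(tac_conf, aaa_config):
    """Levels whose commands the router will never send to tac_plus, so they cannot be logged."""
    return sorted(levels_in_use(tac_conf) - accounted_levels(aaa_config))
```

Running `unaccounted_levels(TAC_CONF, AAA_BEFORE)` reports level 1 as the gap; with `AAA_AFTER` the list is empty.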