[tac_plus] logging all commands run

Munroe Sollog mus3 at Lehigh.EDU
Mon Apr 14 17:27:08 UTC 2014


I think I figured it out.  I had:

aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

but when I added:
aaa accounting commands 1 default start-stop group tacacs+

all of the commands I noticed weren't being logged started showing up.

With regard to your concern about custom priv levels, it was something I went back and forth on.
My current rationale is, I want the tac_config simple without having to enumerate dozens of
commands and their variants.  For example, I wanted my lowest level techs to be able to run 'show
logging' which by default is a priv-15 command.  When logged in at priv-1, even if I explicitly
allowed that command the switch wouldn't recognize it.  That being the case, I would have to give
everyone priv-lvl 15 access and be extra careful to explicitly allow only the commands I want them
to run.  That seems like a lot more work than moving 'show logging' down to a lower privilege
level and keeping the techs away from priv-lvl 15.

But that is just my current rationale; if there is a better idea, I'm not married to it.

- Munroe

On 04/14/2014 01:16 PM, Daniel Schmidt wrote:
> Hint: aaa accounting commands ....
> 
> Not sure why you are using custom priv levels rather than authorization
> 
> 
> On Mon, Apr 14, 2014 at 8:55 AM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
> 
>> On 14/04/2014 16:38, Munroe Sollog wrote:
>>> I am using accounting.  The behavior though is a bit confusing to me.  For example, the user
>>> 'luser' has the following stanza in the tac_plus.conf:
>>>
>>> user = luser {
>>>     default service = permit
>>>     login = file /usr/local/etc/tac_passwd_file
>>>     service = exec {
>>>         priv-lvl = 2
>>>     }
>>>     cmd = show {
>>>         permit .*
>>>     }
>>> }
>>>
>>> The following is an excerpt from the accounting log as well as the actual switch session.  As you
>>> can see the first time I try 'conf t' nothing is logged, when I am still priv-lvl 2 and run 'show
>>> interface status' nothing is logged.  However, after I 'enable' (typoed the password the first
>>> time) and then run a 'do show interface status' then it is logged.  I'm wondering why my
>>> 'show interface status' isn't logged the first time.
>>>
>>>
>>> ====tacacs accounting log====
>>>
>>> Apr 14 10:30:46       192.168.1.126   luser   tty2    192.168.1.76    start   task_id=334     timezone=UTC    service=shell start_time=1397485846
>>> Apr 14 10:31:01       192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=334     timezone=UTC    service=shell start_time=1397485861   priv-lvl=0      cmd=enable <cr>
>>> Apr 14 10:31:07       192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=335     timezone=UTC    service=shell start_time=1397485867   priv-lvl=0      cmd=enable <cr>
>>> Apr 14 10:31:12       192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=336     timezone=UTC    service=shell start_time=1397485872   priv-lvl=15     cmd=configure terminal <cr>
>>> Apr 14 10:31:16       192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=337     timezone=UTC    service=shell start_time=1397485876   priv-lvl=15     cmd=do sho interface status <cr>
>>>
>>>
>>> =======switch session=====
>>> $ ssh luser@192.168.1.126
>>> Password:
>>>
>>> Switch#show interface status
>>>
>>> Port      Name               Status       Vlan       Duplex  Speed Type
>>> Gi0/1     this is int 1      connected    1          a-full a-1000 10/100/1000BaseTX
>>> Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/4                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/5                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/6                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/7                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/8                        connected    1          a-full a-1000 10/100/1000BaseTX
>>> Switch#conf t
>>>        ^
>>> % Invalid input detected at '^' marker.
>>>
>>> Switch#enable
>>> Password:
>>> % Error in authentication.
>>>
>>> Switch#enable
>>> Password:
>>> Switch#conf t
>>> Enter configuration commands, one per line.  End with CNTL/Z.
>>> Switch(config)#do sho interface status
>>>
>>> Port      Name               Status       Vlan       Duplex  Speed Type
>>> Gi0/1     this is int 1      connected    1          a-full a-1000 10/100/1000BaseTX
>>> Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/4                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/5                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/6                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/7                        notconnect   1            auto   auto 10/100/1000BaseTX
>>> Gi0/8                        connected    1          a-full a-1000 10/100/1000BaseTX
>>> Switch(config)#
>> 
>> 
>> If a command isn't being logged in the accounting logs it's because the router never sent it
>> to the tacacs server to be logged; if the router does send it then tac_plus will log it. You
>> can verify this by enabling accounting debugging; check the tac_plus man page for the -d
>> option.
>> 
>> Examine closely your AAA settings on the router to see how accounting is set up there.
>> 
>> --
>> Alan McKinnon
>> alan.mckinnon at gmail.com
>> 
>>
> 
> 

-- 
Munroe Sollog
LTS - Network Analyst
x85002
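As an added example (not code from the thread or from tac_plus itself), a small Python check for the gap Munroe hit: it parses accounting records like the ones quoted above, reads the priv-lvl assigned in the tac_plus.conf stanza, and reports which privilege levels a user can reach that have no `aaa accounting commands` line on the IOS side, and which of those levels never produced a single logged command. The tab-separated record layout, the simplified tac_plus.conf parser and the "reachable levels" model (level 1 via disable, the assigned level, and 15 via enable) are assumptions made here.

```python
import re

# Constructed sample: four of the thread's accounting records, re-typed tab-separated (one record per line).
ACCT_LOG = "\n".join([
    "Apr 14 10:30:46\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstart\ttask_id=334\ttimezone=UTC\tservice=shell\tstart_time=1397485846",
    "Apr 14 10:31:01\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstop\ttask_id=334\ttimezone=UTC\tservice=shell\tstart_time=1397485861\tpriv-lvl=0\tcmd=enable <cr>",
    "Apr 14 10:31:12\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstop\ttask_id=336\ttimezone=UTC\tservice=shell\tstart_time=1397485872\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Apr 14 10:31:16\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstop\ttask_id=337\ttimezone=UTC\tservice=shell\tstart_time=1397485876\tpriv-lvl=15\tcmd=do sho interface status <cr>",
])
# The luser stanza and the IOS AAA lines from the thread, before and after the level-1 line was added.
TAC_CONF = "user = luser {\n    service = exec { priv-lvl = 2 }\n    cmd = show { permit .* }\n}\n"
IOS_BEFORE = ("aaa accounting commands 2 default start-stop group tacacs+\n"
              "aaa accounting commands 15 default start-stop group tacacs+\n")
IOS_AFTER = IOS_BEFORE + "aaa accounting commands 1 default start-stop group tacacs+\n"

def parse_acct(text):
    """One dict per record: the fixed columns, the start/stop flag, then the AV pairs."""
    records = []
    for line in filter(None, text.splitlines()):
        fields = line.split("\t")
        rec = dict(zip(("time", "nas", "user", "port", "rem_addr", "flag"), fields[:6]))
        rec.update(av.partition("=")[::2] for av in fields[6:])  # split each AV pair on its first '='
        records.append(rec)
    return records

def accounted_levels(ios_config):
    """Levels for which IOS sends command accounting ('aaa accounting commands <n>')."""
    return {int(n) for n in re.findall(r"^aaa accounting commands (\d+)\b", ios_config, re.M)}

def assigned_levels(tac_conf):
    """Exec priv-lvl per user stanza (simplified parser; defaults to 1 when unset)."""
    levels = {}
    for user, body in re.findall(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", tac_conf, re.S):
        m = re.search(r"priv-lvl\s*=\s*(\d+)", body)
        levels[user] = int(m.group(1)) if m else 1
    return levels

def coverage_gaps(acct_text, tac_conf, ios_config):
    """Per user: reachable levels IOS never accounts for ('unaccounted') and reachable
    levels with no logged command ('silent'). Assumed reachable set: level 1 (via
    'disable'), the assigned level, and 15 (via 'enable')."""
    accounted = accounted_levels(ios_config)
    logged = {}
    for r in parse_acct(acct_text):
        if r["flag"] == "stop" and "cmd" in r:
            logged.setdefault(r["user"], set()).add(int(r["priv-lvl"]))
    return {user: {"unaccounted": sorted({1, lvl, 15} - accounted),
                   "silent": sorted({1, lvl, 15} - logged.get(user, set()))}
            for user, lvl in assigned_levels(tac_conf).items()}
```

With the "before" config the check reports level 1 as unaccounted and levels 1 and 2 as silent for luser, which is exactly the symptom in the thread; after the level-1 line is added nothing is unaccounted, and any level that stays silent points at a mismatch between the assigned priv-lvl and the level the switch actually runs the commands at.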


More information about the tac_plus mailing list