[tac_plus] logging all commands run

Alan McKinnon alan.mckinnon at gmail.com
Mon Apr 14 19:29:12 UTC 2014


The problem with the priv-lvl approach is that it doesn't scale very
well. For 1 or 2 or 3 network devices it's fine, especially when you
consider that tac_plus command auth involves regular expressions; you
avoid that using priv-lvls on the router.

However, it quickly becomes cumbersome. You have to work out exactly
what you want each level to have, and make sure all of them have the
identical config. Without some kind of automated config-push system this
quickly gets out of hand. Doubly so if each user gets a local account on
the router.

With tacacs auth, you do that heavy lifting once in one place. Yes, you
do have to think it through more carefully as you must apply regexes to
strings to do your allow/deny (tac_plus being clueless as to what
commands mean). Using a default-deny/explicit-permit model you can keep
yourself safe and your techs away from danger.

Which method you use depends, in my mind, on how big and complex your
network is; that's something only you can really decide.


On 14/04/2014 19:27, Munroe Sollog wrote:
> I think I figured it out.  I had:
> 
> aaa accounting commands 2 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> 
> but when I added:
> aaa accounting commands 1 default start-stop group tacacs+
> 
> all of the commands I noticed weren't being logged started showing up.
> 
> With regard to your concern about custom priv levels, it was something I went back and forth on.
> My current rationale is, I want the tac_config simple without having to enumerate dozens of
> commands and their variants.  For example, I wanted my lowest level techs to be able to run 'show
> logging' which by default is a priv-15 command.  When logged in at priv-1, even if I explicitly
> allowed that command the switch wouldn't recognize it.  That being the case, I would have to give
> everyone priv-lvl 15 access and be extra careful to explicitly allow only the commands I want them
> to run.  That seems like a lot more work than moving 'show logging' down to a lower privilege
> level and keeping the techs away from priv-lvl 15.
> 
> But that is just my current rationale, if there is a better idea, I'm not married to it.
> 
> - Munroe
> 
> On 04/14/2014 01:16 PM, Daniel Schmidt wrote:
>> Hint: aaa accounting commands ....
>>
>> Not sure why you are using custom priv levels rather than authorization
>>
>> On Mon, Apr 14, 2014 at 8:55 AM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
> 
>>> On 14/04/2014 16:38, Munroe Sollog wrote:
>>>> I am using accounting.  The behavior though is a bit confusing to me.
>>>> For example, the user 'luser' has the following stanza in the tac_plus.conf:
>>>>
>>>> user = luser {
>>>>     default service = permit
>>>>     login = file /usr/local/etc/tac_passwd_file
>>>>     service = exec {
>>>>         priv-lvl = 2
>>>>     }
>>>>     cmd = show {
>>>>         permit .*
>>>>     }
>>>> }
>>>>
>>>> The following is an excerpt from the accounting log as well as the
>>>> actual switch session.  As you can see, the first time I try 'conf t'
>>>> nothing is logged, and when I am still priv-lvl 2 and run 'show
>>>> interface status' nothing is logged.  However, after I 'enable' (typoed
>>>> the password the first time) and then run a 'do show interface status',
>>>> it is logged.  I'm wondering why my 'show interface status' isn't
>>>> logged the first time.
>>>>
>>>>
>>>> ====tacacs accounting log====
>>>>
>>>> Apr 14 10:30:46    192.168.1.126   luser   tty2    192.168.1.76    start   task_id=334     timezone=UTC    service=shell   start_time=1397485846
>>>> Apr 14 10:31:01    192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=334     timezone=UTC    service=shell   start_time=1397485861   priv-lvl=0      cmd=enable <cr>
>>>> Apr 14 10:31:07    192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=335     timezone=UTC    service=shell   start_time=1397485867   priv-lvl=0      cmd=enable <cr>
>>>> Apr 14 10:31:12    192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=336     timezone=UTC    service=shell   start_time=1397485872   priv-lvl=15     cmd=configure terminal <cr>
>>>> Apr 14 10:31:16    192.168.1.126   luser   tty2    192.168.1.76    stop    task_id=337     timezone=UTC    service=shell   start_time=1397485876   priv-lvl=15     cmd=do sho interface status <cr>
>>>>
>>>>
>>>>
>>>>
>>>> =======switch session=====
>>>> $ ssh luser@192.168.1.126
>>>> Password:
>>>>
>>>> Switch#show interface status
>>>>
>>>> Port      Name               Status       Vlan       Duplex  Speed Type
>>>> Gi0/1     this is int 1      connected    1          a-full a-1000 10/100/1000BaseTX
>>>> Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/4                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/5                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/6                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/7                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/8                        connected    1          a-full a-1000 10/100/1000BaseTX
>>>> Switch#conf t
>>>>        ^
>>>> % Invalid input detected at '^' marker.
>>>>
>>>> Switch#enable
>>>> Password:
>>>> % Error in authentication.
>>>>
>>>> Switch#enable
>>>> Password:
>>>> Switch#conf t
>>>> Enter configuration commands, one per line.  End with CNTL/Z.
>>>> Switch(config)#do sho interface status
>>>>
>>>> Port      Name               Status       Vlan       Duplex  Speed Type
>>>> Gi0/1     this is int 1      connected    1          a-full a-1000 10/100/1000BaseTX
>>>> Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/3                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/4                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/5                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/6                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/7                        notconnect   1            auto   auto 10/100/1000BaseTX
>>>> Gi0/8                        connected    1          a-full a-1000 10/100/1000BaseTX
>>>> Switch(config)#
>>>
>>>
>>> If a command isn't being logged in the accounting logs it's because the router never sent it
>>> to the tacacs server to be logged; if the router does send it then tac_plus will log it. You
>>> can verify this by enabling accounting debugging; check the tac_plus man page for the -d
>>> option.
>>>
>>> Examine closely your AAA settings on the router to see how accounting is set up there.
>>>
>>> --
>>> Alan McKinnon
>>> alan.mckinnon at gmail.com
>>>
>>> _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>>
> 
> 
> 
> 

-- 
Alan McKinnon
alan.mckinnon at gmail.com
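The thread turns on two things: whether the switch sends a command to tac_plus at all (the `aaa accounting commands <level>` lines Munroe added), and whether a tac_plus command policy built on regexes is default-deny or default-permit. The following is an added example, not code from tac_plus or from anyone in this thread. It parses an accounting log in the layout shown above (the sample records are constructed from the thread's excerpt, tab-separated), evaluates each logged command against two policies written in a dict form that mirrors a tac_plus user stanza, and checks which privilege levels an IOS AAA config accounts for. The policy evaluation is an emulation of tac_plus semantics as assumed here (first `permit`/`deny` regex matched unanchored against the command's arguments wins, a `cmd` stanza with no matching rule denies, `default service` decides for commands with no stanza); the policy names `LUSER_POLICY` and `DEFAULT_DENY_POLICY` and the `running-config` deny rule are this example's own.

```python
# Added example (not tac_plus code, not from this thread). Assumed tac_plus
# semantics: rules in a cmd stanza are tried in order, each regex is matched
# unanchored against the command's arguments, the first match decides, a
# stanza with no match denies, and 'default service' decides for commands
# that have no stanza at all.
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's accounting excerpt: one
# tab-separated record per line; records carrying cmd= are per-command stops.
SAMPLE_LOG = "\n".join([
    "Apr 14 10:30:46\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstart\t"
    "task_id=334\ttimezone=UTC\tservice=shell\tstart_time=1397485846",
    "Apr 14 10:31:01\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstop\t"
    "task_id=334\ttimezone=UTC\tservice=shell\tstart_time=1397485861\t"
    "priv-lvl=0\tcmd=enable <cr>",
    "Apr 14 10:31:12\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstop\t"
    "task_id=336\ttimezone=UTC\tservice=shell\tstart_time=1397485872\t"
    "priv-lvl=15\tcmd=configure terminal <cr>",
    "Apr 14 10:31:16\t192.168.1.126\tluser\ttty2\t192.168.1.76\tstop\t"
    "task_id=337\ttimezone=UTC\tservice=shell\tstart_time=1397485876\t"
    "priv-lvl=15\tcmd=do sho interface status <cr>",
])


@dataclass
class Record:
    timestamp: str
    nas: str        # the switch that sent the record
    user: str
    port: str
    remote: str     # where the user logged in from
    flag: str       # start / stop
    attrs: dict = field(default_factory=dict)


def parse_accounting(text):
    """Split each line into the fixed columns plus a dict of attr=value pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, nas, user, port, remote, flag, *avpairs = line.split("\t")
        attrs = {}
        for av in avpairs:
            key, _, value = av.partition("=")
            attrs[key] = value.removesuffix(" <cr>")  # drop the IOS <cr> marker
        records.append(Record(ts, nas, user, port, remote, flag, attrs))
    return records


def logged_commands(records):
    """(priv-lvl, command) for every stop record that carries a cmd= pair."""
    return [(int(r.attrs["priv-lvl"]), r.attrs["cmd"])
            for r in records if r.flag == "stop" and "cmd" in r.attrs]


# Hypothetical policies in a dict form mirroring a tac_plus user stanza.
LUSER_POLICY = {"default": "permit", "cmds": {"show": [("permit", ".*")]}}
DEFAULT_DENY_POLICY = {
    "default": "deny",
    "cmds": {"show": [("deny", "running-config"), ("permit", ".*")]},
}


def authorize(policy, command):
    """Emulated decision for one command line under the assumed semantics."""
    name, _, args = command.partition(" ")
    rules = policy["cmds"].get(name)
    if rules is None:                      # no stanza: default service decides
        return policy["default"] == "permit"
    for action, pattern in rules:
        if re.search(pattern, args):       # unanchored, first match wins
            return action == "permit"
    return False                           # stanza present, nothing matched


def reconcile(policy, records):
    """Commands that were accounted for but the policy would have refused."""
    return [cmd for _, cmd in logged_commands(records)
            if not authorize(policy, cmd)]


def missing_accounting_levels(ios_config, needed):
    """Privilege levels in 'needed' with no 'aaa accounting commands' line."""
    configured = {int(m.group(1)) for m in
                  re.finditer(r"^aaa accounting commands (\d+) ", ios_config, re.M)}
    return sorted(set(needed) - configured)


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_LOG)
    print(logged_commands(recs))
    print(reconcile(LUSER_POLICY, recs))          # default permit: nothing flagged
    print(reconcile(DEFAULT_DENY_POLICY, recs))   # enable, configure terminal, do sho ...
    cfg = ("aaa accounting commands 2 default start-stop group tacacs+\n"
           "aaa accounting commands 15 default start-stop group tacacs+\n")
    print(missing_accounting_levels(cfg, [1, 2, 15]))  # level 1 has no accounting
```

Two things fall out of running it. Under `LUSER_POLICY`, `default service = permit` means `enable` and `configure terminal` are permitted even though the only `cmd` stanza is for `show`, which is the scaling risk Alan describes; the default-deny variant flags all three logged commands. The last record is accounted as `do sho interface status`, exactly as typed, so in this emulation a policy keyed on `show` never sees it: abbreviations and the `do` prefix have to be thought through when writing the regexes.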


