[tac_plus] cmd=connect

John Fraizer john at op-sec.us
Tue Apr 14 16:41:25 UTC 2015


Provide the entire accounting record rather than a description of it and
we'll be able to help you more.  But, that is not what tac_plus would show
when a user goes into enable.

This is what it shows from an Arista:

Apr 14 16:33:36 10.244.165.35 jfraizer ssh 192.168.56.1 stop task_id=21 service=shell priv-lvl=1 start_time=1429029214 timezone=UTC cmd=enable <cr>

And here is what it shows from a Cisco CSR1000v:

Apr 14 16:34:43 10.244.165.36 jfraizer tty1 192.168.56.1 stop task_id=3 timezone=UTC service=shell priv-lvl=1 cmd=enable <cr>




--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Tue, Apr 14, 2015 at 9:28 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:

> I'm using tac_plus as an audit history for all users, and I'm noticing
> that the accounting log is
> logging:
>
> cmd=connect <enable password> <cr>
>
> I believe it is whenever someone types in 'enable' <cr> '<enable password>'
>
> Does this make sense, and if so any advice on how to get tac_plus to not
> save the password in the
> audit log?
>
> for reference:
> $ tac_plus -v
> tac_plus version F4.0.4.27a
> ACLS
> FIONBIO
> LIBWRAP
> LINUX
> LITTLE_ENDIAN
> LOG_DAEMON
> PAM
> NO_PWAGE
> REAPCHILD
> RETSIGTYPE RETSIGTYPE
> SHADOW_PASSWORDS
> SIGTSTP
> SIGTTIN
> SIGTTOU
> SO_REUSEADDR
> STRERROR
> TAC_PLUS_PORT
> UENABLE
> __STDC__
>
>
>
> Thanks.
>
> --
> Munroe Sollog
> LTS - Network Analyst
> x85002
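
Added example (not part of the thread and not tac_plus code): a filter that parses accounting records in the layout quoted above and masks the argument of cmd=connect before the record is stored or forwarded, unless that argument is an IP literal or a known hostname. It assumes whitespace-separated fields with cmd= as the last attribute, as in both quoted records; the `known_hosts` inventory and the third sample record are constructed for illustration.

```python
import ipaddress
import re

MASK = "<redacted>"
# Layout taken from the records quoted in this thread; cmd= is assumed last.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<nas>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<rem_addr>\S+)\s+(?P<type>\S+)\s+(?P<avs>.*)$"
)

def parse_record(line):
    """Split one accounting line into header fields, attributes and cmd."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    head, sep, cmd = rec.pop("avs").partition("cmd=")
    rec["attrs"] = dict(p.split("=", 1) for p in head.split() if "=" in p)
    rec["cmd"] = cmd.strip() if sep else None
    rec["cmd_at"] = m.start("avs") + len(head)  # offset of "cmd=" in the line
    return rec

def is_plausible_target(arg, known_hosts):
    """True for an IP literal or a hostname from the (hypothetical) inventory."""
    try:
        ipaddress.ip_address(arg)
        return True
    except ValueError:
        return arg.lower() in known_hosts

def scrub(line, known_hosts=frozenset()):
    """Return (line_safe_to_store, flagged); unknown connect arguments are masked."""
    line = line.strip()
    rec = parse_record(line)
    if rec is None or not rec["cmd"]:
        return line, False
    words = [w for w in rec["cmd"].split() if w != "<cr>"]
    if len(words) < 2 or words[0] != "connect":
        return line, False
    if all(is_plausible_target(w, known_hosts) for w in words[1:]):
        return line, False
    return line[: rec["cmd_at"]] + f"cmd=connect {MASK} <cr>", True

# Constructed input: the two records from this thread plus a made-up third one.
SAMPLES = [
    "Apr 14 16:33:36 10.244.165.35 jfraizer ssh 192.168.56.1 stop task_id=21 service=shell priv-lvl=1 start_time=1429029214 timezone=UTC cmd=enable <cr>",
    "Apr 14 16:34:43 10.244.165.36 jfraizer tty1 192.168.56.1 stop task_id=3 timezone=UTC service=shell priv-lvl=1 cmd=enable <cr>",
    "Apr 14 16:40:02 10.244.165.36 jdoe tty2 192.168.56.1 stop task_id=7 timezone=UTC service=shell priv-lvl=1 cmd=connect NotARealSecret1 <cr>",
]
```

A flagged record means the typed string was already written to the raw accounting file, so masking downstream copies does not undo that exposure.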