From vadud3 at gmail.com Fri Apr 7 17:58:51 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 7 Apr 2017 13:58:51 -0400
Subject: [tac_plus] restrict by time of the day

Hi

Is there a way to restrict access to routers with tacacs config based on
time?

So not allow someone to make any change to the config during work hours?

I will need to apply something like that short of doing some config swap
with allow/deny as a cronjob.

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From john at op-sec.us Sat Apr 8 22:22:13 2017
From: john at op-sec.us (John Fraizer)
Date: Sat, 08 Apr 2017 22:22:13 +0000
Subject: [tac_plus] restrict by time of the day

That is not supported by tac_plus.

On Sat, Apr 8, 2017 at 3:21 PM Asif Iqbal wrote:

> I am not using do_auth.py yet. I was wondering if the regex can be used to
> logic the time of the day permit will work until then?

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

From john at op-sec.us Sat Apr 8 20:42:42 2017
From: john at op-sec.us (John Fraizer)
Date: Sat, 08 Apr 2017 20:42:42 +0000
Subject: [tac_plus] restrict by time of the day

You could modify do_auth.py to do this.

On Fri, Apr 7, 2017 at 4:15 PM Asif Iqbal wrote:

> Hi
>
> Is there a way to restrict access to routers with tacacs config based on
> time?
>
> So not allow someone to make any change to the config during work hours?
>
> I will need to apply something like that short of doing some config swap
> with allow/deny as a cronjob.
>
> Thanks
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

From vadud3 at gmail.com Sat Apr 8 22:21:01 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Sat, 8 Apr 2017 18:21:01 -0400
Subject: [tac_plus] restrict by time of the day

I am not using do_auth.py yet. I was wondering if the regex can be used to
logic the time of the day permit will work until then?

On Sat, Apr 8, 2017 at 4:42 PM, John Fraizer wrote:

> You could modify do_auth.py to do this.

From vadud3 at gmail.com Sat Apr 8 22:29:46 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Sat, 8 Apr 2017 18:29:46 -0400
Subject: [tac_plus] restrict by time of the day

I meant like below per tac_plus.conf man page

    cmd-match
        Specify a command argument match.

In the regex may be some expression that becomes NUL based on timestamp? I
do not have any example.

Thanks for your help!

On Sat, Apr 8, 2017 at 6:22 PM, John Fraizer wrote:

> That is not supported by tac_plus.

From heas at shrubbery.net Mon Apr 10 17:38:12 2017
From: heas at shrubbery.net (heasley)
Date: Mon, 10 Apr 2017 17:38:12 +0000
Subject: [tac_plus] restrict by time of the day
Message-ID: <20170410173811.GI9265@shrubbery.net>

Sat, Apr 08, 2017 at 06:29:46PM -0400, Asif Iqbal:
> I meant like below per tac_plus.conf man page
>
>     cmd-match
>         Specify a command argument match.
>
> In the regex may be some expression that becomes NUL based on timestamp? I
> do not have any example.

the regex does not match a timestamp; there is in fact no timestamp
involved at all.

You can use do_auth.py or enforce the ToD via PAM.

> Thanks for your help!

From vadud3 at gmail.com Mon Apr 10 17:43:17 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 10 Apr 2017 13:43:17 -0400
Subject: [tac_plus] restrict by time of the day
In-Reply-To: <20170410173811.GI9265@shrubbery.net>
References: <20170410173811.GI9265@shrubbery.net>

On Mon, Apr 10, 2017 at 1:38 PM, heasley wrote:

> the regex does not match a timestamp; there is in fact no timestamp
> involved at all.
>
> You can use do_auth.py or enforce the ToD via PAM.

I will take a look if it can provide option to allow/deny certain cmd.

Thanks

> [..]

From daniel.schmidt at wyo.gov Mon Apr 10 20:14:22 2017
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 10 Apr 2017 14:14:22 -0600
Subject: [tac_plus] restrict by time of the day
References: <20170410173811.GI9265@shrubbery.net>

I've considered adding it to do_auth before, but this is the first time
anybody expressed interest.

On Mon, Apr 10, 2017 at 11:43 AM, Asif Iqbal wrote:

> I will take a look if it can provide option to allow/deny certain cmd.
>
> Thanks

--
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.

From vadud3 at gmail.com Mon Apr 10 21:00:09 2017
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 10 Apr 2017 17:00:09 -0400
Subject: [tac_plus] restrict by time of the day
References: <20170410173811.GI9265@shrubbery.net>

On Mon, Apr 10, 2017 at 4:14 PM, Daniel Schmidt wrote:

> I've considered adding it to do_auth before, but this is the first time
> anybody expressed interest.

We have a requirement to deny any config change for a certain group during
trading hours

From alan.mckinnon at gmail.com Mon Apr 10 22:03:09 2017
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 11 Apr 2017 00:03:09 +0200
Subject: [tac_plus] restrict by time of the day
References: <20170410173811.GI9265@shrubbery.net>
Message-ID: <328920f7-330f-2224-459a-9f249210cf8b@gmail.com>

On 10/04/2017 23:00, Asif Iqbal wrote:
> On Mon, Apr 10, 2017 at 4:14 PM, Daniel Schmidt wrote:
>
>> I've considered adding it to do_auth before, but this is the first time
>> anybody expressed interest.
>
> We have a requirement to deny any config change for a certain group during
> trading hours

I haven't looked at do_auth.py for ages, but the idea is not too hard if
you have elementary Python coding knowledge[1].

Python support for time and day functions is extensive and high-quality.

[1] If not, now is an excellent time to google "python the hard way" and
work through the exercises. In many ways Python is the new Perl and almost
required knowledge for sysadmins, just like proficiency in writing
reasonable bash.

--
Alan McKinnon
alan.mckinnon at gmail.com

From Aaron.Wasserott at viawest.com Mon Apr 10 21:36:23 2017
From: Aaron.Wasserott at viawest.com (Aaron Wasserott)
Date: Mon, 10 Apr 2017 21:36:23 +0000
Subject: [tac_plus] restrict by time of the day
References: <20170410173811.GI9265@shrubbery.net>

Many firewall vendors support schedules in their firewall rules. That might
be an option, if you capture their traffic separately from everyone else.

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Asif Iqbal
Sent: Monday, April 10, 2017 3:00 PM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] restrict by time of the day

We have a requirement to deny any config change for a certain group during
trading hours

This message contains information that may be confidential, privileged or
otherwise protected by law from disclosure. It is intended for the exclusive
use of the addressee(s). Unless you are the addressee or authorized agent of
the addressee, you may not review, copy, distribute or disclose to anyone the
message or any information contained within. If you have received this
message in error, please contact the sender by electronic reply and
immediately delete all copies of the message.
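
The time-of-day check that the replies suggest adding to do_auth.py, written out as an added example; it is not part of any message in this thread and is not do_auth.py's code. It assumes the script is run by tac_plus as an authorization hook with the username as its first argument, receives the request's AV pairs one per line on stdin, and signals permit or deny through exit status 0 or 1. The user list, command list, time zone and trading hours are constructed values.

```python
#!/usr/bin/env python3
"""Time-of-day gate for a tac_plus authorization script (added example)."""
import sys
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Every value in this block is constructed for the example.
MARKET_TZ = "America/New_York"            # zone the freeze window is defined in
FREEZE_DAYS = {0, 1, 2, 3, 4}             # Monday..Friday
FREEZE_START, FREEZE_END = time(9, 30), time(16, 0)
FROZEN_USERS = {"alice", "bob"}           # hypothetical restricted group
CONFIG_CMDS = {"configure", "copy", "write", "reload", "erase"}
PERMIT, DENY = 0, 1                       # assumed exit codes: 0 permit, 1 deny


def parse_av_pairs(lines):
    """Return (cmd, args) from 'attr=value' lines; cmd is None if absent."""
    cmd, args = None, []
    for raw in lines:
        attr, sep, value = raw.strip().partition("=")
        if not sep:
            continue                      # not an AV pair, ignore
        if attr == "cmd":
            cmd = value.lower()
        elif attr == "cmd-arg" and value != "<cr>":
            args.append(value)
    return cmd, args


def in_freeze(now):
    """True if 'now' (wall-clock time in MARKET_TZ) is inside the window."""
    return (now.weekday() in FREEZE_DAYS
            and FREEZE_START <= now.time() < FREEZE_END)


def decide(user, av_lines, now):
    """Exit status for one request: deny config commands while frozen."""
    cmd, _args = parse_av_pairs(av_lines)
    if user in FROZEN_USERS and in_freeze(now) and cmd in CONFIG_CMDS:
        return DENY
    return PERMIT                         # logins and show commands still pass


def main():
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    # Ask for the time in the market's zone so DST shifts move the window
    # with the exchange rather than with the server's own clock settings.
    now = datetime.now(ZoneInfo(MARKET_TZ))
    return decide(user, sys.stdin.readlines(), now)


if __name__ == "__main__":
    sys.exit(main())
```

The gate only covers what the TACACS+ server is asked to authorize, so devices must have per-command authorization enabled for configuration commands to reach it at all.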