Allowing certain commands
Closed this issue · 7 comments
Hi Marc!
Please tell me if it is possible to make a profile in such a config in which all commands are prohibited, except for a few? For example, only commands are allowed: "ping x.x.x.x" and "sh run"
The config is a modified example of "tac_plus-ng.cfg-shadow":
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen = { port = 49 }
spawn = { instances min = 1 instances max = 1 }
background = no
}
id = tac_plus-ng {
mavis module = external {
setenv SHADOWFILE = "/etc/shadow"
exec = /usr/local/lib/mavis/mavis_tacplus_shadow.pl
}
login backend = mavis chpass
host world {
address = ...
welcome banner = "Welcome!\n\n"
key = secretKey
}
profile fullAccess {
script {
if (service == shell) {
if (cmd == "") set priv-lvl = 15
permit
}
}
}
profile lvl1Access {
script {
if (service == shell) {
if (cmd == "") set priv-lvl = 1
permit
}
}
}
group tacAdmins
group observer
user tacAdmin {
password login = mavis
member = tacAdmins
}
user observer {
password login = mavis
member = observer
}
ruleset {
rule {
script {
if (member == tacAdmins) {profile = fullAccess permit}
if (member == observer) {profile = lvl1Access permit}
}
}
}
}
Hi,
sure, you can limit commands in a profile:
profile roAccess {
script {
if (service == shell) {
# message = "commandline=${cmd]" # uncomment that to see the command line
if (cmd == "") { set priv-lvl = 15 pemit } # permit exec
if (cmd =~ /^ping /) permit
if (cmd = /^show run/ permit
deny
}
}
}
Cheers,
Marc
Great! And how do I fix this? I came across it before when I was editing the config, but I couldn't figure it out
if (cmd =~ /
tac_plus-ng.cfg:40: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
10893: tac_plus-ng.cfg:40: You're using PCRE syntax, but this binary wasn't compiled with PCRE support.
10893: Detected fatal configuration error. Exiting.
It seems like I fixed an error related to PCRE. Installed additional packages and executed ./configure --with-pcre.
But the way you proposed to limit commands did not work, any commands are executed
Hi,
if PCRE (v2 will be mandatory soon) support is available (and "tac_plus-ng -v" confirms that) it's likely that your router/switch/whatever configuration lacks authorization directives. You're using the appropriate "aaa authorization command" statements (assuming that this is a Cisco device)?
Cheers,
Marc
I use the following Cisco settings (maybe I missed something):
!
tacacs server tpng
address ipv4 x.x.x.x
key secret
!
aaa group server tacacs+ tpnggp
server name tpng
!
aaa authentication login default group tpnggp local
aaa authorization exec default group tpnggp local
!
Hi,
I'd try
aaa authorization commands 15 default group tpnggp if-authenticated
and, eventually,
aaa authorization config-commands
Cheers,
Marc
It looks like it's working!
I'll figure it out a little better tomorrow.
Thank you very much Mark, you helped me a lot!