Accounting

These scenarios show accounting feature when secure mode is enabled. All logs are stored in file: running://log/user/audit_file/audit_file

File Logs

Description

Show different logs stored in audit file

Scenario

Step 1: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

Secure mode started
Show output
2024-10-07 10:37:33.821326 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="131691" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-07 10:37:33.865690 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-07 10:37:33.865714 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="131978" x-info="https://www.rsyslog.com"] start
2024-10-07 10:37:33.866479 daemon-info , modulelauncher[131974]:  Secure mode started
2024-10-07 10:37:35.162774 auth-notice , OSDxCLI:  User 'admin' has logged in.

Step 2: Run command show running at DUT0 and expect this output:

Show output
# Teldat OSDx VM version v4.2.1.0
# Mon 07 Oct 2024 10:37:35 +00:00
# Warning: Configuration has not been saved
set system login user admin authentication encrypted-password '$6$INnI4e88s0Xq1v9h$X9YAbVQddt5qtXy2gleHTaZM/t2hKIQ.Ryu9QGT8eB00xPXXVvNOdAmbOT4arO8eK.ZwOuGrVfSMxzAkUgFfJ.'
set system security medium

Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' executed a new command: 'show running'
Show output
2024-10-07 10:37:33.821326 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="131691" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-07 10:37:33.865690 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-07 10:37:33.865714 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="131978" x-info="https://www.rsyslog.com"] start
2024-10-07 10:37:33.866479 daemon-info , modulelauncher[131974]:  Secure mode started
2024-10-07 10:37:35.162774 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-10-07 10:37:35.275727 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-10-07 10:37:35.323892 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'show running'.

Step 4: Set the following configuration in DUT0:

set system cli configuration logging cli info
set system login user admin authentication encrypted-password '$6$INnI4e88s0Xq1v9h$X9YAbVQddt5qtXy2gleHTaZM/t2hKIQ.Ryu9QGT8eB00xPXXVvNOdAmbOT4arO8eK.ZwOuGrVfSMxzAkUgFfJ.'
set system security medium

Step 5: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' committed the configuration
Show output
2024-10-07 10:37:33.821326 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="131691" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-07 10:37:33.865690 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-07 10:37:33.865714 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="131978" x-info="https://www.rsyslog.com"] start
2024-10-07 10:37:33.866479 daemon-info , modulelauncher[131974]:  Secure mode started
2024-10-07 10:37:35.162774 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-10-07 10:37:35.275727 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-10-07 10:37:35.323892 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'show running'.
2024-10-07 10:37:35.474910 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-10-07 10:37:35.594718 auth-notice , OSDxCLI:  User 'admin' entered the configuration menu.
2024-10-07 10:37:35.654501 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system cli configuration logging cli info'.
2024-10-07 10:37:35.724215 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'show working'.
2024-10-07 10:37:35.786888 user-warning , OSDxCLI:  Signal 10 received
2024-10-07 10:37:35.789056 auth-notice , OSDxCLI:  User 'admin' committed the configuration.
2024-10-07 10:37:35.853565 auth-notice , OSDxCLI:  User 'admin' left the configuration menu.

Hidden Passwords

Description

Plain passwords are not displayed

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server tacacs TAC1 address 10.215.168.1
set system aaa server tacacs TAC1 encrypted-key U2FsdGVkX18HJMq2JrDZKGy8eWq3zzg9c8J1qlwsiGU=
set system login user admin authentication encrypted-password '$6$NLlk4/D0fmeLS4sI$TEp1GkcK4990.Tj7Y1e0Qu4rE6VdozOiXdZfGX3L6qIlqlsYiXsjWIUHsQ9nYJ2bXqo5WuvIZ0FT4EpArhv74/'
set system security medium

Step 2: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 key ******'
Show output
2024-10-07 10:37:42.720496 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="132108" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-07 10:37:42.755890 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-07 10:37:42.756102 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="132401" x-info="https://www.rsyslog.com"] start
2024-10-07 10:37:42.756662 daemon-info , modulelauncher[132397]:  Secure mode started
2024-10-07 10:37:44.055868 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-10-07 10:37:44.174559 auth-notice , OSDxCLI:  User 'admin' entered the configuration menu.
2024-10-07 10:37:44.242852 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
2024-10-07 10:37:44.299926 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 key ******'.
2024-10-07 10:37:44.398049 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 address 10.215.168.1'.
2024-10-07 10:37:44.466113 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'show working'.
2024-10-07 10:37:44.586072 auth-notice , OSDxCLI:  User 'admin' committed the configuration.
2024-10-07 10:37:44.607696 auth-notice , OSDxCLI:  User 'admin' left the configuration menu.

Audit file permissions

Description

Non admin user is allowed to open audit file

Scenario

Step 1: Set the following configuration in DUT0:

set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$RrZLd9URlW/NP68d$sY0fqCOLiTQMHVEmmvcli7E71s2qj.dMcugnzLtDfFynN9jZZCkyNdf4ztGPxAnDEIbbxCbOpKoVZMyKxsCkA0'
set system login user test authentication encrypted-password '$6$YhZZbMJ230aKZTkB$6zO4jHpq/m7Isb6XBAT6VfUMOC2WdfUdZogV3TtCIEH0JEF0QbMYHwtdP8oj1Sez.uc2pQy1Mr6fSI7B4Cuq71'
set system login user test role cfg
set system security medium

Step 2: Login as test with password tEst!2qqqqqq

Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

Permission denied
Show output
hexdump: /opt/vyatta/etc/config/log/user/audit_file/audit_file: Permission denied
hexdump: all input file arguments failed