Accounting

These scenarios show accounting feature when secure mode is enabled. All logs are stored in file: running://log/user/audit_file/audit_file

File Logs

Description

Show different logs stored in audit file

Scenario

Step 1: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

Secure mode started
Show output
2024-10-30 13:09:31.783076 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="296530" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-30 13:09:31.806313 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-30 13:09:31.806376 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="330611" x-info="https://www.rsyslog.com"] start
2024-10-30 13:09:31.807073 daemon-info , modulelauncher[330607]:  Secure mode started
2024-10-30 13:09:33.207396 auth-notice , OSDxCLI:  User 'admin' has logged in.

Step 2: Run command show running at DUT0 and expect this output:

Show output
# Teldat OSDx VM version v4.2.1.1
# Wed 30 Oct 2024 13:09:33 +00:00
# Warning: Configuration has not been saved
set system login user admin authentication encrypted-password '$6$SR7qCBxwG/NqsPYt$cljPqTqffhPT90RJhLwy9fU8mYRsz62Moq.upMN22S9edZVtHbEDb6BxCZZ71vGUzLgv8ai3RjEdWOWDxl8q20'
set system security medium

Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' executed a new command: 'show running'
Show output
2024-10-30 13:09:31.783076 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="296530" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-30 13:09:31.806313 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-30 13:09:31.806376 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="330611" x-info="https://www.rsyslog.com"] start
2024-10-30 13:09:31.807073 daemon-info , modulelauncher[330607]:  Secure mode started
2024-10-30 13:09:33.207396 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-10-30 13:09:33.328436 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-10-30 13:09:33.399893 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'show running'.

Step 4: Set the following configuration in DUT0:

set system cli configuration logging cli info
set system login user admin authentication encrypted-password '$6$SR7qCBxwG/NqsPYt$cljPqTqffhPT90RJhLwy9fU8mYRsz62Moq.upMN22S9edZVtHbEDb6BxCZZ71vGUzLgv8ai3RjEdWOWDxl8q20'
set system security medium

Step 5: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' committed the configuration
Show output
2024-10-30 13:09:31.783076 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="296530" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-30 13:09:31.806313 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-30 13:09:31.806376 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="330611" x-info="https://www.rsyslog.com"] start
2024-10-30 13:09:31.807073 daemon-info , modulelauncher[330607]:  Secure mode started
2024-10-30 13:09:33.207396 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-10-30 13:09:33.328436 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-10-30 13:09:33.399893 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'show running'.
2024-10-30 13:09:33.570509 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-10-30 13:09:33.722095 auth-notice , OSDxCLI:  User 'admin' entered the configuration menu.
2024-10-30 13:09:33.804875 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system cli configuration logging cli info'.
2024-10-30 13:09:33.886494 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'show working'.
2024-10-30 13:09:33.958596 user-warning , OSDxCLI:  Signal 10 received
2024-10-30 13:09:33.960941 auth-notice , OSDxCLI:  User 'admin' committed the configuration.
2024-10-30 13:09:34.032051 auth-notice , OSDxCLI:  User 'admin' left the configuration menu.

Hidden Passwords

Description

Plain passwords are not displayed

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server tacacs TAC1 address 10.215.168.1
set system aaa server tacacs TAC1 encrypted-key U2FsdGVkX1/DKxqSEbsR0rF6QNwfdpsj2pn/UqC2nX4=
set system login user admin authentication encrypted-password '$6$JghCndoX1Gif9ZQK$DUBxiEAHlyR/wSbDigfngilc7JfXcDmEoN89IbFVIsrNnyqoPO3ZTfHwya/BrnHIxdXkCyBL4kI/CVIRfOwe7/'
set system security medium

Step 2: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 key ******'
Show output
2024-10-30 13:09:41.848929 daemon-info , modulelauncher[331031]:  Secure mode started
2024-10-30 13:09:41.815677 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="330742" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-10-30 13:09:41.848694 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-10-30 13:09:41.848728 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="331035" x-info="https://www.rsyslog.com"] start
2024-10-30 13:09:43.180354 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-10-30 13:09:43.305116 auth-notice , OSDxCLI:  User 'admin' entered the configuration menu.
2024-10-30 13:09:43.401572 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
2024-10-30 13:09:43.469587 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 key ******'.
2024-10-30 13:09:43.554053 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 address 10.215.168.1'.
2024-10-30 13:09:43.639899 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'show working'.
2024-10-30 13:09:43.837356 auth-notice , OSDxCLI:  User 'admin' committed the configuration.
2024-10-30 13:09:43.854427 auth-notice , OSDxCLI:  User 'admin' left the configuration menu.

Audit file permissions

Description

Non admin user is allowed to open audit file

Scenario

Step 1: Set the following configuration in DUT0:

set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$mvKBOL3TqXWfyjFh$XOhR6IV2LMS7fz2neWSJMnxugvTHlPZ1S5JtMX79HDqI00PKx7CnwIojqUMyI4GINHC3xPYF8LM5tPHzKOy5m.'
set system login user test authentication encrypted-password '$6$UV6nWjQxtEmc4NwB$tCuG83ITBH0TENI10X4P3B4PGU7rI6cRhjvkE9Nd1NtQGVSyUbxZ6WNwqzMaBwyezYwfJbP5ev6Oqrj0CHuOX1'
set system login user test role cfg
set system security medium

Step 2: Login as test with password tEst!2qqqqqq

Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

Permission denied
Show output
hexdump: /opt/vyatta/etc/config/log/user/audit_file/audit_file: Permission denied
hexdump: all input file arguments failed