Accounting

These scenarios show accounting feature when secure mode is enabled. All logs are stored in file: running://log/user/audit_file/audit_file

File Logs

Description

Show different logs stored in audit file

Scenario

Step 1: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

Secure mode started

Show output

2024-12-03 14:55:22.721222 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314432" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-12-03 14:55:22.752134 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-12-03 14:55:22.752202 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314567" x-info="https://www.rsyslog.com"] start
2024-12-03 14:55:22.752655 daemon-info , modulelauncher[314563]:  Secure mode started
2024-12-03 14:55:24.267673 auth-notice , OSDxCLI:  User 'admin' has logged in.

Step 2: Run command show running at DUT0 and expect this output:

Show output

# Teldat OSDx VM version v4.2.1.2
# Tue 03 Dec 2024 14:55:24 +00:00
# Warning: Configuration has not been saved
set system login user admin authentication encrypted-password '$6$OJ.Z5CLDH68Cv7Du$Sh.wZMXDlOP7aOG9A0bZ8LX2XQqBl3V7mddmwyuvW/jzpYNROllDvX4J0FixQNd/OQCs/2RRSrxUWw/BHxq40/'
set system security medium

Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' executed a new command: 'show running'

Show output

2024-12-03 14:55:22.721222 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314432" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-12-03 14:55:22.752134 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-12-03 14:55:22.752202 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314567" x-info="https://www.rsyslog.com"] start
2024-12-03 14:55:22.752655 daemon-info , modulelauncher[314563]:  Secure mode started
2024-12-03 14:55:24.267673 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-12-03 14:55:24.386628 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-12-03 14:55:24.434740 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'show running'.

Step 4: Set the following configuration in DUT0:

set system cli configuration logging cli info
set system login user admin authentication encrypted-password '$6$OJ.Z5CLDH68Cv7Du$Sh.wZMXDlOP7aOG9A0bZ8LX2XQqBl3V7mddmwyuvW/jzpYNROllDvX4J0FixQNd/OQCs/2RRSrxUWw/BHxq40/'
set system security medium

Step 5: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' committed the configuration

Show output

2024-12-03 14:55:22.721222 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314432" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-12-03 14:55:22.752134 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-12-03 14:55:22.752202 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314567" x-info="https://www.rsyslog.com"] start
2024-12-03 14:55:22.752655 daemon-info , modulelauncher[314563]:  Secure mode started
2024-12-03 14:55:24.267673 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-12-03 14:55:24.386628 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-12-03 14:55:24.434740 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'show running'.
2024-12-03 14:55:24.590396 auth-notice , OSDxCLI:  User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'.
2024-12-03 14:55:24.706297 auth-notice , OSDxCLI:  User 'admin' entered the configuration menu.
2024-12-03 14:55:24.764611 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system cli configuration logging cli info'.
2024-12-03 14:55:24.831412 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'show working'.
2024-12-03 14:55:24.892935 user-warning , OSDxCLI:  Signal 10 received
2024-12-03 14:55:24.894995 auth-notice , OSDxCLI:  User 'admin' committed the configuration.
2024-12-03 14:55:24.964860 auth-notice , OSDxCLI:  User 'admin' left the configuration menu.

---

Hidden Passwords

Description

Plain passwords are not displayed

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set system aaa server tacacs TAC1 address 10.215.168.1
set system aaa server tacacs TAC1 encrypted-key U2FsdGVkX19rDOe4nzuLuW2r+cIpZg2ZeP/VKjH022U=
set system login user admin authentication encrypted-password '$6$4095i/.twI5qHNd3$EV.DgK2JmLYx6pj4MYO5k33p.pyCGhZ9EED8TZiuyh32N5EnBZ1Iemknej0j26E6FDPyjv9PZDzEU3kDdWo4p0'
set system security medium

Step 2: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 key ******'

Show output

2024-12-03 14:55:32.566535 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314697" x-info="https://www.rsyslog.com"] exiting on signal 15.
2024-12-03 14:55:32.592017 daemon-info , modulelauncher[314944]:  Secure mode started
2024-12-03 14:55:32.591501 syslog-info , rsyslogd:  imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
2024-12-03 14:55:32.591525 syslog-info , rsyslogd:  [origin software="rsyslogd" swVersion="8.2302.0" x-pid="314948" x-info="https://www.rsyslog.com"] start
2024-12-03 14:55:34.150107 auth-notice , OSDxCLI:  User 'admin' has logged in.
2024-12-03 14:55:34.288864 auth-notice , OSDxCLI:  User 'admin' entered the configuration menu.
2024-12-03 14:55:34.359743 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
2024-12-03 14:55:34.461359 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 key ******'.
2024-12-03 14:55:34.513850 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'set system aaa server tacacs TAC1 address 10.215.168.1'.
2024-12-03 14:55:34.624005 auth-notice , OSDxCLI:  User 'admin' added a new cfg line: 'show working'.
2024-12-03 14:55:34.818172 auth-notice , OSDxCLI:  User 'admin' committed the configuration.
2024-12-03 14:55:34.834788 auth-notice , OSDxCLI:  User 'admin' left the configuration menu.

---

Audit file permissions

Description

Non admin user is allowed to open audit file

Scenario

Step 1: Set the following configuration in DUT0:

set system login role cfg level 10
set system login user admin authentication encrypted-password '$6$XZnOiIluXKBC/Wso$w1TLiJYT8ouqa5wqgzplmdJnB423q.j0ASAECT8VnQIWi3cnqLwr9CE.jvk/XunfMn5On3XN/S27lGhUC0tnJ.'
set system login user test authentication encrypted-password '$6$yVlKYPFi/6HVutgC$JAVpBi50WX6lsPG3mzRRuoPScXcMV4tJL0RRtitVm4DX3qagYUOkvfy2Vrur3pY8MPFerj8dxH2v/HamP9lJf/'
set system login user test role cfg
set system security medium

Step 2: Login as test with password tEst!2qqqqqq

Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:

Permission denied

Show output

hexdump: /opt/vyatta/etc/config/log/user/audit_file/audit_file: Permission denied
hexdump: all input file arguments failed

---