Accounting
These scenarios show accounting feature when secure mode is enabled. All logs are stored in file: running://log/user/audit_file/audit_file
File Logs
Description
Show different logs stored in audit file
Scenario
Step 1: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:
Secure mode startedShow output
2025-02-03 15:09:31.560063 syslog-info , rsyslogd: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="19939" x-info="https://www.rsyslog.com"] exiting on signal 15. 2025-02-03 15:09:31.577670 syslog-info , rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2302.0] 2025-02-03 15:09:31.577822 syslog-info , rsyslogd: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="20232" x-info="https://www.rsyslog.com"] start 2025-02-03 15:09:31.578610 daemon-info , modulelauncher[20228]: Secure mode started 2025-02-03 15:09:33.070784 auth-notice , OSDxCLI: User 'admin' has logged in.
Step 2: Run command show running at DUT0 and expect this output:
Show output
# Teldat OSDx VM version v4.2.1.3 # Mon 03 Feb 2025 15:09:33 +00:00 # Warning: Configuration has not been saved set system login user admin authentication encrypted-password '$6$45KRumJ9KvFuB0LX$URYVKd6adMPg1Z42CEXEIxVSyW3gBGkY75Vd0ZXkVJ50iPA2U1GE7oaIFRQgCgru4HSRx8bnQzQVIvjx6bahj.' set system security medium
Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:
User 'admin' executed a new command: 'show running'Show output
2025-02-03 15:09:31.560063 syslog-info , rsyslogd: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="19939" x-info="https://www.rsyslog.com"] exiting on signal 15. 2025-02-03 15:09:31.577670 syslog-info , rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2302.0] 2025-02-03 15:09:31.577822 syslog-info , rsyslogd: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="20232" x-info="https://www.rsyslog.com"] start 2025-02-03 15:09:31.578610 daemon-info , modulelauncher[20228]: Secure mode started 2025-02-03 15:09:33.070784 auth-notice , OSDxCLI: User 'admin' has logged in. 2025-02-03 15:09:33.238977 auth-notice , OSDxCLI: User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'. 2025-02-03 15:09:33.321135 auth-notice , OSDxCLI: User 'admin' executed a new command: 'show running'.
Step 4: Set the following configuration in DUT0:
set system cli configuration logging cli info set system login user admin authentication encrypted-password '$6$45KRumJ9KvFuB0LX$URYVKd6adMPg1Z42CEXEIxVSyW3gBGkY75Vd0ZXkVJ50iPA2U1GE7oaIFRQgCgru4HSRx8bnQzQVIvjx6bahj.' set system security medium
Step 5: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:
User 'admin' committed the configurationShow output
2025-02-03 15:09:31.560063 syslog-info , rsyslogd: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="19939" x-info="https://www.rsyslog.com"] exiting on signal 15. 2025-02-03 15:09:31.577670 syslog-info , rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2302.0] 2025-02-03 15:09:31.577822 syslog-info , rsyslogd: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="20232" x-info="https://www.rsyslog.com"] start 2025-02-03 15:09:31.578610 daemon-info , modulelauncher[20228]: Secure mode started 2025-02-03 15:09:33.070784 auth-notice , OSDxCLI: User 'admin' has logged in. 2025-02-03 15:09:33.238977 auth-notice , OSDxCLI: User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'. 2025-02-03 15:09:33.321135 auth-notice , OSDxCLI: User 'admin' executed a new command: 'show running'. 2025-02-03 15:09:33.519283 auth-notice , OSDxCLI: User 'admin' executed a new command: 'file show running://log/user/audit_file/audit_file'. 2025-02-03 15:09:33.677174 auth-notice , OSDxCLI: User 'admin' entered the configuration menu. 2025-02-03 15:09:33.782254 auth-notice , OSDxCLI: User 'admin' added a new cfg line: 'set system cli configuration logging cli info'. 2025-02-03 15:09:33.903472 auth-notice , OSDxCLI: User 'admin' added a new cfg line: 'show working'. 2025-02-03 15:09:34.018273 user-warning , OSDxCLI: Signal 10 received 2025-02-03 15:09:34.021897 auth-notice , OSDxCLI: User 'admin' committed the configuration. 2025-02-03 15:09:34.103024 auth-notice , OSDxCLI: User 'admin' left the configuration menu.
Audit file permissions
Description
Non admin user is allowed to open audit file
Scenario
Step 1: Set the following configuration in DUT0:
set system login role cfg level 10 set system login user admin authentication encrypted-password '$6$aSlFOMKItYpILf7.$AEOMVzRP1dcB8Rszt5V2j0h57urycUM72iqSjzzB.PuIgl.bXyL.L9IS7ljPbqQ1ai3N8N9jUQsemer6eocYV1' set system login user test authentication encrypted-password '$6$dM.gzOHM1m2rUBE7$MjsqThqZGqB/D3kdXW.xvc3ZaOMKQIiUlNAxNxLQXEvfhAy.fiPn0DiXSgOSe/fsDq62JrndaKaEreo/YDEJp/' set system login user test role cfg set system security medium
Step 2: Login as test with password tEst!2qqqqqq
Step 3: Run command file show running://log/user/audit_file/audit_file at DUT0 and check if output contains the following tokens:
Permission deniedShow output
hexdump: /opt/vyatta/etc/config/log/user/audit_file/audit_file: Permission denied hexdump: all input file arguments failed