09-14-2010 10:39 PM - edited 03-10-2019 05:24 PM
Hello everyone.
I have a question about accounting on the PIX.
I understand that it is an old device, however we have one. I want to log any command which was executed during an SSH session through the accounting feature.
aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Auth
But it logged only the amount of traffic passing through, not the activities. (Actually it works perfectly on other devices such as modern Catalysts.)
I have found the question on these forums, but from May 11, 2003 (https://supportforums.cisco.com/message/855167#855167)
They said that this feature does work on PIX.
We use the latest PIX version, PIX Version 8.0(4) (11-AUG-2008).
Maybe something has changed since 2003.
I need to know exactly whether this feature exists on the PIX or not.
Please, help me find out.
Best Regards,
Denis
09-22-2010 06:07 AM
Hi Denis,
You can try one thing; I guess it should work, because according to the document:
You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI. If you customize the command privilege level using the privilege command (see the "Assigning Privilege Levels to Commands and Enabling Authorization" section), you can limit which commands the security appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
To enable command accounting, enter the following command:
hostname(config)# aaa accounting command [privilege level] server-tag
Where level is the minimum privilege level and server-tag is the name of the TACACS+ server group to which the security appliance should send command accounting messages. The TACACS+ server group configuration must already exist. For information about configuring a AAA server group, see the "Identifying AAA Server Groups and Servers" section on page 13-12.
As far as I know, the AAA accounting available on PIX 7.x for Managing System Access is Command Accounting.
Please refer to the following link to configure Command Accounting on the device for administrative access, such as Telnet, SSH, etc. Here's a sample configuration for PIX 7.2:
aaa accounting http console mytacgroup
aaa accounting serial console mytacgroup
aaa accounting telnet console mytacgroup
aaa accounting ssh console mytacgroup
aaa accounting enable console mytacgroup
aaa accounting command mytacgroup
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1059882
thanks,
Vinay
09-24-2010 01:29 PM
Hi Denis,
It seems that you are looking to do command accounting for SSH sessions passing through the firewall. If that is the case, then accounting information will only include when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session. Unfortunately, for such sessions you will not be able to do command accounting.
Please refer to the link given below for more info:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535516
However, it is possible to know the commands (besides show commands) executed by a user logging directly into the firewall by configuring command accounting using the following command:
aaa accounting command
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535253
Hope it helps.
Thanks,
Amitashwa
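As an added illustration of the distinction both replies draw (not code from this thread or from Cisco), here is a small Python audit that reads a PIX/ASA configuration and reports whether only pass-through "aaa accounting include" is present, or whether "aaa accounting ... console" and "aaa accounting command" are configured against an existing TACACS+ server group. The two sample configurations and the host address are constructed for the example.

```python
import re
from typing import Dict

# Constructed sample: only pass-through traffic accounting, as in the question.
PASS_THROUGH_ONLY = """
aaa-server Auth protocol tacacs+
aaa-server Auth (inside) host 192.0.2.10
aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Auth
"""

# Constructed sample: management-plane accounting, as in the replies.
WITH_COMMAND_ACCOUNTING = """
aaa-server mytacgroup protocol tacacs+
aaa-server mytacgroup (inside) host 192.0.2.10
aaa accounting ssh console mytacgroup
aaa accounting enable console mytacgroup
aaa accounting command privilege 15 mytacgroup
"""

CONSOLE_RE = re.compile(r"^aaa accounting (http|serial|telnet|ssh|enable) console (\S+)$")
COMMAND_RE = re.compile(r"^aaa accounting command(?: privilege (\d+))? (\S+)$")
INCLUDE_RE = re.compile(r"^aaa accounting (include|exclude) ")
SERVER_RE = re.compile(r"^aaa-server (\S+) protocol tacacs\+$")

def audit_accounting(config: str) -> Dict[str, object]:
    """Summarise which kinds of AAA accounting a PIX/ASA config enables."""
    tacacs_groups, consoles, findings = set(), [], []
    command_group, command_level, pass_through = None, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            tacacs_groups.add(m.group(1))          # TACACS+ groups defined
        elif m := CONSOLE_RE.match(line):
            consoles.append(m.group(1))            # session start/stop accounting
        elif m := COMMAND_RE.match(line):
            command_level = int(m.group(1)) if m.group(1) else None  # None: level omitted
            command_group = m.group(2)
        elif INCLUDE_RE.match(line):
            pass_through = True                    # traffic through the box only
    if pass_through and command_group is None:
        findings.append("only pass-through traffic accounting: CLI commands are not logged")
    if command_group and command_group not in tacacs_groups:
        findings.append(f"command accounting references unknown TACACS+ group {command_group}")
    if command_group and "ssh" not in consoles:
        findings.append("no 'aaa accounting ssh console': SSH session start/stop not recorded")
    return {"pass_through": pass_through, "consoles": consoles,
            "command_group": command_group, "command_level": command_level,
            "findings": findings}
```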