04-12-2013 06:45 AM
Hi all, need help in figuring out how, when any user runs clear arp-cache, the command doesn't actually execute. It's easy to do with IOS, but with XR I am having trouble coming up with a script. Any ideas? XR doesn't have privilege commands and the customer does not want to use AAA.
Regards,
neel
04-12-2013 07:03 AM
What version of XR is this? I know 4.3 has a CLI ED, but it isn't the same as IOS. The policy will execute as a new process, so it may not actually skip the execution. If it would work, something like this would do it:
::cisco::eem::event_register_cli pattern "^clear arp-cache"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
puts "clear arp-cache is not allowed"
exit 0
04-12-2013 07:07 AM
Currently running only 4.2.3. This is basically a workaround for a bugfix :) So nothing currently in 4.2.3, I am guessing?
04-12-2013 08:43 AM
Looks like 4.2 has the same ED support. The same caveat applies, though. It may be asynchronous only, and thus not prevent the command from running.
04-12-2013 02:32 PM
That doesn't seem to work for some reason. The command still executes. Here's a snippet:
event manager directory user policy harddisk:
event manager policy arp_tcl.tcl username eem persist-time 3600
aaa authorization eventmanager default local
RP/0/RSP0/CPU0:rasr9k-1y#more harddisk:arp_tcl.tcl
Sat Apr 13 06:19:15.707 UTC
::cisco::eem::event_register_cli pattern "^clear arp-cache location 0/0/CPU0"
#------------------------------------------------------------------
# EEM policy to prevent a command
#
# April 2013
#
# Copyright (c) 2013 by cisco Systems, Inc.
# All rights reserved.
#------------------------------------------------------------------
#
#
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
#
puts "clear arp-cache is not allowed"
exit 0
My ARP still clears:
-------------------------------------------------------------------------------
0/0/CPU0
-------------------------------------------------------------------------------
Address Age Hardware Addr State Type Interface
172.29.1.1 - 6c9c.ed2d.375a Interface ARPA TenGigE0/0/0/2
172.29.1.2 00:00:02 000d.662d.3540 Dynamic ARPA TenGigE0/0/0/2
RP/0/RSP0/CPU0:rasr9k-1y#
Any other ideas?
04-13-2013 10:47 AM
Do you see the puts string being output in the logging buffer? If so, then this is what I feared. The CLI ED works asynchronously in XR, and the command cannot be prevented from executing. The alternative in that case would be to use AAA command authorization.
04-11-2024 01:23 AM
Just to give an answer after such a long time for any future readers that might come across this thread. You would have to use the synchronous mode. Just add this:
::cisco::eem::event_register_cli pattern "^clear arp-cache location 0/0/CPU0" sync yes
You can optionally also add the maxrun timer, as these events time out after 20s by default.
::cisco::eem::event_register_cli pattern "^clear arp-cache location 0/0/CPU0" sync yes maxrun 10
So if you know your command does not take longer than 3s, you can decrease the timeout; or if you have huge scripts that do firmware updates, you may have to increase this to 600, meaning 10 min...
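Putting the pieces of this thread together, here is an added example (not code posted by anyone in the thread) of a complete synchronous policy that combines sync yes and maxrun with a syslog record of each blocked attempt. It assumes the exit-status convention the earlier scripts rely on (exit 0 = do not run the command) and that event_reqinfo returns a msg element and action_syslog is available on the reader's XR release; check both against the EEM documentation for your version.

```tcl
::cisco::eem::event_register_cli pattern "^clear arp-cache" sync yes maxrun 10
#------------------------------------------------------------------
# Added example: synchronous CLI-ED policy that blocks "clear arp-cache"
# and leaves an audit record of the attempt.
# Assumptions (verify for your XR release):
#   - exit 0 from a sync policy suppresses the command, exit 1 allows it
#   - event_reqinfo returns a "msg" element with the matched command
#   - action_syslog is available to the policy
#------------------------------------------------------------------
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Fetch the event details; "msg" holds the command that matched the pattern.
array set info [event_reqinfo]
set cmd $info(msg)

# Write to the logging buffer so operators (and any syslog-based
# monitoring) can see that the command was attempted and blocked.
action_syslog priority warning msg "EEM blocked CLI command: $cmd"

# exit 0 tells the CLI ED not to execute the command.
# Use exit 1 instead if you only want to log and let the command proceed.
exit 0
```

Because the policy runs synchronously, keep its body short so it finishes well inside the maxrun window; if it times out, the command may run anyway.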