02-21-2019 03:23 AM - edited 02-21-2019 03:26 AM
Hi all,
I need to prevent certain actions from being executed on my routers. The router administration is shared among dozens of privilege 15 (AAA) users.
So I need to prevent them, for example:
- From messing with the logging options
- From clearing the logs or the archive log
- Etc
I found a simple way to do that with EEM applets like those:
event manager applet DISABLE_LOGGING_SYSTEM_CHANGE
 ! alternation group, not a character class, so the whole keyword must match
 event cli pattern "logging (on|console|monitor|buffered)" sync no skip yes
!
event manager applet DISABLE_CLEAR_LOGGING
 event cli pattern "clear logging" sync no skip yes
!
event manager applet DISABLE_CLEAR_ARCHIVE
 event cli pattern "clear archive log config.*" sync no skip yes
!
event manager applet DISABLE_ARCHIVE_REMOVAL
 event cli pattern "no archive" sync no skip yes
!
They work just fine, however I would like to prevent other admins from messing with the applets themselves as well.
How good is an App when someone could simply run:
# conf t
no event manager applet X
To remove my App?
I thought of something like this:
event manager applet LOGGING_SYSTEM_ALWAYS_ON
 event cli pattern "no event manager applet (DISABLE_|LOGGING_).*" sync no skip yes
!
Which works and indeed prevents others from removing the applets, but not from messing with the applets' code.
What I really would like to do is:
event manager applet LOGGING_SYSTEM_ALWAYS_ON
 event cli pattern "event manager applet (DISABLE_|LOGGING_).*" sync no skip yes
This way, as I understand it, there would be NO WAY for someone to mess with or disable the applet. Not even myself, which is not what I intend.
Is there a way to restrict a command to all users except some known admins?
I thought of something along those lines:
event manager applet NO_CLEAR_ARCHIVE
 event cli pattern "clear archive log.*" sync yes occurs 1
 if _some_username_variable == userX or userY
 then
  ! Command will be executed normally.
  action 1 set _exit_status "1"
 else
  action 10 syslog facility "SUPERUSER" msg "Unauthorized, event will be reported"
  action 99 set _exit_status "0"
 end
Of course, the items in red (the if/then/else/end lines) are pseudocode.
So, is there a way to get the username running or triggering the applet?
- Is there an environment variable for this?
- Can we parse the output from the cli ("from the who command for example") and match it in a simple way?
Any help will be greatly appreciated.
Thanks in advance for your time.
Warm regards,
Fábio Rocha.
02-21-2019 06:33 AM - edited 02-21-2019 06:36 AM
First, I am not sure why you are not doing what you want with either the AAA server or Role Based Access Control (RBAC).
But that's fine; if you insist on doing that with EEM, I can give you some information. But I did not try it, so I'm not 100% sure it works.
event manager applet model
 event cli pattern "clear archive log.*" sync yes occurs 1
 ! enter enable mode first, otherwise the applet's CLI session rejects the command
 action 005 cli command "enable"
 action 010 cli command "show users | in ^\*"
 ! expected output line, e.g.: * 2 vty 0 network_admin idle 00:00:00 10.1.1.1
 ! you simply grep the username from the above output by regex. I did NOT test the below regexp, you may need to fix it.
 ! submatch 1 = line type (vty/con), submatch 2 = username
 action 020 regexp "^\*[ \t]+[0-9]+ (vty|con) [0-9]+[ \t]+([^\s]+)[ \t]+idle.*" "$_cli_result" match line username
 action 030 if $username eq "networkadmin"
 action 040  set _exit_status "1"
 action 050 else
 action 060  syslog facility "SUPERUSER" msg "Unauthorized, event will be reported"
 action 070  set _exit_status "0"
 action 080 end
02-21-2019 12:18 PM
First of all, thank you for your answer.
Quoting your questions real quick:
>>First, I am not sure why you are not doing what you want by either AAA server / Role Based Access Control (RBAC).
Because I do not control the AAA servers.
>>But that's fine, if you insist to doing that with EEM, I could give you some information. But I did not try it, not 100% sure if it work.
I followed your logic and I think it might work... however I have put it to the test and found the following.
1. To be able to execute any CLI command, I have to add an enable action first, otherwise it fails.
So this doesn't work:
 action 010 cli command "show users | in ^\*"
while this does:
 action 09 cli command "enable"
 action 10 cli command "show users"
Sorry if I am missing some obvious point here -- I think I am -- because it shouldn't be necessary to enable before executing a simple "show users" command, but it fails otherwise.
Without enabling first, this is the result I get:
AZ01-APP-RT02#clear logging
show users
^
% Invalid input detected at '^' marker.
2. When the script runs, it's not my user I see, but an EEM one! Take a look:
Running the script like this:
event manager applet teste
 event cli pattern "clear logging" sync yes occurs 1
 action 09 cli command "enable"
 action 10 cli command "show users"
 action 11 puts "$_cli_result"
I get this output:
AZ01-APP-RT02#clear logging
Line User Host(s) Idle Location
2 vty 0 idle 00:00:01 218.92.1.148
3 vty 1 tvt01739 idle 00:00:00 191.163.164.236
4 vty 2 rtadmin idle 00:32:53 191.163.164.236
* 5 vty 3 idle 00:00:00 EEM:teste
Interface User Mode Idle Peer Address
AZ01-APP-RT02#
I am certainly doing something wrong here, I appreciate any insight about this, because your regexp seems fine and it should work if it found the correct user.
Thanks,
Fábio.
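As an added example (not code from the thread), the parsing step from the answer above, run offline against constructed "show users" output: the answer's regular expression does extract the user from the "*" line of an interactive session, but on output like the one the applet itself produced (the "*" line is the EEM session, with an empty User column) it matches nothing, so the applet would deny the command. The function and sample names are my own.

```python
import re

# Regular expression from the answer above, in Python syntax.
# Group 1: line type (vty/con), group 2: the username on the '*' (current) line.
ACTIVE_LINE_RE = re.compile(
    r"^\*[ \t]+[0-9]+ (vty|con) [0-9]+[ \t]+([^\s]+)[ \t]+idle.*", re.MULTILINE
)

def active_username(show_users_output):
    """Return (line_type, username) for the '*' line of 'show users', or None
    when that line has no User column (e.g. the applet's own EEM session)."""
    m = ACTIVE_LINE_RE.search(show_users_output)
    return (m.group(1), m.group(2)) if m else None

def is_authorized(show_users_output, allowed=("network_admin",)):
    """Mirror the applet's decision: only an exact username match lets the
    command run; no match (including the EEM-session case) denies it."""
    found = active_username(show_users_output)
    return found is not None and found[1] in allowed

# Constructed sample 1: the case the answer assumes, an interactive admin session.
INTERACTIVE = """Line       User           Host(s)  Idle      Location
*  2 vty 0     network_admin  idle     00:00:00  10.1.1.1
"""

# Constructed sample 2: modelled on what the original poster saw when the applet
# ran 'show users' itself; the '*' line is the EEM session and has no user.
FROM_APPLET = """Line       User           Host(s)  Idle      Location
   2 vty 0                    idle     00:00:01  218.92.1.148
   3 vty 1     tvt01739       idle     00:00:00  191.163.164.236
   4 vty 2     rtadmin        idle     00:32:53  191.163.164.236
*  5 vty 3                    idle     00:00:00  EEM:teste
"""

if __name__ == "__main__":
    print("interactive session:", active_username(INTERACTIVE), is_authorized(INTERACTIVE))
    print("from applet:", active_username(FROM_APPLET), is_authorized(FROM_APPLET))
```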
02-21-2019 11:48 PM