Mandatory EEM Policy prefix

Hi all,

I came across the prefix Mandatory. for EEM policies.

Can anyone shed some light on it?

How do you register a Mandatory policy?

How do you make it persistent after a reboot?

Is there a special command for them?

I tried creating a policy with the Mandatory prefix, I rebooted the router, and the policy was not registered automatically as specified in the documentation.

This is a really good way of ensuring the security process is followed even if someone removes the policy registration from the configuration.



Cisco Employee

Hi Sotiris,

The automatic registration of mandatory policies is only for policies included with the image, i.e. only system policies can be mandatory policies.

The functionality was primarily included for the automatic registration of policies for platform specific or platform independent EEM policies. Automatic registration of non-system policies would be considered a security risk because it would allow someone to find some way to place a file into the location where EEM scripts are allowed (and with remote EEM policies in EEM 4.0 this could be even easier) and either wait for the box to restart or utilize some known vulnerability to cause the box to restart to get the policy to register. In other words the policy could be registered without entering config mode and changing the config. With the way mandatory policies work, it won't show up in the config at all. Therefore, we have isolated mandatory policies to system policies only.

Users can override mandatory policies to include additional options if needed or to change them in some way but at that point the config has to be changed to make that change and the policy is no longer a mandatory system policy, it becomes a user policy and shows up in the config.
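An added audit helper, written for this page and not code from the thread or from Cisco, that applies the distinction in the reply above: a registered policy is expected to be absent from the running-config only when it is a system policy with the Mandatory. prefix; any other registered policy that has no `event manager policy` line is worth investigating. The column layout of `show event manager policy registered` and all policy names below are constructed assumptions for the example.

```python
import re

# Constructed sample of `show event manager policy registered` output. The
# column layout is an assumption for this example, not copied from a device.
REGISTERED = """\
No.  Class   Type    Event Type          Trap  Time Registered           Name
1    script  system  none                Off   Mon Jan  1 00:00:01 2024  Mandatory.example_sys.tcl
2    script  user    syslog              Off   Mon Jan  1 00:00:02 2024  audit_syslog.tcl
3    script  user    timer watchdog      Off   Mon Jan  1 00:00:03 2024  unexpected.tcl
"""

# Constructed running-config fragment; only the EEM lines matter here.
RUNNING_CONFIG = """\
event manager directory user policy "flash:/eem"
event manager policy audit_syslog.tcl type user
"""


def parse_registered(text):
    """Yield (number, class, type, name) per policy row; skips header/blank lines.
    Event Type and Time Registered contain spaces, so the name is the last token."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[2], parts[-1]))
    return rows


def configured_policies(config):
    """Names registered through `event manager policy <name> ...` in the config."""
    return {m.group(1) for m in re.finditer(r"^event manager policy (\S+)", config, re.M)}


def audit(registered_text, config):
    """Classify each registered policy:
    - 'mandatory-system': Mandatory. system policy, expected to be absent from config
    - 'configured': backed by an `event manager policy` line (incl. user overrides)
    - 'unconfigured': registered with no config line -> investigate how it got there
    """
    cfg = configured_policies(config)
    result = {}
    for _, _, ptype, name in parse_registered(registered_text):
        if ptype == "system" and name.startswith("Mandatory."):
            result[name] = "mandatory-system"
        elif name in cfg:
            result[name] = "configured"
        else:
            result[name] = "unconfigured"
    return result
```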


