10-01-2008 05:17 AM - edited 03-11-2019 06:51 AM
Is it possible to get the following information on ASA? I need to know who logged in for last so many days and what changes they did? Could you kindly help?
Thanks...
10-01-2008 06:26 AM
There is no direct way of knowing this, at least without any third-party s/w.
ASA generates syslogs when anyone logs in and also generates a log for every command that person ran. These syslogs are generated at level 7.
If you can set up a syslog server where syslogs at level 7 are sent, you can get the info you need. It's just that you would need to do a manual search for the log IDs.
I can give you the IDs which you need to search in syslogs:
%PIX|ASA-5-611103: User logged out: Uname: user
%PIX|ASA-5-111008: User user executed the command string
Here are the steps for setting up the syslog server.
First you would need to install syslog server software on one of the computers. You may download one of the popular ones, the Kiwi Syslog server, from http://www.kiwisyslog.com/software_downloads.htm . It is listed as Kiwi Syslog Daemon and the latest version is 8.2.8. You may download the standard edition that runs as a program.
Once the syslog server is installed you will then need to log in to the ASA in configuration terminal mode and enter the following commands:
logging host [in_if_name] ip_address
(example: logging host inside 1.2.3.4
We are assuming the syslog server is installed on a computer with IP address 1.2.3.4 in the inside network.)
logging timestamp
logging trap 4
logging on
These commands will enable the ASA to start sending syslog messages to the syslog server.
For more information on logging commands you may refer to this URL:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008010578b.html#1028090
----------------------------------------------------------------------------------
Trap levels:
0 - emergencies - System unusable messages
1 - alerts - Take immediate action
2 - critical - Critical condition
3 - errors - Error message
4 - warnings - Warning message
5 - notifications - Normal but significant condition
6 - informational - Information message
7 - debugging - Debug messages and log FTP commands and WWW URLs
Do rate helpful posts.
Regards,
Sushil
10-05-2008 01:52 AM
Dear,
I have tried with the same configuration as given below:
logging enable
logging timestamp
logging trap debugging
logging host inside X.X.X.X
Other than using trap level 4, I have used 7 because I want to see every single event. Basically my requirement is to know which user is doing what, or running which command. I am getting the report on my syslog server but it is not showing the exact username. It is only showing [User "enable_15"]. But I want to see the name of the user.
Here are some syslog messages:
1)03:42 PM y.y.y.y Notice User 'enable_15' executed the 'logging host inside x.x.x.x' command.
2)03:42 PM y.y.y.y Notice User 'enable_15' executed the 'logging trap debugging' command.
3)03:42 PM y.y.y.y Notice User 'enable_15' executed the 'logging timestamp' command.
I am using SolarWinds Syslog, and AAA is enabled in my firewall.
Any suggestions?
Regards
Adnan
10-06-2008 05:05 AM
enable_15 is the default user.
That tells me someone logged in without using AAA server credentials.
Are you sure AAA is implemented for all sorts of access?
aaa authentication ssh console AAA_SERVER_NAME
The above command will implement AAA for SSH access.
Do you have similar commands for HTTP, Telnet and console access?
aaa authentication http console AAA_SERVER_NAME
aaa authentication telnet console AAA_SERVER_NAME
aaa authentication serial console AAA_SERVER_NAME
If not, someone is logging in using the username "pix".
If helpful, please rate.
Regards,
Sushil
10-01-2008 07:13 AM
YES, it CAN be done. You need an AAA server for this. You can set up AAA accounting on the ASA.
There were some issues with AAA accounting on ASA/PIX, like the ASA not sending the right IP address of the workstation connecting to the ASA; instead it sends 0.0.0.0. I know this because I opened a TAC case with Cisco about two years ago on this. I think the issue was fixed in version 7.2.2.x and later.
So to answer your question, it can be easily done.
10-07-2008 08:18 PM
Dear Sushil,
Many thanks for your mail.
My requirement is that I want to see which user logged in and what command he put in my device (router/FW). I want to bring all this information into my syslog server (SolarWinds). Logging at notice level can provide this information.
Now the problem I face: when I do not use AAA configuration and administer it without AAA, then the username is shown on every line of the syslog message along with what command he placed on the device. But when I am using AAA, the user logon and the command he is placing come on separate lines. As there are lots of syslog messages, it is very difficult to identify which user placed which command, as these are on separate lines.
I understand that from AAA I can easily identify who and what. But I want to see it in the syslog and within the same line. For example:
[6318: * User:Adnan logged command:no shutdown]
Any suggestion?
Regards
Adnan.
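The two things this thread asks for, picking the login/logout and command-execution messages out of a syslog feed (the IDs Sushil lists above) and attributing each command to the user session it fell into (what Adnan wants on one line), can be done on the collector side. The script below is an added example, not code from the thread or from Cisco or SolarWinds. It assumes the timestamp/hostname prefix a typical syslog daemon writes, uses message IDs 111008 and 611103 from the thread, and additionally assumes 611101 (user authentication succeeded) for the login event; the sample log lines are constructed. It also flags commands run as the local enable_15 identity, which, as Sushil points out, indicates an admin who bypassed AAA.

```python
import re
from collections import defaultdict

# Constructed sample log, not captured from a real device. The timestamp/host
# prefix is what `logging timestamp` plus a typical syslog daemon produces.
# Message IDs 111008 (command executed) and 611103 (logout) are the ones named
# in the thread; 611101 (user authentication succeeded) is assumed from the
# ASA syslog message reference and is not mentioned on the page.
SAMPLE_LOG = """\
Oct 07 2008 15:40:01 fw01 %ASA-6-611101: User authentication succeeded: Uname: adnan
Oct 07 2008 15:41:12 fw01 %ASA-5-111008: User 'adnan' executed the 'logging host inside 10.0.0.5' command.
Oct 07 2008 15:41:30 fw01 %ASA-5-111008: User 'enable_15' executed the 'no logging timestamp' command.
Oct 07 2008 15:42:02 fw01 %ASA-5-111008: User 'adnan' executed the 'logging trap debugging' command.
Oct 07 2008 15:43:00 fw01 %ASA-5-611103: User logged out: Uname: adnan
this line is not an ASA syslog message and is skipped
"""

# 'enable_15' is the built-in privilege-15 identity the ASA reports when an
# admin authenticated with the local enable password rather than through AAA.
LOCAL_ENABLE_USER = "enable_15"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
CMD_RE = re.compile(r"^User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.$")
UNAME_RE = re.compile(r"Uname: (?P<user>\S+)")


def parse_line(line):
    """Return an event dict for a recognised ASA audit message, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msgid, body = m.group("msgid"), m.group("body")
    event = {"ts": m.group("ts"), "host": m.group("host"), "msgid": msgid}
    if msgid == "111008":
        c = CMD_RE.match(body)
        if not c:
            return None
        event.update(kind="command", user=c.group("user"), detail=c.group("cmd"))
    elif msgid in ("611101", "611103"):
        u = UNAME_RE.search(body)
        if not u:
            return None
        event.update(kind="login" if msgid == "611101" else "logout",
                     user=u.group("user"), detail="")
    else:
        return None  # other message IDs are not part of the admin audit trail
    return event


def build_audit(text):
    """Parse every line of a syslog dump into a list of audit events, in order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def commands_by_user(events):
    """Group executed commands per username, in log order."""
    out = defaultdict(list)
    for e in events:
        if e["kind"] == "command":
            out[e["user"]].append(e["detail"])
    return dict(out)


def local_account_commands(events):
    """Commands run under the local enable identity, i.e. sessions that bypassed AAA."""
    return [(e["ts"], e["detail"]) for e in events
            if e["kind"] == "command" and e["user"] == LOCAL_ENABLE_USER]


def sessions(events):
    """Attach each command to the AAA session (login .. logout) it fell into."""
    open_sessions, closed = {}, []
    for e in events:
        if e["kind"] == "login":
            open_sessions[e["user"]] = {"user": e["user"], "login": e["ts"],
                                        "logout": None, "commands": []}
        elif e["kind"] == "command" and e["user"] in open_sessions:
            open_sessions[e["user"]]["commands"].append(e["detail"])
        elif e["kind"] == "logout" and e["user"] in open_sessions:
            s = open_sessions.pop(e["user"])
            s["logout"] = e["ts"]
            closed.append(s)
    # sessions still open at the end of the dump are returned with logout=None
    return closed + list(open_sessions.values())


if __name__ == "__main__":
    evts = build_audit(SAMPLE_LOG)
    for s in sessions(evts):
        print(f"{s['user']}: {s['login']} -> {s['logout']} ran {s['commands']}")
    for ts, cmd in local_account_commands(evts):
        print(f"non-AAA admin action at {ts}: {cmd}")
```

Run against a file exported from the syslog server, this gives one line per session with the user, the login/logout times and every command in between, which is the "same line" view asked for above. The enable_15 report is the check to keep an eye on: any command there was run by someone who got in with the local enable password, so the AAA coverage for SSH, Telnet, HTTP and serial access should be reviewed as Sushil suggests.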
10-08-2008 03:21 AM
You can do this on a router, provided that you are running IOS version 12.4 or higher:
login block-for 60 attempts 3 within 60
login on-failure log every 3
log config
logging enable
notify syslog
Easy right?