First of all, thank you for your answer.
Quoting your questions real quick:
>> First, I am not sure why you are not doing what you want by either AAA server / Role Based Access Control (RBAC).
Because I do not control the AAA servers.
>> But that's fine, if you insist on doing that with EEM, I could give you some information. But I did not try it, not 100% sure if it works.
I followed your logic and I think it might work.... however I have put it to test and found the following.
1. To be able to execute any CLI command, I have to add an enable action first, otherwise it fails.
So this doesn't work:
action 010 cli command "show users | in ^\*"
while this does:
action 09 cli command "enable"
action 10 cli command "show users"
Sorry if I am missing some obvious point here -- I think I am -- because it shouldn't be necessary to enable before executing a simple "show users" command, but it fails otherwise.
Without enabling first, this is the result I get:
show users
           ^
% Invalid input detected at '^' marker.
2. When the script runs it's not my user I see, but an EEM one! Take a look:
Running the script like this:
event manager applet teste
 event cli pattern "clear logging" sync yes occurs 1
 action 09 cli command "enable"
 action 10 cli command "show users"
 action 11 puts $_cli_result
I get this output:
    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 00:00:01 18.104.22.168
   3 vty 1     tvt01739   idle                 00:00:00 22.214.171.124
   4 vty 2     rtadmin    idle                 00:32:53 126.96.36.199
*  5 vty 3                idle                 00:00:00 EEM:teste

  Interface    User               Mode         Idle     Peer Address
I am certainly doing something wrong here, I appreciate any insight about this, because your regexp seems fine and it should work if it found the correct user.
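Added example, not part of either post: a small Python parser for the "show users" output quoted in the reply above, fed those same lines as constructed sample input (the addresses are the anonymized ones shown there). It makes the reply's second point concrete: the "*" column marks the session that is executing "show users", which inside the applet is EEM's own "EEM:teste" session, so matching "^\*" never yields the person who typed the command, and the remaining human sessions are an ambiguous set. The names parse_show_users, Session and human_candidates are my own, not an EEM or IOS API.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "show users" output reported in the reply,
# as seen from inside the applet (the '*' row is EEM's own session).
SHOW_USERS_OUTPUT = """\
    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 00:00:01 18.104.22.168
   3 vty 1     tvt01739   idle                 00:00:00 22.214.171.124
   4 vty 2     rtadmin    idle                 00:32:53 126.96.36.199
*  5 vty 3                idle                 00:00:00 EEM:teste

  Interface    User               Mode         Idle     Peer Address
"""

# One session row: optional leading '*', tty number, line name, optional
# user, host, idle timer, location. The user column is optional because a
# session without a login (vty 0 above) leaves it blank.
_SESSION_RE = re.compile(
    r"^(?P<active>\*)?\s*(?P<tty>\d+)\s+(?P<line>(?:con|aux|vty)\s+\d+)\s+"
    r"(?:(?P<user>\S+)\s+)?(?P<host>\S+)\s+(?P<idle>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<location>\S+)\s*$"
)


@dataclass
class Session:
    tty: int
    line: str
    user: Optional[str]
    idle: str
    location: str
    active: bool  # the '*' column: the session running this 'show users'


def parse_show_users(text: str) -> List[Session]:
    """Parse the line section of 'show users' into Session records."""
    sessions = []
    for raw in text.splitlines():
        m = _SESSION_RE.match(raw)
        if not m:
            continue  # column headers, blank lines, interface section
        sessions.append(Session(
            tty=int(m["tty"]),
            line=m["line"],
            user=m["user"],
            idle=m["idle"],
            location=m["location"],
            active=m["active"] == "*",
        ))
    return sessions


def active_session(sessions: List[Session]) -> Optional[Session]:
    """The row marked '*': whoever is executing the command."""
    return next((s for s in sessions if s.active), None)


def is_eem_session(session: Session) -> bool:
    """EEM's own CLI session shows up with an 'EEM:<applet>' location."""
    return session.location.startswith("EEM:")


def human_candidates(sessions: List[Session]) -> List[Session]:
    """Logged-in sessions other than EEM's own. 'show users' by itself
    cannot tell which of these typed the command that fired the applet."""
    return [s for s in sessions if s.user and not is_eem_session(s)]


if __name__ == "__main__":
    rows = parse_show_users(SHOW_USERS_OUTPUT)
    me = active_session(rows)
    print("active session:", me.line, me.user, me.location)
    print("possible humans:", [s.user for s in human_candidates(rows)])
```

Running it prints the active session as vty 3 with no user and location EEM:teste, and two equally plausible human logins (tvt01739 and rtadmin); that is exactly the ambiguity the reply ran into, and why the triggering username has to come from somewhere other than the applet's own "show users".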
I need to prevent certain actions from being executed on my routers. The router administration is shared among dozens of privilege 15 (AAA) users.
So I need to prevent them for example:
- From messing with the logging options
- From clearing the logs or the archive log
I found a simple way to do that with EEM applets like these:
event manager applet DISABLE_LOGGING_SYSTEM_CHANGE
 ! grouped alternation; the bracketed form [on|console|monitor|buffered] is a character class
 event cli pattern "logging (on|console|monitor|buffered)" sync no skip yes
event manager applet DISABLE_CLEAR_LOGGING
 event cli pattern "clear logging" sync no skip yes
event manager applet DISABLE_CLEAR_ARCHIVE
 event cli pattern "clear archive log config.*" sync no skip yes
event manager applet DISABLE_ARCHIVE_REMOVAL
 event cli pattern "no archive" sync no skip yes
They work just fine, however I would like to prevent other admins from messing with the applets themselves as well.
How good is an App when someone could simply run:
# conf t
no event manager applet X
To remove my App?
I thought of something like this:
event manager applet LOGGING_SYSTEM_ALWAYS_ON
 event cli pattern "no event manager applet (DISABLE_|LOGGING_).*" sync no skip yes
!
Which works and indeed prevents others from removing the applets, but not from messing with the applets' code.
What I really would like to do is:
event manager applet LOGGING_SYSTEM_ALWAYS_ON
 event cli pattern "event manager applet (DISABLE_|LOGGING_).*" sync no skip yes
This way, as I understand, there would be NO WAY of someone messing or disabling the App. Not even myself, which is not what I intend.
Is there a way to restrict a command to all users except some known admins?
I thought of something along those lines:
event manager applet NO_CLEAR_ARCHIVE
 event cli pattern "clear archive log.*" sync yes occurs 1
 if _some_username_variable == userX or userY
  ! Command will be executed normally.
  action 1 set _exit_status "1"
 else
  action 10 syslog facility "SUPERUSER" msg "Unauthorized, event will be reported"
  action 99 set _exit_status "0"
Of course, the items in red (the if/else lines and the username variable) are pseudocode.
So, is there a way to get the username running or triggering the applet?
- Is there an environment variable for this?
- Can we parse the output from the cli ("from the who command for example") and match it in a simple way?
Any help will be greatly appreciated.
Thanks in advance for your time.
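Added check, not from either post: the deny applets above hinge on what "event cli pattern" actually matches, and the two spellings of the pattern behave very differently. Square brackets, as in "logging [on|console|monitor|buffered]", are a character class that matches one single character drawn from the set, so the rule fires on "logging trap" (t is in the set) and is silent on "logging host" (h is not); parentheses give the intended alternation. The script below runs both spellings over a constructed list of commands and reports the drift, assuming the CLI event detector applies the pattern as an unanchored regex search the way Python's re.search does here; the command lists and the function names are mine.

```python
import re

# Constructed sample commands (not from the page) an admin might type.
LOGGING_COMMANDS = [
    "logging on",
    "no logging console",
    "logging buffered 64000",
    "logging monitor informational",
    "logging trap debugging",
    "logging host 192.0.2.10",
    "logging source-interface Loopback0",
    "show logging",
]

APPLET_COMMANDS = [
    "no event manager applet DISABLE_CLEAR_LOGGING",
    "no event manager applet LOGGING_SYSTEM_ALWAYS_ON",
    "no event manager applet Backup",
    "no event manager applet teste",
]

# Bracketed spelling: a character class, i.e. ONE character out of
# {o,n,|,c,s,l,e,m,i,t,r,b,u,f,d}. Grouped spelling: real alternation.
LOGGING_CLASS = r"logging [on|console|monitor|buffered]"
LOGGING_GROUP = r"logging (on|console|monitor|buffered)"
APPLET_CLASS = r"no event manager applet [DISABLE_|LOGGING_].*"
APPLET_GROUP = r"no event manager applet (DISABLE_|LOGGING_).*"


def matched_commands(pattern: str, commands):
    """Commands an unanchored regex search would trigger on (assumed to
    mirror how 'event cli pattern' is applied to the typed command)."""
    rx = re.compile(pattern)
    return [c for c in commands if rx.search(c)]


def pattern_drift(class_pattern: str, group_pattern: str, commands):
    """Return (over_blocked, missed): commands caught only by the character
    class spelling, and commands caught only by the intended alternation."""
    by_class = set(matched_commands(class_pattern, commands))
    by_group = set(matched_commands(group_pattern, commands))
    return sorted(by_class - by_group), sorted(by_group - by_class)


if __name__ == "__main__":
    for name, cls, grp, cmds in (
        ("logging", LOGGING_CLASS, LOGGING_GROUP, LOGGING_COMMANDS),
        ("applet", APPLET_CLASS, APPLET_GROUP, APPLET_COMMANDS),
    ):
        extra, missing = pattern_drift(cls, grp, cmds)
        print(f"{name}: blocked only by the character class: {extra}")
        print(f"{name}: blocked only by the alternation:     {missing}")
```

With these inputs the character-class spelling additionally blocks "logging trap debugging" and "logging source-interface Loopback0", and the applet-name variant also blocks an unrelated applet whose name happens to start with a letter from the set ("no event manager applet Backup"), while neither spelling catches "logging host". Worth checking any deny rule this way before trusting it, since the regex decides what privilege-15 users can and cannot do.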