Arguments using Wild-Card in Shell command authorization

Does the shell command authorization set allow the use of wildcards?

For example, in a shell command authorization set, what can I put as the arguments if I want to allow the command show interface fastethernet 0/1-24 to run?

And also, what should I put in as the argument for an IP address if I want to allow "ping x.x.x.x"?

Thanks in advance.

Hello

Two wildcard characters are used in shell command authorization: the first is the '^' sign, which designates that anything that comes after it is accepted, and the second is '$', which means anything that comes before. In your case, you can use

Interface FastEthernet 0 1 ^

and

Ping ^.

These commands allow access to each FastEthernet interface and ping to an IP address.


Similar Questions

  • Problem with shell command authorization

    I came across this issue with ACS 3.1 and ACS 3.2.

    A shell command authorization set is created under Shared Profile Components with the following settings:

    Unmatched Commands: Deny

    Permit Unmatched Args: UNCHECKED

    The command permitted is 'show' with the args "permit ver", "permit interface" and "permit run".

    This authorization set is then applied to the group, under the option "Assign a Shell Command Authorization Set for any network device".

    This group's enable option is set to 'Max Privilege for any AAA Client', level 15.

    This configuration is then tested against two IOS switches, with aaa commands as follows:

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ local

    The problem I have is that when a user who is part of this group connects, he can issue commands such as show ver, show run and show int just as I would expect. Any command that does not begin with show... is denied. However, some other show commands that do not appear in the arguments will work, while some don't. For example, "show arp" and "vlan" worked, while "show accounting" and "buffer" do not. What am I missing?

    Commands that work without being explicitly set are of a privilege level lower than 15... for example, "show arp" is a priv-1 command, so it is executable without command authorization, as you do not have command authorization for priv-1.

    Router>sh priv

    Current privilege level is 1

    Router>

    Router>

    Router>show arp

    Protocol  Address    Age (min)  Hardware Addr   Type  Interface

    Internet  10.1.5.2   24         0000.abcd.abcd  ARPA  Ethernet0/0

    Internet  10.1.5.3   -          0003.abcd.abcd  ARPA  Ethernet0/0

    Router>

    Router>

  • Shell command authorization

    Hi all

    I'm having a problem with shell command authorization. I have a user that I just want to be able to display the configuration of the device; it is for auto-archiving the config on an hourly basis.

    I have configured the device with the following aaa commands:

    aaa new-model

    aaa group server tacacs+ ACS

    aaa authentication login default group ACS

    aaa authentication login NOAUTH none

    aaa authorization config-commands

    aaa authorization exec default group tacacs+ group ACS

    aaa authorization exec NOAUTH none

    aaa authorization commands 15 default group ACS

    aaa authorization commands 15 NOAUTH none

    AAA accounting command 15 arrhythmic default group ACS

    The static account I have set up logs in OK and can show config etc. Access to conf t is disabled, which is good, but for some reason it can run any show command rather than just those that I allowed in the shell command authorization set.

    Unmatched Commands is set to Deny and Permit Unmatched Args is not checked.

    ACS is 3.3 2 and the switch I tested is running 12.1(9)EA1

    Any ideas?

    Most 'show' commands are level 1 commands. You can check this by logging in as a normal user, issuing a "sho priv" to make sure that you are at level 1, and then typing "sho ip route", "sho ver", etc.; you will see that all work fine.

    Your AAA commands tell the switch to authorize only level 15 commands, so when you do a "sho ver" or similar, this command will not be sent off to the ACS server for authorization.

    If you add the following:

    aaa authorization commands 1 default group ACS

    then that should fix what you have, but be careful because it is easy to lock yourself out of enable mode (add 'enable' to your command set too).

    You should also have noticed that all those 'show' commands were not being accounted for either, because you have also enabled accounting only for level 15 commands.

  • How to activate 'Shell Command Authorization Sets'

    Hello

    I use AAA with TACACS+ to check the user against MS Active Directory.

    I set up a new "Shell Command Authorization Set"; see the attachment for more details.

    But it does not work. So, I just want to check whether the use of a command works or not.

    As you can see in the attached file, I tried something with the command 'show'.

    But if I connect I am still able to use "show aaa servers", for example, even though in the 'show' command box I put the argument "deny aaa".

    Why doesn't this work?

    Thanks for the help

    BB

    BB,

    Not sure why you want to do it this way. The trick here is to give all users priv 15 and then set up the command authorization set, defined according to your need.

    Giving priv 15 does not mean that the user will be able to run all the commands. You can set up a command authorization set and permit only the specific commands that you want the user to be able to run.

    So pls rate this help

    Kind regards

    ~ JG

  • Help ACS shell command authorization

    Hello

    I wanted to only allow users to use the interface command. But when I permitted configure terminal in the ACS shell command set, all commands are allowed. How can I limit users to having permission only for the interface command?

    Thank you

    Two things may be wrong

    (1) you do not have the following command on your AAA client:

    aaa authorization config-commands

    (2) you have clicked the 'Unmatched Commands' = Permit radio option in ACS; take a look at:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    Regards

    Farrukh

  • Use applescript for Python Shell command

    Is there a way I can make AppleScript view the output of the Python script and also accept input so that it can pass it to the Python script? My script contains several inputs, so is it possible to do? For more than one input and output every time?

    You can certainly create AppleScript handlers (functions) that use Python HERE documents, with AppleScript variables passed into Python as command-line arguments, or returned to AppleScript. AppleScript's display capability is limited, but that does not preclude coding a Cocoa or Tcl GUI for most of the display formatting in the Python code.

    You can also write a Python application that can invoke AppleScript, pass values on the command line, and return values from AppleScript to Python. This can be done through a subprocess or directly through NSAppleScript.

    Here's an AppleScript that uses a Python handler to peek into a .docx Word document and display the names of fonts used in it. Only .docx, not .doc. Note the escaping of the double quotes and backslashes in the Python script to appease AppleScript.

    -- wordfonts.applescript
    -- display fonts (read-only) in the Word (.docx only) document in the menu drop-down
    -- VikingOSX, 01/2016, Apple Support Communities
    -- Version 1.2, additional list comprehension to Python print statement, other tweaks.

    property docx : {"org.openxmlformats.wordprocessingml.document"}
    property mydefault : ((path to documents folder) as text) as alias

    try
        set docxfile to POSIX path of (choose file of type docx default location mydefault without invisibles)
        if result = {button returned:"Cancel"} then error number -128 -- cancelled by the user
        tell application "System Events" to set docxname to name of (POSIX file docxfile as alias)
        display dialog "Document: " & docxfile & return & return & (items of my docxfonts(quoted form of docxfile)) as text with title "Word Document Fonts" giving up after 20
    on error errmsg number errnbr
        my error_handler(errnbr, errmsg)
    end try
    return

    on docxfonts(thefile)
        -- the Python code is passed to the interpreter as a HERE document;
        -- the document path arrives in Python as sys.argv[1]
        return do shell script "python <<'EOF' - " & thefile & "
    import zipfile
    import re
    import os
    import sys

    fonts = []
    thedocx = os.path.expanduser(sys.argv[1])
    if not thedocx.endswith('.docx'):
        raise Exception('not a valid docx Word document')
    if zipfile.is_zipfile(thedocx):
        with zipfile.ZipFile(thedocx, 'r') as docxzip:
            xmldata = docxzip.read('word/fontTable.xml')
        fonts = re.findall(r'(?<=w:name=)\"([ \\w+]+)\">', xmldata)
    print(\"{}\".format('\\n'.join([x for x in sorted(fonts) if fonts])))
    EOF"
    end docxfonts

    on error_handler(nbr, msg)
        return display alert "[ " & nbr & " ] " & msg as critical giving up after 10
    end error_handler

    Python script that illustrates passing an argument to an AppleScript that runs as a subprocess.

    #!/usr/bin/env python
    # coding: utf-8
    # dx.py: illustrates passing a Python variable into a function that
    # contains a string variable (ascript) which is the AppleScript
    # code that osascript runs in the sub-process. The value of allow
    # follows the scriptname as ARGV 1, which is picked up by the
    # argv clause of AppleScript.
    # Usage: ./dx.py
    # VikingOSX, 12/2015, Apple Support Communities
    # v1.2

    import subprocess
    import atexit
    import sys

    MSG = 'the value of x is 10'
    procs = []


    def send_dialog(allow):
        ascript = '''
        on run argv
            set userCanceled to false
            if (count of argv) = 0 then
                tell application "System Events" to display dialog "argv is 0" ¬
                    giving up after 10
            else
                set msg to (item 1 of argv) as text
            end if
            try
                tell application "System Events" to display dialog msg ¬
                    with title "Application Communication" giving up after 10
            on error number -128
                set userCanceled to true
            end try
            if userCanceled then return "Cancel"
            return
        end run
        '''
        try:
            proc = subprocess.check_output(['osascript', '-e', ascript, allow])
            if "Cancel" in proc.decode('utf-8'):  # the user pressed the Cancel button
                sys.exit("User Canceled")
        except subprocess.CalledProcessError as e:
            print('Python error: [%d]\n%s\n' % (e.returncode, e.output))


    @atexit.register  # decorator to clean up any stray sub-process
    def kill_subprocesses():
        for proc in procs:
            proc.kill()


    def main():
        send_dialog(MSG)


    if __name__ == "__main__":
        sys.exit(main())

  • ACS - configure shell command authorization to work under configuration mode (conf t)

    Hello world

    I'm trying to set up a shell command set where all commands (including conf t mode) will be allowed, with the exception of administrative commands, such as write, copy, admin, format etc.

    It worked for the commands in privileged mode (such as write and copy), but not for commands in conf t mode. It is important to prevent users from performing the "write" and "copy run start" commands, for example.

    Here is the entry in the shell command authorization set (Partial_access):

    Unmatched Commands: Permit

    List of commands:

    admin

    copy

    delete

    do

    format

    write

    (Relevant) group settings:

    V - Shell (exec)

    V - Privilege level - 15

    Shell Command Authorization Set

    Assign a Shell Command Authorization Set for any network device - Partial_access (group name)

    I use CiscoSecure ACS version 4.2(0)

    Thank you

    Lior

    Hi Lior,

    Please make sure you have entered the following command on the AAA client:

    aaa authorization config-commands

    Please post your AAA client configuration via "sh run | i aaa" and, if possible, your privilege configuration.

    HTH

  • PIX command authorization set

    Hi all

    Can someone please tell me the use of the ACS PIX command authorization set? I understand the use of a shell command authorization set.

    I'm sorry if the question is too dumb. I am completely new to this area.

    Thanks in advance.

    Regards

    Kirti.

    The PIX command authorization set was designed to set up command authorization with PIX/FWSM, as the PIX shell did not differ for IOS, but as of the current code, PIX/FWSM seems to work correctly with the shell command authorization sets.

    So no one is really interested in using PIX shell any more; moreover, looking at new PIX code, it seems that the developers are making the PIX shell more like the IOS shell, so even if they drop PIX command sets in the next version of ACS I will not be surprised.

    ~ Rohit

  • The AAA command authorization

    I have an ACS 4.0 device. In the shell command authorization set section, you can define permitted or denied commands (show) and arguments (running-config). I'm limiting users to a set of specific commands. One of the commands is "exit". To my knowledge, "exit" has no arguments. If I add "exit" as a permitted command but put nothing in the argument section, I get authorization failed on the router. If I select "Permit Unmatched Args" (for exit), the authorization is successful. I would prefer not to select "Permit Unmatched Args". Is there an argument for "exit" I'm not aware of?

    Hello

    Try this,

    exit - permit <cr>

    <cr> represents the return key.

    Kind regards

    Prem

  • Command authorization Config 3.3 ACS

    Hello

    I want to allow a user only to add/remove routes on a router. The shell command authorization works very well. But when the user is in configuration mode, he can run any command!

    The debug says:

    1w2d: AAA/AUTHOR: authorization config command not enabled

    How can I activate this and how/where can I set it up in the ACS?

    Thanks in advance

    In ACS, just allow the user to enter the 'route' command as you would any other shell command that they are authorized to run.

    On the router/NAS, you must specifically tell it that you want authorization for config commands with the following:

    aaa authorization config-commands

    Note that the format of this command changes slightly on different versions of IOS, but if you do "aaa authorization ?", you will be able to figure it out.

  • Specific shell command authorization - ACS / TACACS+ on 2900XL

    Hello all-

    I am struggling with a particular issue here. I am running ACS 3.2 and trying to implement secure access to my switches. I have 'students' at my university that I want to let run specific functions, i.e. change the vlan of a port, write to memory, etc.

    I successfully created the authorization piece, and my test account can connect. I have also successfully assigned a privilege level of 7, which gives me what looks like the default base rights. Accounting works too, showing connections and the commands I enter.

    What I want to do is use ACS to permit a particular group of commands, so I can change them if needed in one place (ACS) and not touch 400+ devices. ACS says it can be done, but it doesn't seem to work. I created a shell command authorization set and specified commands, no luck. Even if I change the 'Unmatched Commands' toggle to 'Permit' (which should allow all commands, right?) it still does not allow all commands. I added the shell command authorization set to the group of which the students are members...

    My AAA commands are as follows:

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 7 default group tacacs+

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 7 default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    aaa accounting system default start-stop group tacacs+

    Any ideas? Any thoughts?

    Thank you!

    Michael

    QU.edu

    Michael,

    You are performing command authorization for commands that exist at privilege level 7. By default, the configuration commands have a privilege level of 15. There are two ways you can go about solving this problem. The first would be to set up authorization for level 15 commands. The second would be to change the privilege level of the commands that you want your students to be able to run from level 15 to level 7. This can be done with the privilege command. Here is a link that shows the use of the technique locally within the device. http://www.Cisco.com/warp/public/480/Priv.html

    I don't know if the ACS can push the configuration of the device on a per user basis, so the first option may be your best bet. Be sure to allow access to all controls for yourself.

    Steve

  • Search in Vista using a wild card (asterisk or question mark + dot + suffix)

    How to search in Vista using a wild card (asterisk or question mark + dot + suffix)?  I tried, but does not get results, I always could in Windows XP and earlier versions.

    Hello

    You can use * and ? in the Search box in the Start menu.

    Tips for finding files
    http://Windows.Microsoft.com/en-us/Windows-Vista/tips-for-finding-files

    How to use advanced search in Vista Options
    http://www.Vistax64.com/tutorials/75451-advanced-search.html

    How to restore the page button on the Start Menu after installing Vista SP1
    http://www.Vistax64.com/tutorials/145787-Search-start-menu-button-restore-after-SP1.html

    How to restore the context Menu item search after installing Vista SP1
    http://www.Vistax64.com/tutorials/134065-search-context-menu-item-restore-after-Vista-SP1.html

    How to create a shortcut on the desktop search in Vista
    http://www.Vistax64.com/tutorials/126499-search-desktop-shortcut.html

    ----------------------------------------------------------

    Win Key F opens advanced search

    Searching in Windows Vista, part 1
    http://Windows.Microsoft.com/en-us/Windows-Vista/searching-in-Windows-Vista-part-1-secrets-of-the-search-box

    Part 2
    http://Windows.Microsoft.com/en-us/Windows-Vista/searching-in-Windows-Vista-part-2-Start-menu-and-control-panel-search-tips

    Part 3
    http://Windows.Microsoft.com/en-us/Windows-Vista/searching-in-Windows-Vista-part-3-using-advanced-search-for-those-hard-to-find-files

    I hope this helps.

    Rob Brown - MS MVP - Windows Desktop Experience: Bike - Mark Twain said it right.

  • How can I use Cisco ACS to save Shell commands

    Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router. I get the accounting and authentication logs but no log that shows the shell commands issued by users, and it's the most important log that I need. I read materials and downloaded articles on the Cisco site... but the thing still does not give me the logs.

    I have these lines on my router:

    ...

    aaa authorization config-commands

    aaa authorization exec default group tacacs+

    aaa authorization commands 15 default if-authenticated

    aaa authorization network default group tacacs+

    ...

    It's funny, when I turn on debugging of AAA authorization on the router, it shows me every command being sent by the user in the debug log. But nothing shows under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?

    *****************************************************

    I installed the 90-day trial version of Cisco ACS and made all the necessary settings, and I have to say I like what I see already. I'm making moves to recommend the product for purchase. Thank you guys, I learned about the features of this ACS software through this forum, keep up the good work. I recommend the software to those who need management reports tailored to security audit logs.

    If I understand what you're asking correctly, the answer is not in authorization; it is in accounting. I set this up on my routers to send to ACS the commands that privilege level 15 users enter on the router.

    aaa accounting commands 15 default start-stop group tacacs+
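The answers in the Cisco threads above keep returning to the same device-side gaps: command authorization configured for one privilege level only, no `aaa authorization config-commands`, and no command accounting for a level. The Python script below is an added example, not code from any of the posts or from Cisco; its function names, finding codes and sample configuration are constructed for illustration. It reads only the `default` method list and reports only what is literally present in the text, so defaults that differ between IOS versions are not modelled.

```python
import re

# Constructed sample modelled on the device configs quoted in the threads:
# command authorization for level 15 only, no command accounting.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
"""

# aaa {authorization|accounting} commands <level> <list-name> <methods...>
CMD_LINE = re.compile(
    r"^aaa\s+(authorization|accounting)\s+commands\s+(\d+)\s+(\S+)\s+(.+)$", re.I)
CONFIG_CMDS = re.compile(r"^aaa\s+authorization\s+config-commands\b", re.I)
# Methods that let a command through without consulting a command set.
PERMIT_ANY = {"none", "if-authenticated"}


def parse_aaa(config):
    """Collect default-list command authorization/accounting methods per level."""
    state = {"authorization": {}, "accounting": {}, "config_commands": False}
    for raw in config.splitlines():
        line = raw.strip()
        if CONFIG_CMDS.match(line):  # a leading "no" does not match
            state["config_commands"] = True
            continue
        m = CMD_LINE.match(line)
        if m and m.group(3).lower() == "default":
            state[m.group(1).lower()][int(m.group(2))] = m.group(4).lower().split()
    return state


def audit(config, levels=(1, 15)):
    """Return (code, level) findings for the gaps described in the threads."""
    state = parse_aaa(config)
    findings = []
    for level in levels:
        methods = state["authorization"].get(level)
        if methods is None:
            # Commands at this level are never sent to the AAA server.
            findings.append(("NO_AUTHZ", level))
        else:
            if "group" not in methods:
                findings.append(("NO_SERVER", level))   # no server group consulted
            if PERMIT_ANY & set(methods):
                findings.append(("PERMIT_ANY", level))  # method can permit everything
        if level not in state["accounting"]:
            findings.append(("NO_ACCT", level))         # commands not logged to server
    if state["authorization"] and not state["config_commands"]:
        # Commands typed in configuration mode are not authorized individually.
        findings.append(("NO_CONFIG_CMDS", None))
    return findings


if __name__ == "__main__":
    for code, level in audit(SAMPLE_CONFIG):
        print(code, "" if level is None else f"level {level}")
```

Pass `levels=(1, 7, 15)` or similar when commands have been moved to a custom privilege level, as in the level 7 thread above.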

  • Search for wild-card using %

    I have a question about wild-card searches. I currently have a behind the scenes as to search for a string within a string...

    However, if the user wants to put in a wild card like '% report % AP... I would like to go back to all those who start with AP and relate to them - is - it possible using APEX? I currently do not receive all the records as the % is considered literally. As our users are used for Oracle, we will have users who will be key in a % when searching and we need it works!

    Can someone help me with this please?

    Thank you!
    Robet

    Ahh, one of us was on a red herring, sorry.

    Not accustomed to see double quotes, don't think that they are identifiers case-insensitive to column do not.

    Your original code

    instr(upper("REPORT_DESC"),upper(nvl(:P11_REPORT_SEARCH,"REPORT_DESC"))) > 0 
    

    Is the same as

    upper(report_desc) like '%'||UPPER(:P11_REPORT_SEARCH)||'%'
    

    Then you may as well write it like this, and then the wildcards will be interpreted as such.

    Scott

  • App, opening a file via windows shell commands: "a device attached to the system does not work.

    Hello!

    I hope that someone here will be able to throw some lights on my question, if I post this is the wrong place please let me know because I was directed here (which forum? ). OK, I support and develop custom applications. An older application especially written in Delphi allows users to attached documents (pdf, jpg, txt, etc.) to the records of equipment in a data base. Later users can view these records of equipment and press a button to display the document.

    When the user presses the button to view the document, the application uses the folder variable to save the document to the temporary path and then asks Windows via a shell command to open the file. The Delphi call to Windows used is the following:

    ShellExecute(GetDesktopWindow, 'open', PChar(TempFile), '', '', SW_SHOWNORMAL);

    Normally this process works very well, and we have had no problems so far. On a single computer (Windows XP Pro with Service Pack 3) belonging to a client, instead of opening the file, Windows returns system error 31 and the message "A device attached to the system is not functioning." is displayed.

    * If I navigate to the location where the file is stored on the disk and try to open it, software adobe reader opens the file correctly.

    * I found some suggestions that the file extension is associated properly. PDF associated with Notepad, I changed, and the application could ask windows to open the file very well. Open the file from the location on the work of disc as well. Change the file for adobe and the problem persisted.

    * I reinstalled adobe reader software, but also a previous version of adobe and the problem persisted.

    * The application doesn't have any problem asking other files opened, only those associated with adobe reader on this same machine. The problem does not exist on other machines.

    That about sums up the problem. Any suggestion would be appreciated.

    Thank you

    Louis

    It was determined that the version of adobe reader was at fault.
