Administrative Roles
Junos OS enables you to define system users who act as specific kinds of administrators of the system. You assign an administrative role to a user by configuring a login class with an administrative role attribute. You can assign one of the role attributes (audit officer, crypto officer, security officer, or IDS officer) to an administrative user.
How to Design Administrative Roles
A system user can be a member of a class that allows the user to act as a specific kind of administrator of the system. Requiring a specific role to view or modify an item limits the range of information a user can obtain from the system. It also limits how much of the system is open to modification or observation by that user. You, the system administrator, should follow these guidelines when designing administrative roles:
Do not allow any user to log in to the system as root. Restrict each user to the minimum set of privileges required to perform the user's duties.
Do not allow any user to belong to a login class that includes the shell permission flag. The shell permission flag allows a user to run the start shell command from the CLI. Do allow users to have the rollback permission. The rollback permission allows a user to undo operations performed by an administrator, but does not allow the user to commit changes.
You assign an administrative role to a user by configuring a login class with the privileges required for that role. Each class can be configured to allow or deny access to configuration statements and commands by name. These restrictions override, and sit on top of, any permission flags also configured in the class. You can assign one of the following role attributes to an administrative user:
Crypto-administrator - Allows the user to configure and monitor encryption data.
Security-administrator - Allows the user to configure and monitor security data.
Audit-administrator - Allows the user to configure and monitor audit data.
IDS-administrator - Allows the user to monitor and clear intrusion detection service (IDS) security logs.
Each role can perform the following specific administrative functions:
Cryptographic Administrator
  Configure cryptographic self-tests.
  Modify cryptographic security data parameters.
Audit Administrator
  Configure and delete the audit review search and sort functions.
  Search and sort audit records.
  Configure search and sort parameters.
  Manually delete audit logs.
Security Administrator
  Invoke, determine, and modify cryptographic self-test behavior.
  Enable, disable, determine, and modify the audit analysis and audit selection functions, and configure the device to delete audit logs automatically.
  Enable or disable security alarms.
  Specify quota limits for transport-layer connections.
  Specify quota limits, network identifiers, and time periods for controlled connection-oriented resources.
  Specify the network addresses that are permitted to use Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP).
  Configure the time and date used in timestamps.
  Query, modify, delete, and create information flow or access control rules and attributes for the unauthenticated information flow security function policy (SFP), the authenticated information flow SFP, unauthenticated device services, and the discretionary access control policy.
  Specify initial values that override the defaults when object information is created under the unauthenticated information flow SFP, the authenticated information flow SFP, unauthenticated target of evaluation (TOE) services, and the discretionary access control policy.
  Create, delete, or modify the rules that control the addresses from which administrative sessions can be established.
  Specify and revoke the security attributes associated with users, subjects, and objects.
  Specify the percentage of audit storage capacity at which the device alerts the administrator.
  Handle authentication failures, and modify the number of failed authentication attempts over SSH or the CLI that are tolerated before progressive throttling of further attempts is enforced and before the connection is dropped.
  Manage the basic network configuration of the device.
IDS Administrator
  Specify IDS security alarms, intrusion alarms, audit selection, and audit data.
The security-role attribute must be set in the classes created for these administrative roles. This attribute restricts which users can display and clear security logs; these operations cannot be restricted through configuration alone.
For example, if you want to restrict clearing and displaying IDS logs to the IDS administrator role, you must set the security-role attribute in the ids-admin class created for the IDS administrator role. Likewise, you must set the security role to one of the other administrator values to restrict a class to clearing and displaying only non-IDS logs.
When a user deletes an existing configuration, the configuration statements under the deleted hierarchy level that the user is not permitted to modify (child objects) remain on the device.
Example: How to Configure Administrative Roles
This example shows how to configure individual administrative roles, each for a distinct and unique set of privileges that none of the other administrative roles share.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
This example shows how to configure four administrator user roles:
audit-officer in the class audit-admin
crypto-officer in the class crypto-admin
security-officer in the class security-admin
ids-officer in the class ids-admin
After the security-admin class is configured, the create-administrator privilege of the user who created the security-admin class is revoked. Creating new users and logins is then at the discretion of the security-officer.
In this example, you create the four administrative user roles shown in the preceding list (audit administrator, crypto administrator, security administrator, and IDS administrator). For each role, you assign the permission flags relevant to that role. You then allow or deny access to configuration statements and commands by name for each administrative role. These specific restrictions take precedence over the permission flags configured in the class. For example, only crypto-admin can run the request system set-encryption-key command, which requires the security permission flag to access it. Only security-admin can include the system time-zone statement in the configuration, which requires the system-control permission flag.
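The precedence rule just described (allow-commands grants a command the class's flags would not, deny-commands blocks one the flags would allow) is easy to get wrong when four classes carry long regular expressions. The following Python model, an added example that is not part of the Juniper page or of Junos itself, evaluates the allow-commands and deny-commands expressions of the four classes in this example against a handful of operational commands and reports which class ends up able to run each one. The REQUIRED_FLAG table is an assumption constructed for the illustration (only the "security" requirement for request system set-encryption-key comes from the text), and the Junos precedence rule for a command that matches both an allow and a deny expression is deliberately not modelled; the model reports that case as a conflict to review instead.

```python
import re

# The four login classes from this example: permission flags plus the
# allow-commands / deny-commands regular expressions copied from the page.
# None means the class does not configure that statement.
CLASSES = {
    "audit-admin": {
        "permissions": {"security", "trace", "maintenance"},
        "allow": r"^clear (log|security log)",
        "deny": (r"^clear (security alarms|system login lockout)|^file (copy|delete|rename)"
                 r"|^request (security|system set-encryption-key)|^rollback|^set date"
                 r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"),
    },
    "crypto-admin": {
        "permissions": {"admin-control", "configure", "maintenance",
                        "security-control", "system-control", "trace"},
        "allow": r"^request system set-encryption-key",
        "deny": (r"^clear (log|security alarms|security log|system login lockout)"
                 r"|^file (copy|delete|rename)|^rollback|^set date"
                 r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"),
    },
    "security-admin": {
        "permissions": {"all"},
        "allow": None,
        "deny": (r"^clear (log|security log)|^(clear|show) security alarms alarm-type idp"
                 r"|^request (security|system set-encryption-key)|^rollback|^start shell"),
    },
    "ids-admin": {
        "permissions": {"configure", "security-control", "trace", "maintenance"},
        "allow": None,
        "deny": (r"^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)"
                 r"|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test"
                 r"|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures"
                 r"|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
                 r"|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback"
                 r"|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"),
    },
}

# ASSUMPTION: a constructed, simplified map from command prefix to the single
# permission flag it needs. Real Junos flag requirements are more detailed; only
# the "security" entry for set-encryption-key is taken from the text above.
REQUIRED_FLAG = {
    "request system set-encryption-key": "security",
    "clear security log": "clear",
    "clear log": "clear",
    "show security policies": "security",
    "rollback": "rollback",
    "start shell": "shell",
    "set date": "maintenance",
}


def flag_permits(permissions, command):
    """Decide by permission flags alone (used only when no regexp matches)."""
    if "all" in permissions:
        return True
    for prefix, flag in REQUIRED_FLAG.items():
        if command.startswith(prefix):
            return flag in permissions
    return False  # unknown command: fail closed in this model


def authorize(class_name, command):
    """Return 'allow', 'deny' or 'conflict' for one class and one command."""
    cls = CLASSES[class_name]
    allowed = bool(cls["allow"]) and re.search(cls["allow"], command) is not None
    denied = bool(cls["deny"]) and re.search(cls["deny"], command) is not None
    if allowed and denied:
        # Both regexps match. Junos applies a precedence rule here that this
        # model does not encode, so flag the overlap for a human to review.
        return "conflict"
    if denied:
        return "deny"   # deny-commands overrides the permission flags
    if allowed:
        return "allow"  # allow-commands grants the command even without the flag
    return "allow" if flag_permits(cls["permissions"], command) else "deny"


def who_can_run(command):
    """List the classes whose policy allows the command."""
    return [name for name in CLASSES if authorize(name, command) == "allow"]


if __name__ == "__main__":
    for cmd in ("request system set-encryption-key", "clear security log",
                "show security policies", "rollback", "start shell"):
        print(f"{cmd!r}: {who_can_run(cmd)}")
```

Running the block shows that request system set-encryption-key is granted only to crypto-admin, which lacks the security flag but carries the allow-commands entry, while audit-admin, which does have the security flag, is blocked by its deny-commands entry; rollback and start shell are denied to every class by regexp regardless of flags.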
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system login class audit-admin permissions security
set system login class audit-admin permissions trace
set system login class audit-admin permissions maintenance
set system login class audit-admin allow-commands "^clear (log|security log)"
set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class audit-admin security-role audit-administrator
set system login class crypto-admin permissions admin-control
set system login class crypto-admin permissions configure
set system login class crypto-admin permissions maintenance
set system login class crypto-admin permissions security-control
set system login class crypto-admin permissions system-control
set system login class crypto-admin permissions trace
set system login class crypto-admin allow-commands "^request system set-encryption-key"
set system login class crypto-admin deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class crypto-admin allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"]
set system login class crypto-admin security-role crypto-administrator
set system login class security-admin permissions all
set system login class security-admin deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
set system login class security-admin deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"]
set system login class security-admin security-role security-administrator
set system login class ids-admin permissions configure
set system login class ids-admin permissions security-control
set system login class ids-admin permissions trace
set system login class ids-admin permissions maintenance
set system login class ids-admin allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"]
set system login class ids-admin deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"
set system login class ids-admin deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"]
set system login class ids-admin security-role ids-administrator
set system login user audit-officer class audit-admin
set system login user crypto-officer class crypto-admin
set system login user security-officer class security-admin
set system login user ids-officer class ids-admin
set system login user audit-officer authentication plain-text-password
set system login user crypto-officer authentication plain-text-password
set system login user security-officer authentication plain-text-password
set system login user ids-officer authentication plain-text-password
Step-by-Step Procedure
To configure the administrative roles:
- Create the audit-admin login class.
  [edit]
  user@host# edit system login class audit-admin
  [edit system login class audit-admin]
  user@host# set permissions security
  user@host# set permissions trace
  user@host# set permissions maintenance
- Configure the login class restrictions for audit-admin.
  [edit system login class audit-admin]
  user@host# set allow-commands "^clear (log|security log)"
  user@host# set deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
  user@host# set security-role audit-administrator
- Create the crypto-admin login class.
  [edit]
  user@host# edit system login class crypto-admin
  [edit system login class crypto-admin]
  user@host# set permissions admin-control
  user@host# set permissions configure
  user@host# set permissions maintenance
  user@host# set permissions security-control
  user@host# set permissions system-control
  user@host# set permissions trace
- Configure the login class restrictions for crypto-admin.
  [edit system login class crypto-admin]
  user@host# set allow-commands "^request system set-encryption-key"
  user@host# set deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
  user@host# set allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"]
  user@host# set security-role crypto-administrator
- Create the security-admin login class.
  [edit]
  user@host# edit system login class security-admin
  [edit system login class security-admin]
  user@host# set permissions all
- Configure the login class restrictions for security-admin.
  [edit system login class security-admin]
  user@host# set deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
  user@host# set deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"]
  user@host# set security-role security-administrator
- Create the ids-admin login class.
  [edit]
  user@host# edit system login class ids-admin
  [edit system login class ids-admin]
  user@host# set permissions configure
  user@host# set permissions maintenance
  user@host# set permissions security-control
  user@host# set permissions trace
- Configure the login class restrictions for ids-admin.
  [edit system login class ids-admin]
  user@host# set allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"]
  user@host# set deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"
  user@host# set deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"]
  user@host# set security-role ids-administrator
- Assign the users to their roles.
  [edit]
  user@host# edit system login
  [edit system login]
  user@host# set user audit-officer class audit-admin
  user@host# set user crypto-officer class crypto-admin
  user@host# set user security-officer class security-admin
  user@host# set user ids-officer class ids-admin
- Configure passwords for the users.
  [edit system login]
  user@host# set user audit-officer authentication plain-text-password
  user@host# set user crypto-officer authentication plain-text-password
  user@host# set user security-officer authentication plain-text-password
  user@host# set user ids-officer authentication plain-text-password
Results
From configuration mode, confirm your configuration by entering the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct it.
[edit]
user@host# show system
system {
    login {
        class audit-admin {
            permissions [ maintenance security trace ];
            allow-commands "^clear (log|security log)";
            deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
            security-role audit-administrator;
        }
        class crypto-admin {
            permissions [ admin-control configure maintenance security-control system-control trace ];
            allow-commands "^request (system set-encryption-key)";
            deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
            allow-configuration-regexps [ "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation" ];
            security-role crypto-administrator;
        }
        class security-admin {
            permissions [ all ];
            deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell";
            deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation" ];
            security-role security-administrator;
        }
        class ids-admin {
            permissions [ configure maintenance security-control trace ];
            deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell";
            allow-configuration-regexps [ "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*" ];
            deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)";
            security-role ids-administrator;
        }
        user audit-officer {
            class audit-admin;
            authentication {
                encrypted-password "$1$ABC123"; ## SECRET-DATA
            }
        }
        user crypto-officer {
            class crypto-admin;
            authentication {
                encrypted-password "$1$ABC123."; ## SECRET-DATA
            }
        }
        user security-officer {
            class security-admin;
            authentication {
                encrypted-password "$1$ABC123."; ## SECRET-DATA
            }
        }
        user ids-officer {
            class ids-admin;
            authentication {
                encrypted-password "$1$ABC123/"; ## SECRET-DATA
            }
        }
    }
}
After you have configured the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Login Permissions
Purpose
Verify the login permissions of the current user.
Action
From operational mode, enter the show cli authorization command to verify the user's login permissions.
user@host> show cli authorization
Current user: 'example' class 'super-user'
Permissions:
    admin       -- Can view user accounts
    admin-control-- Can modify user accounts
    clear       -- Can clear learned network info
    configure   -- Can enter configuration mode
    control     -- Can modify any config
    edit        -- Can edit full files
    field       -- Can use field debug commands
    floppy      -- Can read and write the floppy
    interface   -- Can view interface configuration
    interface-control-- Can modify interface configuration
    network     -- Can access the network
    reset       -- Can reset/restart interfaces and daemons
    routing     -- Can view routing configuration
    routing-control-- Can modify routing configuration
    shell       -- Can start a local shell
    snmp        -- Can view SNMP configuration
    snmp-control-- Can modify SNMP configuration
    system      -- Can view system configuration
    system-control-- Can modify system configuration
    trace       -- Can view trace file settings
    trace-control-- Can modify trace file settings
    view        -- Can view current values and statistics
    maintenance -- Can become the super-user
    firewall    -- Can view firewall configuration
    firewall-control-- Can modify firewall configuration
    secret      -- Can view secret statements
    secret-control-- Can modify secret statements
    rollback    -- Can rollback to previous configurations
    security    -- Can view security configuration
    security-control-- Can modify security configuration
    access      -- Can view access configuration
    access-control-- Can modify access configuration
    view-configuration-- Can view all configuration (not including secrets)
    flow-tap    -- Can view flow-tap configuration
    flow-tap-control-- Can modify flow-tap configuration
    idp-profiler-operation-- Can Profiler data
    pgcp-session-mirroring-- Can view pgcp session mirroring configuration
    pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
    storage     -- Can view fibre channel storage protocol configuration
    storage-control-- Can modify fibre channel storage protocol configuration
    all-control -- Can modify any configuration
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: none
The output summarizes the login permissions.
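The design guideline earlier on this page (no login class should carry the shell permission flag) and the verification step above (show cli authorization) fit together naturally: the command's output is what an auditor reads to confirm the guideline holds for a given user. The following Python script, an added example that is not part of the Juniper page or of Junos, parses that output into the user, class, permission flags and deny-commands expression, and reports a user who could run start shell. A class whose flags include shell is accepted only when its deny-commands expression blocks ^start shell, which is how every class in this page's example neutralises that flag. Both sample outputs are constructed in the layout of the output above; the users, classes and flag lists in them are illustrative, not captured output.

```python
import re

# Constructed sample: a user whose class grants shell with no deny-commands
# expression, which the design guideline on this page forbids.
SAMPLE_SUPERUSER = """\
Current user: 'example' class 'super-user'
Permissions:
    configure   -- Can enter configuration mode
    shell       -- Can start a local shell
    rollback    -- Can rollback to previous configurations
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: none
"""

# Constructed sample: the flag is present (permissions all expands to every
# flag) but deny-commands blocks start shell, as security-admin does above.
SAMPLE_SECURITY_OFFICER = """\
Current user: 'security-officer' class 'security-admin'
Permissions:
    configure   -- Can enter configuration mode
    shell       -- Can start a local shell
    security-control-- Can modify security configuration
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: ^clear (log|security log)|^rollback|^start shell
    Allow configuration regular expression: none
    Deny configuration regular expression: none
"""

HEADER = re.compile(r"Current user: '([^']+)' class '([^']+)'")
# Long flag names butt directly against '--' in the real output, so the
# whitespace before the separator is optional.
PERM_LINE = re.compile(r"^\s*([a-z][\w-]*)\s*--\s")
DENY_LINE = re.compile(r"^\s*Deny regular expression:\s*(.*\S)\s*$")


def parse_authorization(text):
    """Extract user, class, permission flags and the deny-commands regexp."""
    user, cls = HEADER.search(text).groups()
    perms, deny = set(), None
    for line in text.splitlines():
        m = PERM_LINE.match(line)
        if m:
            perms.add(m.group(1))
            continue
        m = DENY_LINE.match(line)
        if m and m.group(1) != "none":
            deny = m.group(1)
    return {"user": user, "class": cls, "permissions": perms, "deny": deny}


def check_shell_guideline(text):
    """Return findings for the 'no shell permission' guideline; [] means compliant."""
    auth = parse_authorization(text)
    if "shell" not in auth["permissions"]:
        return []
    # The flag alone is tolerated when deny-commands blocks the command it enables.
    if auth["deny"] and re.search(auth["deny"], "start shell"):
        return []
    return [f"{auth['user']} (class {auth['class']}) can run 'start shell'"]


if __name__ == "__main__":
    for sample in (SAMPLE_SUPERUSER, SAMPLE_SECURITY_OFFICER):
        print(check_shell_guideline(sample) or ["compliant"])
```

In practice the text fed to parse_authorization would be the output of show cli authorization collected for each user account, and a non-empty result is the signal that the class needs either the flag removed or a deny-commands entry for ^start shell added.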
How to Configure a Local Administrator Account
Super-user privileges grant a user permission to use any command on the router and are normally reserved for a small number of users, such as system administrators. You, the system administrator, must protect the local administrator account with a password to prevent unauthorized users from gaining access to the super-user commands, which can be used to change the system configuration. Users who authenticate with RADIUS should also have a local password configured: if the RADIUS server does not respond, the login process falls back to local password authentication on the local administrator account.
The following example shows how to configure a password-protected local administrative account called admin with super-user privileges:
[edit]
system {
    login {
        user admin {
            uid 1000;
            class superuser;
            authentication {
                encrypted-password "<PASSWORD>"; ## SECRET-DATA
            }
        }
    }
}