管理角色
通过 Junos OS,您可以定义系统用户作为系统的特定类型的管理员。您可以通过将登录类配置为具有管理角色属性来为用户分配管理角色。您可以将其中一个角色属性(如 audit-officer、crypto-officer、security-officer、ids-officer)分配给管理用户。
如何设计管理角色
系统用户可以是允许用户充当系统特定类型的管理员的类的成员。要求特定角色来查看或修改项目会限制用户可以从系统获取的信息范围。它还限制了系统可供用户修改或观察的程度。在设计管理角色时,您(系统管理员)应使用以下准则:
不允许任何用户以 的身份
root登录系统。将每个用户限制为执行用户职责所需的最小权限集。
不允许任何用户属于包含权限标志的
shell登录类。shell权限标志允许用户从 CLI 运行start shell命令。允许用户具有回滚权限。回滚权限允许用户撤消管理员执行的操作,但不允许他们提交更改。
您可以通过将登录类配置为具有该角色所需的权限来为用户分配管理角色。您可以对每个类进行配置,按名称允许或拒绝访问配置语句和命令。这些限制将覆盖并优先于类中也配置的任何权限标志。您可以将以下角色属性之一分配给管理用户:
Crypto-administrator— 允许用户配置和监控加密数据。Security-administrator— 允许用户配置和监控安全数据。Audit-administrator— 允许用户配置和监控审计数据。IDS-administrator— 允许用户监控和清除入侵检测服务 (IDS) 安全日志。
每个角色都可以执行以下特定管理功能:
Cryptographic Administrator
配置加密自检。
修改加密安全数据参数。
Audit Administrator
配置和删除审计审查搜索和排序功能。
搜索和排序审计记录。
配置搜索和排序参数。
手动删除审计日志。
Security Administrator
调用、确定和修改加密自检行为。
启用、禁用、确定和修改审计分析和审计选择功能,配置设备为自动删除审计日志。
启用或禁用安全报警。
指定传输层连接上的配额限制。
指定面向连接的受控资源上的配额限制、网络标识符和时间段。
指定允许使用互联网控制消息协议 (ICMP) 或地址解析协议 (ARP) 的网络地址。
配置时间戳中使用的时间和日期。
查询、修改、删除和创建未经过身份验证的信息流安全功能策略 (SFP)、经过身份验证的信息流安全功能策略、未经身份验证的设备服务和任意访问控制策略的信息流或访问控制规则和属性。
指定在未经身份验证的信息流 SFP、经过身份验证的信息流 SFP、未经身份验证的评估目标 (TOE) 服务和任意访问控制策略下创建对象信息时覆盖默认值的初始值。
创建、删除或修改控制可从中建立管理会话的地址的规则。
指定和撤销与用户、主题和对象关联的安全属性。
指定设备向管理员发出警报的审核存储容量百分比。
处理身份验证故障,并修改通过 SSH 或通过 CLI 尝试失败的身份验证尝试次数,这些尝试在强制执行渐进式限制以进行进一步的身份验证尝试之前以及断开连接之前可能发生的次数。
管理设备的基本网络配置。
IDS Administrator— 指定 IDS 安全报警、入侵报警、审计选择和审计数据。
您必须在为这些管理角色创建的类中设置 security-role 属性。此属性限制哪些用户可以显示和清除安全日志,这些操作不能仅通过配置来执行。
例如,如果要将清除和显示 IDS 日志限制为 IDS 管理员角色,则必须在为 IDS 管理员角色创建的类中 ids-admin 设置 security-role 属性。同样,您必须将 security-role 设置为其他 admin 值之一,以限制该类只能清除和显示非 IDS 日志。
注意:
当用户删除现有配置时,已删除配置层次结构级别下的配置语句(用户无权修改的子对象)将保留在设备中。
示例:如何配置管理角色
此示例说明如何为一组独特的唯一权限配置单个管理角色,与所有其他管理角色不同。
要求
配置此功能之前,不需要执行除设备初始化之外的操作。
概述
此示例说明如何配置四个管理员用户角色:
audit-officer班级成员audit-admincrypto-officer班级成员crypto-adminsecurity-officer班级成员security-adminids-officer班级成员ids-admin
配置类时 security-admin ,创建该类的用户 security-admin 将撤销创建管理员的权限。创建新用户和登录名由 自行决定 security-officer。
在此示例中,您将创建上述列表中显示的四个管理用户角色(审核管理员、加密管理员、安全管理员和 ids 管理员)。对于每个角色,您可以为角色分配相关的权限标志。然后,您可以按名称允许或拒绝访问每个管理角色的配置语句和命令。这些特定限制优先于类中配置的权限标志。例如,只有 才能 crypto-admin 运行命令 request system set-encryption-key ,这需要具有 security 权限标志才能访问它。只有 才能 security-admin 在配置中包含 system time-zone 该语句,这需要具有 system-control 权限标志。
配置
过程
CLI 快速配置
要快速配置此示例,请复制以下命令,将其粘贴到文本文件中,删除所有换行符,更改详细信息,以便与网络配置匹配,将命令复制并粘贴到层次结构级别的 [edit] CLI 中,然后进入 commit 配置模式。
set system login class audit-admin permissions security set system login class audit-admin permissions trace set system login class audit-admin permissions maintenance set system login class audit-admin allow-commands "^clear (log|security log)" set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"; set system login class audit-admin security-role audit-administrator set system login class crypto-admin permissions admin-control set system login class crypto-admin permissions configure set system login class crypto-admin permissions maintenance set system login class crypto-admin permissions security-control set system login class crypto-admin permissions system-control set system login class crypto-admin permissions trace set system login class crypto-admin allow-commands "^request system set-encryption-key" set system login class crypto-admin deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" set system login class crypto-admin allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"] set system login class crypto-admin security-role crypto-administrator set system login class security-admin permissions all set system login class security-admin deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell" set system login class security-admin deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"] set system login class security-admin security-role security-administrator set system login class ids-admin permissions configure set system login class ids-admin permissions security-control set system login class ids-admin permissions trace set system login class ids-admin permissions maintenance set system login class ids-admin allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"] set system login class ids-admin deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell" set system login class ids-admin deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"] set system login class ids-admin security-role ids-admin set system login user audit-officer class audit-admin set system login user crypto-officer class crypto-admin set system login user security-officer class security-admin set system login user ids-officer class ids-admin set system login user audit-officer authentication plain-text-password set system login user crypto-officer authentication plain-text-password set system login user security-officer authentication plain-text-password set system login user ids-officer authentication plain-text-password
分步程序
要配置管理角色:
-
创建
audit-admin登录类。[edit] user@host# edit system login class audit-admin [edit system login class audit-admin] user@host# set permissions security user@host# set permissions trace user@host# set permissions maintenance
-
配置
audit-admin登录等级限制。[edit system login class audit-admin] user@host# set allow-commands "^clear (log|security log)" user@host# set deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" user@host# set security-role audit-administrator
-
创建
crypto-admin登录类。[edit] user@host# edit system login class crypto-admin [edit system login class crypto-admin] user@host# set permissions admin-control user@host# set permissions configure user@host# set permissions maintenance user@host# set permissions security-control user@host# set permissions system-control user@host# set permissions trace
-
配置
crypto-admin登录等级限制。[edit system login class crypto-admin] user@host# set allow-commands "^request system set-encryption-key" user@host# set deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" user@host# set allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"] user@host# set security-role crypto-administrator
-
创建
security-admin登录类。[edit] user@host# edit system login class security-admin [edit system login class security-admin] user@host# set permissions all
-
配置
security-admin登录等级限制。[edit system login class security-admin] user@host# set deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell" user@host# set deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key- generation"] user@host# set security-role security-administrator
-
创建
ids-admin登录类。[edit] user@host# edit system login class ids-admin [edit system login class ids-admin] user@host# set permissions configure user@host# set permissions maintenance user@host# set permissions security-control user@host# set permissions trace
-
配置
ids-admin登录等级限制。[edit system login class ids-admin] user@host# set allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*" user@host# set deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell" user@host# set deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"] user@host# set security-role ids-administrator
-
将用户分配给角色。
[edit] user@host# edit system login [edit system login] user@host# set user audit-officer class audit-admin user@host# set user crypto-officer class crypto-admin user@host# set user security-officer class security-admin user@host# set user ids-officer class ids-admin
-
为用户配置密码。
[edit system login] user@host# set user audit-officer authentication plain-text-password user@host# set user crypto-officer authentication plain-text-password user@host# set user security-officer authentication plain-text-password user@host# set user ids-officer authentication plain-text-password
结果
在配置模式下,输入 show system 命令以确认您的配置。如果输出未显示预期的配置,请重复此示例中的说明以更正配置。
[edit]
user@host# show system
system {
login {
class audit-admin {
permissions [ maintenance security trace ];
allow-commands "^clear (log|security log)";
deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
security-role audit-administrator;
}
class crypto-admin {
permissions [ admin-control configure maintenance security-control system-control trace ];
allow-commands "^request (system set-encryption-key)";
deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
allow-configuration-regexps [ "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation" ];
security-role crypto-administrator;
}
class security-admin {
permissions [all];
deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell";
deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation" ];
security-role security-administrator;
}
class ids-admin {
permissions [ configure maintenance security-control trace ];
deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type
(authentication | cryptographic-self-test | decryption-failures | encryption-failures
| ike-phase1-failures | ike-phase2-failures|key-generation-self-test |
non-cryptographic-self-test |policy | replay-attacks) | ^file (copy|delete|rename)
|^request (security|system set-encryption-key) | ^rollback |
^set date | ^show security (dynamic-policies|match-policies|policies) |^start shell";
allow-configuration-regexps [ "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*" ];
deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-
failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|
key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
security-role ids-administrator;
}
user audit-officer {
class audit-admin;
authentication {
encrypted-password "$1$ABC123"; ## SECRET-DATA
}
}
user crypto-officer {
class crypto-admin;
authentication {
encrypted-password "$1$ABC123."; ## SECRET-DATA
}
}
user security-officer {
class security-admin;
authentication {
encrypted-password "$1$ABC123."; ##SECRET-DATA
}
}
user ids-officer {
class ids-admin;
authentication {
encrypted-password "$1$ABC123/"; ## SECRET-DATA
}
}
}
}
配置设备后,在配置模式中输入 commit 。
验证
确认配置工作正常。
验证登录权限
目的
验证当前用户的登录权限。
行动
在操作模式下,输入命令 show cli authorization 以验证用户的登录权限。
user@host> show cli authorization
Current user: 'example' class 'super-user'
Permissions:
admin -- Can view user accounts
admin-control-- Can modify user accounts
clear -- Can clear learned network info
configure -- Can enter configuration mode
control -- Can modify any config
edit -- Can edit full files
field -- Can use field debug commands
floppy -- Can read and write the floppy
interface -- Can view interface configuration
interface-control-- Can modify interface configuration
network -- Can access the network
reset -- Can reset/restart interfaces and daemons
routing -- Can view routing configuration
routing-control-- Can modify routing configuration
shell -- Can start a local shell
snmp -- Can view SNMP configuration
snmp-control-- Can modify SNMP configuration
system -- Can view system configuration
system-control-- Can modify system configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
maintenance -- Can become the super-user
firewall -- Can view firewall configuration
firewall-control-- Can modify firewall configuration
secret -- Can view secret statements
secret-control-- Can modify secret statements
rollback -- Can rollback to previous configurations
security -- Can view security configuration
security-control-- Can modify security configuration
access -- Can view access configuration
access-control-- Can modify access configuration
view-configuration-- Can view all configuration (not including secrets)
flow-tap -- Can view flow-tap configuration
flow-tap-control-- Can modify flow-tap configuration
idp-profiler-operation-- Can Profiler data
pgcp-session-mirroring-- Can view pgcp session mirroring configuration
pgcp-session-mirroring-control-- Can modify pgcp session mirroring configura
tion
storage -- Can view fibre channel storage protocol configuration
storage-control-- Can modify fibre channel storage protocol configuration
all-control -- Can modify any configuration
Individual command authorization:
Allow regular expression: none
Deny regular expression: none
Allow configuration regular expression: none
Deny configuration regular expression: none
此输出汇总了登录权限。
如何配置本地管理员帐户
超级用户权限允许用户在路由器上使用任何命令,通常保留给少数用户,例如系统管理员。您(系统管理员)需要使用密码保护本地管理员帐户,以防止未经授权的用户访问超级用户命令。这些超级用户命令可用于更改系统配置。具有 RADIUS 身份验证的用户还应配置本地密码。如果 RADIUS 服务器没有响应,登录过程将恢复为本地管理员帐户上的本地密码身份验证。
以下示例说明如何配置具有超级用户权限的 admin 受密码保护的本地管理帐户:
[edit]
system {
login {
user admin {
uid 1000;
class superuser;
authentication {
encrypted-password "<PASSWORD>"; ## SECRET-DATA
}
}
}
}