[j-nsp] Supporting Audit Requirements in JUNOS

Stefan Fouant sfouant at gmail.com
Wed Jul 23 09:56:55 EDT 2008


Yeah, I tried something along very similar lines, but I think you are
right, what I am trying to accomplish may not be possible with JUNOS
regexes - I was hoping the regex engine was a bit more powerful
considering JUNOS' rich UNIX background.  What I wanted to do was to
allow the various commits, such as 'commit synchronize comment',
'commit at <time> comment', etc. - so really what I am looking for is
a way to ensure any type of commit operation is permitted so long as
it has the 'comment' option, or vice-versa, deny any commit operation
which does not have the 'comment' option.

I thought JUNOS regexes were POSIX-compliant.  Does anyone know if
JUNOS supports Extended Regular Expressions or does it just support
Basic Regular Expressions?

Cheers!

-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D

On Wed, Jul 23, 2008 at 6:18 AM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
> "Stefan Fouant" <sfouant at gmail.com> writes:
>
>> set system login class engineering deny-commands "^commit.*!comment.*$"
>
> This is practically impossible to accomplish with one regex. (I think
> you can do it with perl regexes, but I am not sure how fancy JunOS
> regexes are.)
>
> How about:
>
> set system login class engineering allow-commands "^commit.*comment"
> set system login class engineering deny-commands "^commit"
>
> This assumes that JunOS processes allow before deny, and that it
> implicitly allows everything not matched by either allow-commands or
> deny-commands.
>
> /Benny
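
Added example, not part of the original thread and not Junos code: a Python model of the two approaches discussed above, run against constructed sample commands. It assumes, as the quoted reply does, that allow-commands is checked before deny-commands and that unmatched commands are permitted; the helper names `decide` and `evaluate` are hypothetical, and the patterns use only constructs that behave the same in POSIX ERE and Python's `re`.

```python
import re

# Patterns taken verbatim from the thread.
SINGLE_DENY = r"^commit.*!comment.*$"  # original single-regex attempt
ALLOW = r"^commit.*comment"            # suggested allow-commands
DENY = r"^commit"                      # suggested deny-commands

# Constructed sample commands (not captured from a device).
SAMPLES = [
    "commit",
    "commit check",
    "commit confirmed 5",
    "commit synchronize",
    'commit comment "ticket 1234"',
    'commit synchronize comment "ticket 1234"',
    'commit at 23:00 comment "ticket 1234"',
    "show configuration",
]


def decide(command, allow=None, deny=None):
    """Assumed evaluation order: allow first, then deny, otherwise permit."""
    if allow and re.search(allow, command):
        return "permit"
    if deny and re.search(deny, command):
        return "deny"
    return "permit"


def evaluate(allow=None, deny=None):
    """Return {command: decision} for every constructed sample."""
    return {cmd: decide(cmd, allow, deny) for cmd in SAMPLES}


if __name__ == "__main__":
    single = evaluate(deny=SINGLE_DENY)
    pair = evaluate(allow=ALLOW, deny=DENY)
    for cmd in SAMPLES:
        print(f"{cmd!r:45} single={single[cmd]:7} pair={pair[cmd]}")
```

With the single pattern every sample is permitted, because `!` is a literal character in POSIX regular expressions and Python's `re`, not a negation operator. The allow/deny pair also denies `commit check` and `commit confirmed`, since neither carries a comment.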

