[j-nsp] Supporting Audit Requirements in JUNOS
Erdem Sener
erdems at gmail.com
Wed Jul 23 11:36:12 EDT 2008
Stefan,
Indeed, you could maybe try to configure a class like this:
class engineering {
    permissions all;
    allow-commands "^commit check|commit comment|^commit synchronize comment|commit confirmed comment";
    deny-commands "^commit$";
}
This might do what you want, with two exceptions:
"and-quit" will not be supported
"at" will not be supported
"confirmed" will only be supported with the default 10 minutes.
The reason is I couldn't find a way (maybe there is, I'm not 100%
sure) to include the parameter after _at_ and _confirmed_.
Hope this helps,
Erdem
user at router-re0> configure
Entering configuration mode
[edit]
user at router-re0# commit ?
Possible completions:
check Check correctness of syntax; do not apply changes
comment Message to write to commit log
confirmed Automatically rollback if not confirmed
synchronize Synchronize commit on both Routing Engines
[edit]
user at router-re0# commit comment ?
Possible completions:
<comment> Message to write to commit log
[edit]
user at router-re0# commit comment deneme ?
Possible completions:
<[Enter]> Execute this command
| Pipe through a command
[edit]
user at router-re0# commit confirmed ?
Possible completions:
comment Message to write to commit log
[edit]
user at router-re0# commit synchronize ?
Possible completions:
comment Message to write to commit log
[edit]
user at router-re0# commit check ?
Possible completions:
<[Enter]> Execute this command
and-quit Quit configuration mode if commit succeeds
synchronize Synchronize commit on both Routing Engines
| Pipe through a command
[edit]
On Wed, Jul 23, 2008 at 5:08 PM, Guy Davies <aguydavies at gmail.com> wrote:
> did you try 'commit synchronize comment "test"'? I think the quoted
> comment has to be last.
>
> Rgds,
>
> Guy
>
> 2008/7/23 Stefan Fouant <sfouant at gmail.com>:
>> That only allows me to do 'commit comment' and no other variations,
>> for example, I can't do 'commit comment "test" synchronize'...
>>
>> On Wed, Jul 23, 2008 at 10:19 AM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
>>> ons, 23 07 2008 kl. 09:56 -0400, skrev Stefan Fouant:
>>>
>>>> so really what I am looking for is
>>>> a way to ensure any type of commit operation is permitted so long as
>>>> it has the 'comment' option, or vice-versa, deny any commit operation
>>>> which does not have the 'comment' option.
>>>
>>> The commands I wrote should accomplish what you wanted. It required two
>>> regexes, but that is hardly the end of the world.
>>>
>>>
>>> /Benny
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Stefan Fouant
>> Principal Network Engineer
>> NeuStar, Inc. - http://www.neustar.biz
>> GPG Key ID: 0xB5E3803D
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
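Added example (not part of the thread, and not Juniper code): a quick offline check of which commit variants the two expressions from the class above match when read as ordinary regular expressions. It assumes Python's re.search as a stand-in for the Junos matcher, uses constructed sample command lines, and reports regex matches only, not the router's final authorization decision.

```python
import re

# Expressions copied from the class posted in this thread.
ALLOW = (r"^commit check|commit comment|^commit synchronize comment"
         r"|commit confirmed comment")
DENY = r"^commit$"

# Constructed sample command lines covering the variants discussed above.
SAMPLES = [
    'commit',
    'commit check',
    'commit comment "test"',
    'commit synchronize comment "test"',
    'commit confirmed comment "test"',
    'commit confirmed 5 comment "test"',
    'commit at "23:00" comment "test"',
    'commit synchronize',
    'commit and-quit',
]


def classify(command, allow=ALLOW, deny=DENY):
    """Return 'allow', 'deny', 'both' or 'neither' for plain regex matches.

    Assumption: re.search approximates the Junos matcher. Note that '^'
    binds only to the alternative it prefixes, so 'commit comment' and
    'commit confirmed comment' are unanchored in the allow expression.
    """
    hit_allow = re.search(allow, command) is not None
    hit_deny = re.search(deny, command) is not None
    if hit_allow and hit_deny:
        return "both"
    if hit_allow:
        return "allow"
    if hit_deny:
        return "deny"
    return "neither"


def unsettled(samples=SAMPLES):
    """Variants neither expression matches; these need testing on a device."""
    return [cmd for cmd in samples if classify(cmd) == "neither"]


if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{classify(cmd):8} {cmd}")
```

The variants reported as "neither" are the ones the two expressions do not settle by themselves, so they are the ones to try on a lab router with a test account in the class before relying on it for audit purposes.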