[j-nsp] Supporting Audit Requirements in JUNOS

Erdem Sener erdems at gmail.com
Wed Jul 23 11:36:12 EDT 2008


Stefan,

 Indeed, you could maybe try to configure a class like this:

class engineering {
    permissions all;
    allow-commands "^commit check|commit comment|^commit synchronize comment|commit confirmed comment";
    deny-commands "^commit$";
}

this might do what you want, with two exceptions:

"and-quit" will not be supported
"at" will not be supported
"confirmed" will only be supported with the default 10 minutes.

The reason is I couldn't find a way (maybe there is, I'm not 100%
sure) to include the parameter after _at_ and _confirmed_.

Hope this helps,
Erdem

user at router-re0> configure
Entering configuration mode

[edit]
user at router-re0# commit ?
Possible completions:
  check                Check correctness of syntax; do not apply changes
  comment              Message to write to commit log
  confirmed            Automatically rollback if not confirmed
  synchronize          Synchronize commit on both Routing Engines
[edit]
user at router-re0# commit comment ?
Possible completions:
  <comment>            Message to write to commit log
[edit]
user at router-re0# commit comment deneme ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
[edit]
user at router-re0# commit confirmed ?
Possible completions:
  comment              Message to write to commit log
[edit]
user at router-re0# commit synchronize ?
Possible completions:
  comment              Message to write to commit log
[edit]
user at router-re0# commit check ?
Possible completions:
  <[Enter]>            Execute this command
  and-quit             Quit configuration mode if commit succeeds
  synchronize          Synchronize commit on both Routing Engines
  |                    Pipe through a command
[edit]

On Wed, Jul 23, 2008 at 5:08 PM, Guy Davies <aguydavies at gmail.com> wrote:
> did you try 'commit synchronize comment "test"'?  I think the quoted
> comment has to be last.
>
> Rgds,
>
> Guy
>
> 2008/7/23 Stefan Fouant <sfouant at gmail.com>:
>> That only allows me to do 'commit comment' and no other variations,
>> for example, I can't do 'commit comment "test" synchronize'...
>>
>> On Wed, Jul 23, 2008 at 10:19 AM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
>>> Wed, 23 07 2008 at 09:56 -0400, Stefan Fouant wrote:
>>>
>>>> so really what I am looking for is
>>>> a way to ensure any type of commit operation is permitted so long as
>>>> it has the 'comment' option, or vice-versa, deny any commit operation
>>>> which does not have the 'comment' option.
>>>
>>> The commands I wrote should accomplish what you wanted. It required two
>>> regexes, but that is hardly the end of the world.
>>>
>>>
>>> /Benny
>>>
>>
>> --
>> Stefan Fouant
>> Principal Network Engineer
>> NeuStar, Inc. - http://www.neustar.biz
>> GPG Key ID: 0xB5E3803D
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
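As an added example (written for this archive page, not code from the thread or from Juniper), the following Python script runs a set of constructed commit lines through the two regexes in the login class posted above. It models allow-commands and deny-commands as Python re.search over the command line, which assumes that Junos applies these extended regexes unanchored (the reason the examples in the thread use ^ and $). Like the thread, it treats the class as a whitelist for commit variants; it does not model the class's permission flags, so the outcome must still be confirmed on a lab device. The audit_gaps() helper then compares what the regexes permit with the requirement Stefan stated, that every commit which applies changes carries a comment, and reports the commented commits the class rejects (the "at" and "confirmed <minutes>" exceptions Erdem lists) and any uncommented commits it lets through.

```python
import re

# Regexes exactly as they appear in the login class posted in the thread.
ALLOW_COMMANDS = (r"^commit check|commit comment|^commit synchronize comment"
                  r"|commit confirmed comment")
DENY_COMMANDS = r"^commit$"

# Constructed sample commit lines (not from the thread). The flag says
# whether the line carries a commit comment, the property to be enforced.
# Only forms that the thread's "commit ?" output shows as valid syntax are
# used; the comment is always last because the CLI accepts nothing after it.
SAMPLE_COMMITS = [
    ("commit", False),
    ("commit check", False),
    ("commit check and-quit", False),
    ('commit comment "ticket 1234"', True),
    ('commit synchronize comment "ticket 1234"', True),
    ("commit synchronize", False),
    ('commit confirmed comment "ticket 1234"', True),
    ('commit confirmed 5 comment "ticket 1234"', True),
    ('commit at 22:00 comment "ticket 1234"', True),
    ("commit and-quit", False),
]


def class_permits(command, allow=ALLOW_COMMANDS, deny=DENY_COMMANDS):
    """Return True if the modelled login class lets `command` run.

    Assumptions (not from the thread): the regexes are applied unanchored,
    so re.search is used and the ^ / $ anchors matter; a line runs only if
    some allow alternative matches and deny does not; the class's permission
    flags are not modelled.
    """
    if re.search(deny, command):
        return False
    return re.search(allow, command) is not None


def audit_gaps(samples=SAMPLE_COMMITS):
    """Compare what the regexes permit with the 'commit must carry a comment' intent.

    Returns two lists: commented commits the class rejects (lost usability)
    and uncommented commits it accepts (an audit gap). 'commit check' applies
    nothing and writes no commit log entry, so it is not counted as a gap.
    """
    rejected_with_comment = []
    accepted_without_comment = []
    for command, has_comment in samples:
        permitted = class_permits(command)
        if has_comment and not permitted:
            rejected_with_comment.append(command)
        if permitted and not has_comment and not command.startswith("commit check"):
            accepted_without_comment.append(command)
    return {"rejected_with_comment": rejected_with_comment,
            "accepted_without_comment": accepted_without_comment}


if __name__ == "__main__":
    for command, _ in SAMPLE_COMMITS:
        print(f"{'allow' if class_permits(command) else 'deny ':5}  {command}")
    print(audit_gaps())
```

Running the script shows the regexes rejecting every sample commit that lacks a comment except "commit check" and "commit check and-quit", while also rejecting the commented "commit confirmed 5 ..." and "commit at ..." forms, which is the trade-off Erdem describes; any change to the regexes can be re-checked against the same sample list before it is pushed to a device.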

