From 89fef3e3c12118527ce455798748afa418f49dac Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Fri, 9 Jul 2021 12:22:30 +0800 Subject: [PATCH 01/19] Add TACACS+ protocol requirement document. --- doc/aaa/TACACS+ Requirement.md | 161 +++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 doc/aaa/TACACS+ Requirement.md diff --git a/doc/aaa/TACACS+ Requirement.md b/doc/aaa/TACACS+ Requirement.md new file mode 100644 index 0000000000..73a02d56c3 --- /dev/null +++ b/doc/aaa/TACACS+ Requirement.md 
@@ -0,0 +1,161 @@ +# SONiC TACACS+ Protocol Requirement + +# Table of Contents +- [Table of Contents](#table-of-contents) +- [About this Manual](#about-this-manual) +- [1 Functional Requirements](#1-functional-requirement) + * [1.1 Authentication](#11-authentication) + * [1.2 Authorization](#12-authorization) + * [1.3 Accounting](#13-accounting) + * [1.4 User script](#14-user-script) + * [1.5 Docker support](#15-docker-support) + * [1.6 Multiple TACAS server](#16-multiple-tacas-server) +- [2 Configuration and Management Requirements](#2-configuration-and-management-requirements) + * [2.1 SONiC CLI](#21-sonic-cli) + * [2.2 Config DB](#22-config-db) + * [2.3 Counter](#23-counter) + * [2.4 System log](#24-system-log) +- [3 Limitation](#limitation) + * [3.1 Command size](#31-command-size) + * [3.2 Server count](#32-server-count) + +# About this Manual +This document provides a detailed description on the requirement of TACACS+ protocol support. + +# 1 Functional Requirement +## 1.1 Authentication +- Authentication when user login to SONiC host. + + +## 1.2 Authorization +- Authorization when: + - User login to SONiC host. + - User run command on SONiC host. + - User can only run commands in whitelist. + - For recursive command/script, only the top level command have authorization. + +- Only command in whitelist visible to user: + - All privilege level share same whitelist to simplify design. + - Different privilege level have different permission to run these command. + - All commands in sudoers will add to the whitelist. and sudoers config file still need for RO users, this is because when remote TACACS server not avaliable, we need use local group permission for failover. + +- Disable user behavior in shell: + - Changing directories with the cd builtin. 
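Review bot: the failover bullet in 1.2 ("if remote TACACS server not available, use local group based authorization as failover") should define which conditions count as "not available" (connect failure, timeout, malformed reply) and state that an explicit reject from the server never falls through to local authorization; as written, a reader cannot tell whether local groups are a backstop or a second chance. It should also require that every failover decision is itself logged, because an attacker who can make the server unreachable would otherwise silently downgrade every user to local policy. Minor: the table-of-contents anchors do not match the headings (`#1-functional-requirement` for "1 Functional Requirements", `#16-multiple-tacas-server` misspells TACACS, `#limitation` for "3 Limitation").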
+ - User still can access files in other folder, and use 'ls' command to list content in other folder, for example: + ``` + test@testhost:~$ ls -l /etc/ + total 880 + drwxr-xr-x 3 test test 4096 Aug 22 2020 NetworkManager + drwxr-xr-x 7 test test 4096 Aug 22 2020 X11 + drwxr-xr-x 3 test test 4096 Aug 22 2020 acpi + ``` + - Setting or unsetting the values of the SHELL, PATH, HISTFILE, ENV, or BASH_ENV variables. + - Specifying command names containing slashes. + - Importing function definitions from the shell environment at startup. + - Parsing the value of SHELLOPTS from the shell environment at startup. + - Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators. + - Builtin commands: + +| **Command** | **Behavior** | +| -------- | -------------------------- | +| . | Specifying a filename containing a slash as an argument. | +| history | Specifying a filename containing a slash as an argument. | +| hash | Specifying a filename containing a slash as an argument to the -p option. | +| exec | Specifying a filename containing a slash as an argument to the -p option. | +| deleting/adding | Use the -f and -d options to the enable builtin. | +| enable | Using the 'enable' builtin command to enable disabled shell builtins. | +| command | Specifying the -p option to the 'command' builtin command. | +| set | Turning off restricted mode with ‘set +r’ or ‘set +o restricted’. | + + - All these behavior disabled only for user input, command in script will not be affected, see here for more details: https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html + + +- Supported Authorization types: + - EXEC: user session authorization support. this happen when user login. + - Command: user run command in shell. + +- Failover: + - Authorization will happen before execute, if remote TACACS server not available, use local group based authorization as failover. + + +## 1.3 Accounting + - Accounting when: + - User login to SONiC host. 
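Review bot: the `exec` row in the builtin table is wrong: in bash restricted mode the restriction on `exec` is that it cannot be used to replace the shell with another command; the "-p option" text was copied from the `hash` row. The row labelled "deleting/adding" is not a command name and duplicates the `enable` row below it, so fold the two into one `enable` row covering both `-f`/`-d` and enabling disabled builtins. The criterion for putting a command on the whitelist also belongs next to this list: a restricted shell is only as strong as its whitelist, and any listed program that can spawn a shell, run an interpreter, or write files (editors, pagers, python, `docker`) hands the user an unrestricted shell, which the "All commands in sudoers will add to the whitelist" rule above does not guard against.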
+ - User run command on host: + - Command start run. + - Command finish. + - For recursive command/script, only the top level command have Accounting. +- Failover: + - Use syslog as backup when remote TACACS not avaliable. + + +## 1.4 User script + - Any script in whitelist can run with Authorization and Accounting. + - If user create a script, admin user can use config command add script to whitelist. + +## 1.5 Docker support + - Docker exec command will be covered by Authorization and Accounting. + - SONiC AAA can't cover any command user run inside a docker. + +## 1.6 Multiple TACACS server + - Support config multiple TACACS server. + - When a server not available, will try next server as backup. + - When all server not available, use native failover solution. + +# 2 Configuration and Management Requirements +## 2.1 SONiC CLI + - Enable/Disable TACACS Authorization/Accounting command +``` + config tacacs authorization enable + config tacacs authorization disable + config tacacs accounting enable + config tacacs accounting disable +``` + + - Whitelist management command +``` + show config tacacs restrict command whitelist + Config tacacs restrict command whitelist remove + Config tacacs restrict command whitelist add +``` + + - Counter command +``` + show tacacs counter + clear tacacs counter +``` + +## 2.2 Config DB + - TACACS AAA are fully configable by config DB. + +## 2.3 Counter + - Support AAA counter: +``` + show tacacs counter + + server1: 10.1.1.45 + Messages sent: 24 + Messages received: 20 + Requests accepted: 14 + Requests rejected: 8 + Requests timeout: 2 + Requests retransmitted: 1 + Bad responses: 1 +``` + +## 2.4 System log +- Generate system log when Authentication/Authorization/Accounting. +- When remote TACACS server not avaliable, use system log for accounting. + + +# 3 Limitation +## 3.1 Command size + - TACACS protocol limittation: command + parameter size should smaller than 240 byte. The longer than 240 bytes parts will be drop. 
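Review bot: section 1.5 says `docker exec` is authorized and accounted but nothing run inside the container is; that means authorizing `docker exec` for a user is authorizing an unaudited interactive session with whatever privileges the container has, and the document should say so explicitly and recommend that server policy grant `docker exec` only to administrators. The accounting failover in 1.3 has a related gap: a record written to syslog because the server was unreachable should be marked as a failover record, otherwise the audit trail cannot distinguish a healthy system from one whose accounting server was taken offline. Minor: the whitelist commands mix `show config tacacs ...` and `Config tacacs ...`; use one lowercase `config`/`show` form.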
+ - This limitation is a protocol level, all TACACS implementation have this limittation, include CISCO, ARISTA and Cumulus. + - Both Authorization and Accounting have this limitation. + - When user user a command longer than 240 bytes, only commands within 240 bytes will send to TACACS server. which means Accounting may lost some user input. and Authorization check can only partly check user input. + + +## 3.2 Server count + - Max TACACS server count was hardcoded, default count is 8. + From 5e3fc17c7853609effbe47f73ade6396951751ed Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Fri, 9 Jul 2021 16:00:31 +0800 Subject: [PATCH 02/19] Improve document. --- doc/aaa/TACACS+ Requirement.md | 47 +++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 15 deletions(-) diff --git a/doc/aaa/TACACS+ Requirement.md b/doc/aaa/TACACS+ Requirement.md index 73a02d56c3..975a36309f 100644 --- a/doc/aaa/TACACS+ Requirement.md +++ b/doc/aaa/TACACS+ Requirement.md @@ -9,7 +9,7 @@ * [1.3 Accounting](#13-accounting) * [1.4 User script](#14-user-script) * [1.5 Docker support](#15-docker-support) - * [1.6 Multiple TACAS server](#16-multiple-tacas-server) + * [1.6 Multiple TACACS server](#16-multiple-tacas-server) - [2 Configuration and Management Requirements](#2-configuration-and-management-requirements) * [2.1 SONiC CLI](#21-sonic-cli) * [2.2 Config DB](#22-config-db) 
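Review bot: section 3.1 overstates the protocol: RFC 8907 encodes each argument length in one byte, so the limit is per argument (255 bytes) and the 240-byte figure is an implementation choice, not "a protocol level" limit shared by "CISCO, ARISTA and Cumulus"; cite the RFC field instead of naming vendors. The security consequence in the last bullet ("Authorization check can only partly check user input") needs a decision rather than a note: either split the command and its parameters across multiple arguments so nothing is dropped, or fail closed and deny any command line that cannot be sent in full; authorizing a truncated prefix and then executing the whole line lets the unseen tail carry exactly the part the server would have rejected. Also 3.2 says the count is "hardcoded" and then "default count is 8", which contradicts itself; and the first hunk of patch 02 fixes "TACAS" in the link text but leaves the `#16-multiple-tacas-server` anchor.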
@@ -35,22 +35,31 @@ This document provides a detailed description on the requirement of TACACS+ prot - For recursive command/script, only the top level command have authorization. - Only command in whitelist visible to user: - - All privilege level share same whitelist to simplify design. + - Whitelist is per host, all user share same whitelist to simplify design. - Different privilege level have different permission to run these command. - - All commands in sudoers will add to the whitelist. and sudoers config file still need for RO users, this is because when remote TACACS server not avaliable, we need use local group permission for failover. + - All commands in sudoers will add to the whitelist. and sudoers config file still need for RO users, this is because when remote TACACS server not accessible from SONiC, we need use local group permission for failover. - Disable user behavior in shell: - Changing directories with the cd builtin. - User still can access files in other folder, and use 'ls' command to list content in other folder, for example: - ``` + ``` test@testhost:~$ ls -l /etc/ total 880 drwxr-xr-x 3 test test 4096 Aug 22 2020 NetworkManager drwxr-xr-x 7 test test 4096 Aug 22 2020 X11 drwxr-xr-x 3 test test 4096 Aug 22 2020 acpi - ``` + ``` - Setting or unsetting the values of the SHELL, PATH, HISTFILE, ENV, or BASH_ENV variables. - - Specifying command names containing slashes. + + - Specifying command names containing slashes, for example: + ``` + test@testhost:~$ /etc/date + rbash: /etc/date: restricted: cannot specify `/' in command names + + test@testhost:~$ date + Fri Jul 9 15:15:42 CST 2021 + ``` + - Importing function definitions from the shell environment at startup. - Parsing the value of SHELLOPTS from the shell environment at startup. - Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators. 
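Review bot: "Whitelist is per host, all user share same whitelist" together with "Different privilege level have different permission to run these command" leaves the enforcement point implicit: a RO user can see and type every whitelisted command, and the only thing that stops it is the TACACS+ server's per-command policy, or sudoers when the server is "not accessible from SONiC". Spell that out, and add the requirement that the local failover policy for RO users is at least as restrictive as the server policy, otherwise making the server unreachable is a privilege escalation. The `/etc/date` example is a good addition; the `cd` bullet above it would benefit from the same treatment, showing that `cd /tmp` is refused.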
@@ -79,20 +88,28 @@ This document provides a detailed description on the requirement of TACACS+ prot ## 1.3 Accounting - - Accounting when: + - Accounting is the action of recording what a user is doing, and/or has done. + + - Following event will be accounted: - User login to SONiC host. + - User logout. - User run command on host: - Command start run. - Command finish. - For recursive command/script, only the top level command have Accounting. - Failover: - - Use syslog as backup when remote TACACS not avaliable. + - Use syslog as backup when remote TACACS not not accessible from SONiC. ## 1.4 User script - Any script in whitelist can run with Authorization and Accounting. - If user create a script, admin user can use config command add script to whitelist. - + - To run user script, TACACS server side must allow user run script, for example: + ``` + 1. Tacacs service allow RW user run any script named as 'user_script_*' + 2. RW user create a new script on sonic host, script name is 'user_script_collect_information.sh' + 3. Then user can add user_script_collect_information.sh to white list and run it. + ``` ## 1.5 Docker support - Docker exec command will be covered by Authorization and Accounting. - SONiC AAA can't cover any command user run inside a docker. @@ -100,7 +117,7 @@ This document provides a detailed description on the requirement of TACACS+ prot ## 1.6 Multiple TACACS server - Support config multiple TACACS server. - When a server not available, will try next server as backup. - - When all server not available, use native failover solution. + - When all server not accessible from SONiC, use native failover solution. # 2 Configuration and Management Requirements ## 2.1 SONiC CLI 
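Review bot: the user-script example ("Tacacs service allow RW user run any script named as 'user_script_*'") describes authorization by file name, which any RW user satisfies by naming a file accordingly; combined with "only the top level command have authorization" this amounts to "RW users may run arbitrary code", and 1.4 should state that plainly rather than present the pattern as a control. Either show a server policy keyed on a specific path, or say outright that script contents are not inspected. Typo in the accounting failover bullet: "not not accessible".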
@@ -114,15 +131,15 @@ This document provides a detailed description on the requirement of TACACS+ prot - Whitelist management command ``` - show config tacacs restrict command whitelist - Config tacacs restrict command whitelist remove - Config tacacs restrict command whitelist add + show tacacs whitelist + Config tacacs whitelist remove + Config tacacs whitelist add ``` - Counter command ``` show tacacs counter - clear tacacs counter + clean tacacs counter ``` ## 2.2 Config DB @@ -145,7 +162,7 @@ This document provides a detailed description on the requirement of TACACS+ prot ## 2.4 System log - Generate system log when Authentication/Authorization/Accounting. -- When remote TACACS server not avaliable, use system log for accounting. +- When remote TACACS server not accessible from SONiC, use system log for accounting. # 3 Limitation From d1805c6cea536fbcd873eb44621e448ec9e30fcc Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Tue, 13 Jul 2021 10:16:38 +0800 Subject: [PATCH 03/19] Update document according to PR comments. --- doc/aaa/TACACS+ Requirement.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/aaa/TACACS+ Requirement.md b/doc/aaa/TACACS+ Requirement.md index 975a36309f..13a0346385 100644 --- a/doc/aaa/TACACS+ Requirement.md +++ b/doc/aaa/TACACS+ Requirement.md @@ -132,14 +132,14 @@ This document provides a detailed description on the requirement of TACACS+ prot - Whitelist management command ``` show tacacs whitelist - Config tacacs whitelist remove - Config tacacs whitelist add + config tacacs whitelist remove + config tacacs whitelist add ``` - Counter command ``` show tacacs counter - clean tacacs counter + sonic-clear tacacscounters ``` ## 2.2 Config DB 
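Review bot: `config tacacs whitelist add` / `remove` are shown without the argument they take (the command path or name), and since 2.2 says TACACS AAA is "fully configable by config DB" the whitelist needs a CONFIG_DB table name and schema here as well; otherwise it is unclear whether `config tacacs whitelist` writes to CONFIG_DB or edits a file on the host. Minor: patch 03 lowercases `config` and renames the clear command to `sonic-clear tacacscounters`, but its message only says "according to PR comments", so the reason for the rename is lost to readers of the log.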
@@ -160,9 +160,9 @@ This document provides a detailed description on the requirement of TACACS+ prot Bad responses: 1 ``` -## 2.4 System log -- Generate system log when Authentication/Authorization/Accounting. -- When remote TACACS server not accessible from SONiC, use system log for accounting. +## 2.4 Syslog +- Generate syslog when Authentication/Authorization/Accounting. +- When remote TACACS server not accessible from SONiC, use syslog for accounting. # 3 Limitation From f3c8020b1050dbab4a420a37e2fb6e85f7b8d84f Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Thu, 15 Jul 2021 13:46:06 +0800 Subject: [PATCH 04/19] Improve document. --- doc/aaa/TACACS+ Requirement.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/aaa/TACACS+ Requirement.md b/doc/aaa/TACACS+ Requirement.md index 13a0346385..f38aa9564f 100644 --- a/doc/aaa/TACACS+ Requirement.md +++ b/doc/aaa/TACACS+ Requirement.md @@ -34,7 +34,7 @@ This document provides a detailed description on the requirement of TACACS+ prot - User can only run commands in whitelist. - For recursive command/script, only the top level command have authorization. -- Only command in whitelist visible to user: +- Only command in whitelist visible to user: - Whitelist is per host, all user share same whitelist to simplify design. - Different privilege level have different permission to run these command. - All commands in sudoers will add to the whitelist. and sudoers config file still need for RO users, this is because when remote TACACS server not accessible from SONiC, we need use local group permission for failover. 
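Review bot: renaming the heading to "## 2.4 Syslog" breaks the table of contents, which still reads `[2.4 System log](#24-system-log)`; update the entry and anchor in the same change. The patch 04 hunk that follows only strips trailing whitespace from "Only command in whitelist visible to user:", which is fine but belongs in a whitespace-only commit rather than one titled "Improve document."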
@@ -62,7 +62,6 @@ This document provides a detailed description on the requirement of TACACS+ prot - Importing function definitions from the shell environment at startup. - Parsing the value of SHELLOPTS from the shell environment at startup. - - Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators. - Builtin commands: | **Command** | **Behavior** | @@ -74,7 +73,6 @@ This document provides a detailed description on the requirement of TACACS+ prot | deleting/adding | Use the -f and -d options to the enable builtin. | | enable | Using the 'enable' builtin command to enable disabled shell builtins. | | command | Specifying the -p option to the 'command' builtin command. | -| set | Turning off restricted mode with ‘set +r’ or ‘set +o restricted’. | - All these behavior disabled only for user input, command in script will not be affected, see here for more details: https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html From bf1e468c2c96a447305f1c1784347e61b5e178c7 Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Tue, 20 Jul 2021 10:12:11 +0800 Subject: [PATCH 05/19] Update requirement document, remove some authorization limitation because we choice bash approach. --- doc/aaa/TACACS+ Requirement.md | 62 +++++----------------------------- 1 file changed, 8 insertions(+), 54 deletions(-) diff --git a/doc/aaa/TACACS+ Requirement.md b/doc/aaa/TACACS+ Requirement.md index f38aa9564f..30c73fea71 100644 --- a/doc/aaa/TACACS+ Requirement.md +++ b/doc/aaa/TACACS+ Requirement.md 
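Review bot: the two rows removed here (output redirection and `set +r` / `set +o restricted`) are restrictions bash itself enforces in restricted mode, so deleting them does not change behaviour; it makes the list incomplete if rbash is still the mechanism, and the commit message "Improve document." gives no reason. If the removal anticipates dropping rbash in favour of the bash-plugin approach (patch 05's message: "because we choice bash approach"), say so in this commit or squash it into that one; if not, keep the rows, because the `set +r` row in particular is what tells the reader why a user cannot simply switch restricted mode off.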
@@ -30,52 +30,10 @@ This document provides a detailed description on the requirement of TACACS+ prot ## 1.2 Authorization - Authorization when: - User login to SONiC host. - - User run command on SONiC host. - - User can only run commands in whitelist. + - User run any executable file or script on SONiC host. + - The full path and parameters will be send to TACACS+ server side for authorization. - For recursive command/script, only the top level command have authorization. - -- Only command in whitelist visible to user: - - Whitelist is per host, all user share same whitelist to simplify design. - - Different privilege level have different permission to run these command. - - All commands in sudoers will add to the whitelist. and sudoers config file still need for RO users, this is because when remote TACACS server not accessible from SONiC, we need use local group permission for failover. - -- Disable user behavior in shell: - - Changing directories with the cd builtin. - - User still can access files in other folder, and use 'ls' command to list content in other folder, for example: - ``` - test@testhost:~$ ls -l /etc/ - total 880 - drwxr-xr-x 3 test test 4096 Aug 22 2020 NetworkManager - drwxr-xr-x 7 test test 4096 Aug 22 2020 X11 - drwxr-xr-x 3 test test 4096 Aug 22 2020 acpi - ``` - - Setting or unsetting the values of the SHELL, PATH, HISTFILE, ENV, or BASH_ENV variables. - - - Specifying command names containing slashes, for example: - ``` - test@testhost:~$ /etc/date - rbash: /etc/date: restricted: cannot specify `/' in command names - - test@testhost:~$ date - Fri Jul 9 15:15:42 CST 2021 - ``` - - - Importing function definitions from the shell environment at startup. - - Parsing the value of SHELLOPTS from the shell environment at startup. - - Builtin commands: - -| **Command** | **Behavior** | -| -------- | -------------------------- | -| . | Specifying a filename containing a slash as an argument. 
| -| history | Specifying a filename containing a slash as an argument. | -| hash | Specifying a filename containing a slash as an argument to the -p option. | -| exec | Specifying a filename containing a slash as an argument to the -p option. | -| deleting/adding | Use the -f and -d options to the enable builtin. | -| enable | Using the 'enable' builtin command to enable disabled shell builtins. | -| command | Specifying the -p option to the 'command' builtin command. | - - - All these behavior disabled only for user input, command in script will not be affected, see here for more details: https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html - + - No authorization for bash builtin command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. - Supported Authorization types: - EXEC: user session authorization support. this happen when user login. @@ -87,7 +45,7 @@ This document provides a detailed description on the requirement of TACACS+ prot ## 1.3 Accounting - Accounting is the action of recording what a user is doing, and/or has done. - + - Following event will be accounted: - User login to SONiC host. - User logout. 
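Review bot: "No authorization for bash builtin command and bash function" needs to name the builtins that can defeat an exec-time hook and say what happens for each: `exec` (replaces the shell with another program), `source` / `.` and `eval` (run text without a new execve). More importantly, "only the top level command have authorization" means that authorizing any interpreter or program with a shell escape (`python`, `vi`, `less`, `docker exec`) authorizes everything it spawns, so the server-side policy must be an explicit default-deny list; this section should say so, since it no longer has a whitelist of its own. Sending "The full path and parameters" is the right choice, but it also makes the 240-byte truncation in 3.1 more likely for long paths, so the two sections should cross-reference.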
@@ -95,19 +53,15 @@ This document provides a detailed description on the requirement of TACACS+ prot - Command start run. - Command finish. - For recursive command/script, only the top level command have Accounting. + - Failover: - Use syslog as backup when remote TACACS not not accessible from SONiC. ## 1.4 User script - - Any script in whitelist can run with Authorization and Accounting. - - If user create a script, admin user can use config command add script to whitelist. - - To run user script, TACACS server side must allow user run script, for example: - ``` - 1. Tacacs service allow RW user run any script named as 'user_script_*' - 2. RW user create a new script on sonic host, script name is 'user_script_collect_information.sh' - 3. Then user can add user_script_collect_information.sh to white list and run it. - ``` + - User can create and run their own script. + - If user create a script but TACACS+ service side not have configuration to allow user run this script, user script will be blocked by authorization. + ## 1.5 Docker support - Docker exec command will be covered by Authorization and Accounting. - SONiC AAA can't cover any command user run inside a docker. From e06041206116707bb3eb26d3dcf00fa1c64df0cd Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Tue, 27 Jul 2021 17:33:03 +0800 Subject: [PATCH 06/19] Save document change. --- doc/aaa/TACACS+ Design.md | 284 +++++++++++++++++++++++++++++++++ doc/aaa/TACACS+ Requirement.md | 130 --------------- 2 files changed, 284 insertions(+), 130 deletions(-) create mode 100644 doc/aaa/TACACS+ Design.md delete mode 100644 doc/aaa/TACACS+ Requirement.md diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md new file mode 100644 index 0000000000..384784e0f7 --- /dev/null +++ b/doc/aaa/TACACS+ Design.md 
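Review bot: 1.4 now reads as default-deny ("user script will be blocked by authorization" unless the server allows it), which is the right posture, but it only holds while the server is reachable; with the 1.2 failover to "local group based authorization", nothing here says what stops a user's own script when the server is down. State that the local failover policy must deny unknown executables for non-admin users, or a script that was blocked a minute ago becomes runnable by unplugging the management link.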
@@ -0,0 +1,284 @@ +# SONiC TACACS+ protocol Design + +# Table of Contents +- [Table of Contents](#table-of-contents) +- [About this Manual](#about-this-manual) +- [1 Functional Requirements](#1-functional-requirement) + * [1.1 Authentication](#11-authentication) + * [1.2 Authorization](#12-authorization) + * [1.3 Accounting](#13-accounting) + * [1.4 User script](#14-user-script) + * [1.5 Docker support](#15-docker-support) + * [1.6 Multiple TACACS server](#16-multiple-tacas-server) +- [2 Configuration and Management Requirements](#2-configuration-and-management-requirements) + * [2.1 SONiC CLI](#21-sonic-cli) + * [2.2 Config DB](#22-config-db) + * [2.3 Counter](#23-counter) + * [2.4 System log](#24-system-log) +- [3 Limitation](#limitation) + * [3.1 Command size](#31-command-size) + * [3.2 Server count](#32-server-count) +- [4 Design](#design) + * [4.1 Authentication](#41-authentication) + * [4.2 Authorization](#42-authorization) + * [4.2.1 Implementation](#421-implementation) + * [4.2.2 ConfigDB Schema](#422-configdb-schema) + * [4.2.3 CLI](#423-cli) + * [4.3 Accounting](#43-accounting) + * [4.3.1 Implementation](#431-implementation) + * [4.3.2 ConfigDB Schema](#432-configdb-schema) + * [4.3.3 CLI](#433-cli) +- [5 Error handling](#error-handling) +- [6 Serviceability and Debug](#serviceability-and-debug) +- [7 Unit Test](#unit-test) + * [7.1 Unit test for source code](#41-unit-test-for-source-code) + * [7.2 End to end test with testbed](#41-end-to-end-test-with-testbed) + * [7.3 Backward compatibility test](#41-backward compatibility test) +- [8 References](#references) + * [ RFC8907](#rfc8907) + * [ TACACS+ Authentication](#tacacs+-Authentication) + * [ Bash](#bash) + * [pam_tacplus](#pam_tacplus) + * [ Auditd](#auditd) + * [ audisp-tacplus](#audisp-tacplus) + +# About this Manual +This document provides a detailed description on the requirement and design of TACACS+ protocol support. 
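Review bot: the new table of contents has broken anchors: 7.1, 7.2 and 7.3 all point at `#41-...` (and `#41-backward compatibility test` contains spaces), `#tacacs+-Authentication` does not match the "## TACACS+ Authentication" reference heading, `#16-multiple-tacas-server` carries the old misspelling, and "[2.4 System log](#24-system-log)" points at a heading that is now "## 2.4 Syslog". Generate the anchors from the headings rather than hand-writing them.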
+ +# 1 Functional Requirement +## 1.1 Authentication +- Authentication when user login to SONiC host. +- For more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) + + +## 1.2 Authorization +- Authorization when: + - User login to SONiC host. + - User run any executable file or script on SONiC host. + - The full path and parameters will be send to TACACS+ server side for authorization. + - For recursive command/script, only the top level command have authorization. + - No authorization for bash builtin command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. + +- Supported Authorization types: + - EXEC: user session authorization support. this happen when user login. + - Command: user run command in shell. + +- Failover: + - Authorization will happen before execute, if remote TACACS server not available, use local group based authorization as failover. + +## 1.3 Accounting + - Accounting is the action of recording what a user is doing, and/or has done. + + - Following event will be accounted: + - User login to SONiC host. + - User logout. + - User run command on host: + - Command start run. + - Command finish. + +- User command in Docker will not be accounted. + - User command in docker actually run by docker service, so we can't identify if command are run by user or system service. + +- Failover: + - Use syslog as backup when remote TACACS not not accessible from SONiC. + + +## 1.4 User script + - User can create and run their own script. + - If user create a script but TACACS+ service side not have configuration to allow user run this script, user script will be blocked by authorization. + +## 1.5 Docker support + - Docker exec command will be covered by Authorization and Accounting. + - Any command run inside docker container will not covered by Authorization and Accounting. + +## 1.6 Multiple TACACS server + - Support config multiple TACACS server. 
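Review bot: the 1.3 justification ("User command in docker actually run by docker service, so we can't identify if command are run by user or system service") is correct, which is exactly why the accounting records for the `docker exec` call itself matter: they should carry the container and the command line, which 1.2 already sends as "full path and parameters", so the audit trail at least shows which session was opened even though its contents are lost. Say that in 1.5 next to "Any command run inside docker container will not covered". Typo carried over from the old file: "not not accessible".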
+ - When a server not accessible, will try next server as backup. + - When all server not accessible from SONiC, use native failover solution. + +# 2 Configuration and Management Requirements +## 2.1 SONiC CLI + - Enable/Disable TACACS Authorization/Accounting command +``` + config aaa authorization tacacs local + config aaa authorization local + config aaa accounting tacacs local + config aaa accounting local +``` + + - Counter command +``` + show tacacs counter + sonic-clear tacacscounters +``` + +## 2.2 Config DB + - TACACS AAA are fully configable by config DB. + +## 2.3 Counter + - Support AAA counter: +``` + show tacacs counter + + server1: 10.1.1.45 + Messages sent: 24 + Messages received: 20 + Requests accepted: 14 + Requests rejected: 8 + Requests timeout: 2 + Requests retransmitted: 1 + Bad responses: 1 +``` + +## 2.4 Syslog + - Generate syslog when Authentication/Authorization/Accounting. + - When remote TACACS server not accessible from SONiC, use syslog for accounting. + + +# 3 Limitation +## 3.1 Command size + - TACACS protocol limittation: command + parameter size should smaller than 240 byte. The longer than 240 bytes parts will be drop. + - This limitation is a protocol level, all TACACS implementation have this limittation, include CISCO, ARISTA and Cumulus. + - Both Authorization and Accounting have this limitation. + - When user user a command longer than 240 bytes, only commands within 240 bytes will send to TACACS server. which means Accounting may lost some user input. and Authorization check can only partly check user input. + + +## 3.2 Server count + - Max TACACS server count was hardcoded, default count is 8. + +# 4 Design +## 4.1 Authentication + - For Authentication design detail please check [TACACS+ Authentication](#TACPLUS-Authentication) +## 4.2 Authorization +### 4.2.1 Implementation + - [ Bash](#bash) will be patched to support plugin when user execute disk command. + - A bash plugin to support TACACS+ authorization. 
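Review bot: `config aaa authorization tacacs local` needs its semantics defined in 2.1: the natural reading of "tacacs local" is the failover in 1.2 (server first, local groups only when the server is unreachable), but it could also be read as "either source may grant", which would make every server reject overridable locally; the same applies to `config aaa accounting tacacs local`. Also "patched to support plugin when user execute disk command" in 4.2.1 is unclear; "when bash executes an external program" (as opposed to a builtin or function) is what 1.2 describes.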
+ - Use TACACS+ setting from TACACS+ authentication. + - Use libtac library from [pam_tacplus](#pam_tacplus) for TACACS+ protocol. + +The following figure show how Bash plugin work with TACACS+ server. +``` + +-------+ +---------+ + | SSH | | Console | + +---+---+ +----+----+ + | | ++----------v-----------v---------+ +---------------------+ +| Bash | | | +| | | | +| +-------------------------+ | | | +| | TACACS+ plugin +----------> TACACS+ server | +| +-------------------------+ | | | +| | | | +| | | | ++---------------+----------------+ +---------------------+ +``` + +Following is the sequence of events during TACACS+ authoriztaion user command: + +``` +SSH/Console SONiC Device TACACS+ Server + /bin/Bash Bash Plugin +---------------------------------------------------------------------- + + | | | | + | | | | + | User Command(1) | | | + +---------------->| | | + | | | | + | +---------------->| | + | | | Authorization | + | | | Request(2) | + | | +------------------->| + | | | | + | | | Authorization | + | | | Result(3) | + | | |--------------------+ + | | | | + | |<----------------+ | + | | | | + | | | | + | Success(4) | | | + |<----------------| | | + | | | | + +``` + +### 4.2.2 ConfigDB Schema + - The hostcfg enforcer reads data from configDB to configure host environment. + - The AAA config module in hostcfg enforcer is responsible for modifying Bash configuration files in host. + - For how TACACS+ config file update please check [TACACS+ Authentication](#TACPLUS-Authentication) + +The following figure show how Bash config an TACACS+ config update by ConfigDB. 
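Review bot: the plugin lives inside the user's own bash process ("Bash Plugin" in the sequence diagram) and will "Use TACACS+ setting from TACACS+ authentication", i.e. the server list and shared secret; if that configuration is readable by the login user, every user can read the TACACS+ secret, and with libtac they can talk to the server directly or decode captured traffic. The design should state the privilege boundary: either the secret file is root-only and requests go through a privileged helper, or the exposure is recorded as a limitation in section 3. Relatedly, an unprivileged in-process hook cannot stop the user from replacing the shell (the 1.2 bullet exempting builtins covers `exec`), so the enforcement claim should be scoped accordingly.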
+``` + +-------+ +---------+ + | SSH | | Console | + +---+---+ +----+----+ + | | ++----------v-----------v---------+ +---------------------+ +| Bash | | | +| +-------------------------+ | | +--------------+ | +| | Bash config file <-------------+ Authorization| | +| | | | | | Config | | +| +-------------------------+ | | +--------------+ | +| | | | +| +-------------------------+ | | +--------------+ | +| | TACACS+ config file <-------------+ AAA Config | | +| +-------------------------+ | | +--------------+ | +| | | | +| | | HostCfg Enforcer | ++---------------+----------------+ +----------^----------+ + | + +---------+ +-------+--------+ + | | | | + | CLI +----------------------> ConifgDB | + | | | | + +---------+ +----------------+ +``` + +### 4.2.3 CLI + - The existing TACACS+ server config command will not change. + - Add following command to enable/disable TACACS+ authorizarion. +``` + config aaa authorization tacacs local + config aaa authorization local +``` + + - When config AAA authorization with "no" prefix, SONiC will use local authorization, so following commands have same effect +``` + no config aaa authorization tacacs local + no config aaa authorization local + config aaa authorization local +``` + +## 4.3 Accounting +### 4.3.1 Implementation +### 4.3.2 ConfigDB Schema +### 4.3.3 CLI + +# 5 Error handling +[TODO]: add more detail. + +# 6 Serviceability and Debug +[TODO]: add more detail. + +# 7 Unit Test +## 7.1 Unit test for source code +[TODO]: add more detail. +## 7.2 End to end test +[TODO]: add more detail. +## 7.3 Backward compatibility test +[TODO]: add more detail. 
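Review bot: the negated forms `no config aaa authorization tacacs local` / `no config aaa authorization local` do not match the click-style `config ...` commands used everywhere else in this document, and the text says they are equivalent to `config aaa authorization local` anyway; drop them or document the actual subcommand. 4.3.1 to 4.3.3 are empty headings, which is fine for a draft but should carry a [TODO] like sections 5 to 7 so a reader does not take "Accounting: Implementation" as intentionally blank. Typo in the diagram: "ConifgDB".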
+ +# 8 References +## RFC8907 +https://datatracker.ietf.org/doc/html/rfc8907 +## TACACS+ Authentication +https://github.com/Azure/SONiC/blob/master/doc/aaa/TACACS%2B%20Authentication.md +## Bash +https://www.gnu.org/software/bash/html +## pam_tacplus +https://github.com/kravietz/pam_tacplus +## auditd +http://man7.org/linux/man-pages/man8/auditd.8.html +## audisp-tacplus +https://github.com/daveolson53/audisp-tacplus diff --git a/doc/aaa/TACACS+ Requirement.md b/doc/aaa/TACACS+ Requirement.md deleted file mode 100644 index 30c73fea71..0000000000 --- a/doc/aaa/TACACS+ Requirement.md +++ /dev/null 
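Review bot: the Bash reference `https://www.gnu.org/software/bash/html` looks truncated; the earlier requirement text cited `https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html`, so the manual root is the URL to keep. auditd and audisp-tacplus are listed but nothing in the body references them yet (4.3 Accounting is empty); cite them from 4.3 when it is written or leave them out until then. The TOC entries for these references have stray leading spaces ("[ RFC8907]", "[ Bash]").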
@@ -1,130 +0,0 @@ -# SONiC TACACS+ Protocol Requirement - -# Table of Contents -- [Table of Contents](#table-of-contents) -- [About this Manual](#about-this-manual) -- [1 Functional Requirements](#1-functional-requirement) - * [1.1 Authentication](#11-authentication) - * [1.2 Authorization](#12-authorization) - * [1.3 Accounting](#13-accounting) - * [1.4 User script](#14-user-script) - * [1.5 Docker support](#15-docker-support) - * [1.6 Multiple TACACS server](#16-multiple-tacas-server) -- [2 Configuration and Management Requirements](#2-configuration-and-management-requirements) - * [2.1 SONiC CLI](#21-sonic-cli) - * [2.2 Config DB](#22-config-db) - * [2.3 Counter](#23-counter) - * [2.4 System log](#24-system-log) -- [3 Limitation](#limitation) - * [3.1 Command size](#31-command-size) - * [3.2 Server count](#32-server-count) - -# About this Manual -This document provides a detailed description on the requirement of TACACS+ protocol support. - -# 1 Functional Requirement -## 1.1 Authentication -- Authentication when user login to SONiC host. - - -## 1.2 Authorization -- Authorization when: - - User login to SONiC host. - - User run any executable file or script on SONiC host. - - The full path and parameters will be send to TACACS+ server side for authorization. - - For recursive command/script, only the top level command have authorization. - - No authorization for bash builtin command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. - -- Supported Authorization types: - - EXEC: user session authorization support. this happen when user login. - - Command: user run command in shell. - -- Failover: - - Authorization will happen before execute, if remote TACACS server not available, use local group based authorization as failover. - - -## 1.3 Accounting - - Accounting is the action of recording what a user is doing, and/or has done. 
- - - Following event will be accounted: - - User login to SONiC host. - - User logout. - - User run command on host: - - Command start run. - - Command finish. - - For recursive command/script, only the top level command have Accounting. - -- Failover: - - Use syslog as backup when remote TACACS not not accessible from SONiC. - - -## 1.4 User script - - User can create and run their own script. - - If user create a script but TACACS+ service side not have configuration to allow user run this script, user script will be blocked by authorization. - -## 1.5 Docker support - - Docker exec command will be covered by Authorization and Accounting. - - SONiC AAA can't cover any command user run inside a docker. - -## 1.6 Multiple TACACS server - - Support config multiple TACACS server. - - When a server not available, will try next server as backup. - - When all server not accessible from SONiC, use native failover solution. - -# 2 Configuration and Management Requirements -## 2.1 SONiC CLI - - Enable/Disable TACACS Authorization/Accounting command -``` - config tacacs authorization enable - config tacacs authorization disable - config tacacs accounting enable - config tacacs accounting disable -``` - - - Whitelist management command -``` - show tacacs whitelist - config tacacs whitelist remove - config tacacs whitelist add -``` - - - Counter command -``` - show tacacs counter - sonic-clear tacacscounters -``` - -## 2.2 Config DB - - TACACS AAA are fully configable by config DB. - -## 2.3 Counter - - Support AAA counter: -``` - show tacacs counter - - server1: 10.1.1.45 - Messages sent: 24 - Messages received: 20 - Requests accepted: 14 - Requests rejected: 8 - Requests timeout: 2 - Requests retransmitted: 1 - Bad responses: 1 -``` - -## 2.4 Syslog -- Generate syslog when Authentication/Authorization/Accounting. -- When remote TACACS server not accessible from SONiC, use syslog for accounting. 
- - -# 3 Limitation -## 3.1 Command size - - TACACS protocol limittation: command + parameter size should smaller than 240 byte. The longer than 240 bytes parts will be drop. - - This limitation is a protocol level, all TACACS implementation have this limittation, include CISCO, ARISTA and Cumulus. - - Both Authorization and Accounting have this limitation. - - When user user a command longer than 240 bytes, only commands within 240 bytes will send to TACACS server. which means Accounting may lost some user input. and Authorization check can only partly check user input. - - -## 3.2 Server count - - Max TACACS server count was hardcoded, default count is 8. - From 8ce62939df45f47fc2d72b6c83199b70ee847926 Mon Sep 17 00:00:00 2001 From: liuh Date: Wed, 28 Jul 2021 16:28:36 +0800 Subject: [PATCH 07/19] Improve design document. --- doc/aaa/TACACS+ Design.md | 262 ++++++++++++++++++++++++++++++++------ 1 file changed, 220 insertions(+), 42 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index 384784e0f7..c2ae111708 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -20,14 +20,10 @@ * [3.2 Server count](#32-server-count) - [4 Design](#design) * [4.1 Authentication](#41-authentication) - * [4.2 Authorization](#42-authorization) - * [4.2.1 Implementation](#421-implementation) - * [4.2.2 ConfigDB Schema](#422-configdb-schema) - * [4.2.3 CLI](#423-cli) - * [4.3 Accounting](#43-accounting) - * [4.3.1 Implementation](#431-implementation) - * [4.3.2 ConfigDB Schema](#432-configdb-schema) - * [4.3.3 CLI](#433-cli) + * [4.2 Authorization Implementation](#42-authorization-implementation) + * [4.3 Accounting Implementation](#43-accountin-implementationg) + * [4.4 ConfigDB Schema](#44-configdb-schema) + * [4.5 CLI](#45-cli) - [5 Error handling](#error-handling) - [6 Serviceability and Debug](#serviceability-and-debug) - [7 Unit Test](#unit-test) 
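Review bot: deleting doc/aaa/TACACS+ Requirement.md in this patch drops the whitelist management commands (`show tacacs whitelist`, `config tacacs whitelist add`, `config tacacs whitelist remove`) and the `config tacacs authorization enable|disable` form without any replacement in the design document's 4.5 CLI section, which only carries `config aaa authorization ...` and `config aaa accounting ...`; the commit should say that the requirement content was folded into TACACS+ Design.md and whether the local whitelist is dropped in favour of server-side permit/deny rules, so nobody reading the history assumes the whitelist commands still exist.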
@@ -35,12 +31,12 @@ * [7.2 End to end test with testbed](#41-end-to-end-test-with-testbed) * [7.3 Backward compatibility test](#41-backward compatibility test) - [8 References](#references) - * [ RFC8907](#rfc8907) - * [ TACACS+ Authentication](#tacacs+-Authentication) - * [ Bash](#bash) + * [RFC8907](#rfc8907) + * [TACACS+ Authentication](#tacacs+-Authentication) + * [Bash](#bash) * [pam_tacplus](#pam_tacplus) - * [ Auditd](#auditd) - * [ audisp-tacplus](#audisp-tacplus) + * [Auditd](#auditd) + * [audisp-tacplus](#audisp-tacplus) # About this Manual This document provides a detailed description on the requirement and design of TACACS+ protocol support. @@ -63,8 +59,17 @@ This document provides a detailed description on the requirement and design of T - EXEC: user session authorization support. this happen when user login. - Command: user run command in shell. +- Support to set the local authorization and TACACS+ authorization. + - If set both local and TACACS+ authorization, TACACS+ authorization must happened before local authorization. + - If TACACS+ authorization passed but local authorization failed, user can't run the command. This limitation because SONiC is a Linux based system, and local authorization using Linux permission control. + +- Authorization for root is only specified in local. + - Failover: - - Authorization will happen before execute, if remote TACACS server not available, use local group based authorization as failover. + - If a TACACS+ server authorization fails, the next TACACS+ server authorization will be performed. + - When all remote TACACS+ server not accessible, TACACS+ authorization will failed. + - When set TACACS+ as only authorization method, if all TACACS+ server not accessible, user cannot run any command on SONiC device. + ## 1.3 Accounting - Accounting is the action of recording what a user is doing, and/or has done. 
@@ -100,9 +105,8 @@ This document provides a detailed description on the requirement and design of T ## 2.1 SONiC CLI - Enable/Disable TACACS Authorization/Accounting command ``` - config aaa authorization tacacs local - config aaa authorization local - config aaa accounting tacacs local + config aaa authorization {local | tacacs+} + config aaa accounting {local | tacacs+} config aaa accounting local ``` @@ -149,12 +153,14 @@ This document provides a detailed description on the requirement and design of T # 4 Design ## 4.1 Authentication - For Authentication design detail please check [TACACS+ Authentication](#TACPLUS-Authentication) -## 4.2 Authorization -### 4.2.1 Implementation - - [ Bash](#bash) will be patched to support plugin when user execute disk command. + +## 4.2 Authorization Implementation + - Pam_tacplus will provide Authorization for account management, for more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) + - [Bash](#bash) will be patched to support plugin when user execute disk command. - A bash plugin to support TACACS+ authorization. - - Use TACACS+ setting from TACACS+ authentication. - - Use libtac library from [pam_tacplus](#pam_tacplus) for TACACS+ protocol. + - Use TACACS+ setting from TACACS+ authentication. + - Use libtac library from [pam_tacplus](#pam_tacplus) for TACACS+ protocol. + - Bash configration file for root user not enable this plugin, root user only use local Authorization. The following figure show how Bash plugin work with TACACS+ server. ``` 
@@ -203,18 +209,13 @@ SSH/Console SONiC Device TACACS+ Server ``` -### 4.2.2 ConfigDB Schema - The hostcfg enforcer reads data from configDB to configure host environment. - The AAA config module in hostcfg enforcer is responsible for modifying Bash configuration files in host. - For how TACACS+ config file update please check [TACACS+ Authentication](#TACPLUS-Authentication) -The following figure show how Bash config an TACACS+ config update by ConfigDB. +The following figure show how Bash config and TACACS+ config update by ConfigDB. ``` - +-------+ +---------+ - | SSH | | Console | - +---+---+ +----+----+ - | | -+----------v-----------v---------+ +---------------------+ ++--------------------------------+ +---------------------+ | Bash | | | | +-------------------------+ | | +--------------+ | | | Bash config file <-------------+ Authorization| | @@ -226,8 +227,8 @@ The following figure show how Bash config an TACACS+ config update by ConfigDB. | +-------------------------+ | | +--------------+ | | | | | | | | HostCfg Enforcer | -+---------------+----------------+ +----------^----------+ - | ++--------------------------------+ +----------^----------+ + | +---------+ +-------+--------+ | | | | | CLI +----------------------> ConifgDB | 
@@ -235,14 +236,91 @@ The following figure show how Bash config an TACACS+ config update by ConfigDB. +---------+ +----------------+ ``` -### 4.2.3 CLI +## 4.3 Accounting Implementation + - [Auditd](#auditd) will enable on SONiC to provide syscall event for accounting. + - [audisp-tacplus](#audisp-tacplus) is a Auditd plugin that support TACACS+ Acounting (user command). + - Pam_tacplus will provide session accounting, for more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) + +The following figure show how audisp-tacplus work with TACACS+ server. +``` + +-----------------+ + | Syscall Event | + +-------+---------+ + | ++----------------v---------------+ +---------------------+ +| Auditd | | | +| | | | +| +-------------------------+ | | | +| | audisp-tacplus +----------> TACACS+ server | +| +-------------------------+ | | | +| | | | +| | | | ++---------------+----------------+ +---------------------+ +``` + + + - The hostcfg enforcer reads data from configDB to configure host environment. + - The AAA config module in hostcfg enforcer is responsible for modifying Auditd configuration files in host. + - For how TACACS+ config file update please check [TACACS+ Authentication](#TACPLUS-Authentication) + +The following figure show how Auditd config an TACACS+ config update by ConfigDB. 
+``` ++--------------------------------+ +---------------------+ +| Auditd | | | +| +-------------------------+ | | +--------------+ | +| | Auditd config file <-------------+ Accounting | +| | | | | | Config | | +| +-------------------------+ | | +--------------+ | +| | | | +| +-------------------------+ | | +--------------+ | +| | TACACS+ config file <-------------+ AAA Config | | +| +-------------------------+ | | +--------------+ | +| | | | +| | | HostCfg Enforcer | ++--------------------------------+ +----------^----------+ + | + +---------+ +-------+--------+ + | | | | + | CLI +----------------------> ConifgDB | + | | | | + +---------+ +----------------+ +``` + + +## 4.4 ConfigDB Schema + - TACACS+ Authorization and Accounting will use existing tables + - AAA Table. + - TACPLUS Table + - TACPLUS_SERVER Table. + + - For more detail of existing tables, please check [TACACS+ Authentication](#TACPLUS-Authentication) + +## 4.5 CLI - The existing TACACS+ server config command will not change. - Add following command to enable/disable TACACS+ authorizarion. ``` + // authorization with TACACS+ server and local config aaa authorization tacacs local + + // authorization with TACACS+ server + config aaa authorization tacacs + + // authorization with TACACS+ local config aaa authorization local ``` + - Add following command to enable/disable TACACS+ accounting. +``` + // accounting with TACACS+ server and local syslog + config aaa accounting tacacs local + + // accounting with TACACS+ server + config aaa accounting tacacs + + // accounting with local syslog + config aaa accounting local +``` + - When config AAA authorization with "no" prefix, SONiC will use local authorization, so following commands have same effect ``` no config aaa authorization tacacs local 
@@ -250,24 +328,124 @@ The following figure show how Bash config an TACACS+ config update by ConfigDB. config aaa authorization local ``` -## 4.3 Accounting -### 4.3.1 Implementation -### 4.3.2 ConfigDB Schema -### 4.3.3 CLI - + - When config AAA accounting with "no" prefix, SONiC will use stop accounting, following command have same effect. +``` + no config aaa authorization tacacs local + no config aaa authorization tacacs + no config aaa authorization local +``` # 5 Error handling -[TODO]: add more detail. + - Bash plugin for authorization will return error code [Bash](#bash). and patched Bash will: + - Output error log to syslog. + - Output error message to stdout. + - [audisp-tacplus](#audisp-tacplus) will return errors as per [Auditd](#auditd) respectively. # 6 Serviceability and Debug -[TODO]: add more detail. + - The Bash plugin and [audisp-tacplus](#audisp-tacplus) can be debugged by enabling the debug +field of the AAA|authentication key. (Please see ConfigDB AAA Table +Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). # 7 Unit Test ## 7.1 Unit test for source code -[TODO]: add more detail. + - All patch code in Bash and Bash plugin should have 100% code coverage. + - Bash plugin test, all TACACS+ server not reachable test: +``` + Verify TACACS+ authorization failed. +``` + + - Bash plugin test, partial TACACS+ server accessable, and user command config as allowed on all server. +``` + Verify TACACS+ authorization passed. +``` + + - Bash plugin test, partial TACACS+ server accessable, and user command config as reject on all server. +``` + Verify TACACS+ authorization rejected. +``` + + - Bash plugin test, partial TACACS+ server accessable, and user command config as reject on accessable server, and allow on not accessable server. +``` + Verify TACACS+ authorization rejected. +``` + + - Bash plugin test, partial TACACS+ server accessable, and user command config as allow on accessable server, and reject on not accessable server. 
+``` + Verify TACACS+ authorization passed. +``` + + - [audisp-tacplus](#audisp-tacplus) test, all TACACS+ server accessable. +``` + Verify TACACS+ accounting succeeded. +``` + + - [audisp-tacplus](#audisp-tacplus) test, all TACACS+ server not accessable. +``` + Verify plugin return correct error code. +``` + + - [audisp-tacplus](#audisp-tacplus) test, partial TACACS+ server accessable. +``` + Verify TACACS+ accounting succeeded. +``` + + - [audisp-tacplus](#audisp-tacplus) test, user command longer than 240 bytes. +``` + Verify TACACS+ accounting succeeded. + Verify only 240 bytes of user command send to TACACS+ server side. +``` + + - [audisp-tacplus](#audisp-tacplus) test, user command+parameter longer than 240 bytes. +``` + Verify TACACS+ accounting succeeded. + Verify only 240 bytes of user command+parameter send to TACACS+ server side. +``` + ## 7.2 End to end test -[TODO]: add more detail. + +- config aaa authorization with TACACS+ only: +``` + Verify TACACS+ user run command in server side whitelist: + If command have local permission, user can run command. + If command not have local permission, user can't run command. + Verify TACACS+ user can't run command not in server side whitelist. +``` + +- config aaa authorization with TACACS+ and local: +``` + Verify TACACS+ user run command in server side whitelist: + If command have local permission, user can run command. + If command not have local permission, user can't run command. + Verify TACACS+ user can't run command not in server side whitelist. +``` + +- config aaa authorization with TACACS+ only and server not accessable: +``` + Verify TACACS+ user can't run any command. +``` + +- config aaa authorization with TACACS+ and local, but server not accessable: +``` + Verify TACACS+ user can run command not in server side whitelist but have permission in local. + Verify TACACS+ user can't run command in server side whitelist but not have permission in local. 
+``` + +- config aaa authorization with local: +``` + Verify TACACS+ user can run command if have permission in local. + Verify TACACS+ user can't run command if not have permission in local. +``` + +[TODO]: add more test case. + ## 7.3 Backward compatibility test -[TODO]: add more detail. + +- config disable aaa authorization: +``` + Verify TACACS+ user can run command if have permission in local. + Verify TACACS+ user can't run command if not have permission in local. +``` + +[TODO]: add more test case. # 8 References ## RFC8907 From 39e13769aeb5ffba1e8530d9aa02b9748523e11d Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Thu, 29 Jul 2021 13:24:08 +0800 Subject: [PATCH 08/19] Update design document. --- doc/aaa/TACACS+ Design.md | 117 ++++++++++++++++++++++++++++---------- 1 file changed, 88 insertions(+), 29 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index c2ae111708..eeddd52aa9 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -14,10 +14,11 @@ * [2.1 SONiC CLI](#21-sonic-cli) * [2.2 Config DB](#22-config-db) * [2.3 Counter](#23-counter) - * [2.4 System log](#24-system-log) + * [2.4 Syslog](#24-syslog) - [3 Limitation](#limitation) * [3.1 Command size](#31-command-size) * [3.2 Server count](#32-server-count) + * [3.3 Local authorization](#32-local-authorization) - [4 Design](#design) * [4.1 Authentication](#41-authentication) * [4.2 Authorization Implementation](#42-authorization-implementation) @@ -37,6 +38,7 @@ * [pam_tacplus](#pam_tacplus) * [Auditd](#auditd) * [audisp-tacplus](#audisp-tacplus) + * [tacplus-auth](#tacplus-auth) # About this Manual This document provides a detailed description on the requirement and design of TACACS+ protocol support. 
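Review bot: the 2.1 SONiC CLI hunk changes the syntax to `config aaa authorization {local | tacacs+}` and `config aaa accounting {local | tacacs+}`, but 4.5 CLI in the same patch documents `config aaa authorization tacacs local` and `config aaa authorization tacacs` (no `+`, and a two-method form the braces cannot express); settle on one grammar and use it in both places, and remove the `config aaa accounting local` line left under the new form, which now duplicates it. In the 4.5 "no" prefix block for accounting, all three examples read `no config aaa authorization ...` where `accounting` is meant, and both ConfigDB figures label the box `ConifgDB`.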
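Review bot: the Failover bullets added to 1.2 say that with TACACS+ as the only authorization method, loss of all servers means `user cannot run any command on SONiC device`, but nothing in the section says how an operator recovers; the only hint is in 4.2, where root's Bash configuration does not enable the plugin. State the break-glass path (root, a local admin account, or the console) next to the failover rule and add a 7.2 case that exercises it, because as written a TACACS+ outage reads as a full management lock-out of the device.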
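Review bot: the 7.1 hunk only tests the 240-byte truncation for audisp-tacplus accounting, while 3.1 says authorization has the same limit and `can only partly check user input`; add a Bash plugin case for a command plus parameters longer than 240 bytes and state in 3.1 what the plugin does with input past the boundary, since a server permit rule that only sees the first 240 bytes cannot deny arguments placed after it.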
@@ -51,25 +53,25 @@ This document provides a detailed description on the requirement and design of T - Authorization when: - User login to SONiC host. - User run any executable file or script on SONiC host. - - The full path and parameters will be send to TACACS+ server side for authorization. - - For recursive command/script, only the top level command have authorization. - - No authorization for bash builtin command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. + - The full path and parameters will be send to TACACS+ server side for authorization. + - For recursive command/script, only the top level command have authorization. + - No authorization for bash builtin command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. + - Commands entered through the console not have authorization by default. - Supported Authorization types: - - EXEC: user session authorization support. this happen when user login. - - Command: user run command in shell. + - EXEC: user session authorization support. this happen when user login. + - Command: user run command in shell. - Support to set the local authorization and TACACS+ authorization. - - If set both local and TACACS+ authorization, TACACS+ authorization must happened before local authorization. - - If TACACS+ authorization passed but local authorization failed, user can't run the command. This limitation because SONiC is a Linux based system, and local authorization using Linux permission control. - -- Authorization for root is only specified in local. + - Local authorization method is based on Linux permission control. + - Local authorization can't be disabled, and must be the last authorization method, for detail please check [3.3 Local authorization](#32-local-authorization) + - Authorization for root and admin can only specified as local. 
+ - TACACS+ authorization method will send to TACACS+ server for authorization, TACACS+ server should setup permit/deny rules. - Failover: - - If a TACACS+ server authorization fails, the next TACACS+ server authorization will be performed. + - If a TACACS+ server not accessable, the next TACACS+ server authorization will be performed. - When all remote TACACS+ server not accessible, TACACS+ authorization will failed. - - When set TACACS+ as only authorization method, if all TACACS+ server not accessible, user cannot run any command on SONiC device. - + - When set TACACS+ as the only authorization method, if all TACACS+ server not accessible, user cannot run any command on SONiC device. ## 1.3 Accounting - Accounting is the action of recording what a user is doing, and/or has done. 
@@ -141,21 +143,23 @@ This document provides a detailed description on the requirement and design of T # 3 Limitation ## 3.1 Command size - - TACACS protocol limittation: command + parameter size should smaller than 240 byte. The longer than 240 bytes parts will be drop. + - TACACS protocol limitation: command + parameter size should smaller than 240 byte. The longer than 240 bytes parts will be drop. - This limitation is a protocol level, all TACACS implementation have this limittation, include CISCO, ARISTA and Cumulus. - Both Authorization and Accounting have this limitation. - When user user a command longer than 240 bytes, only commands within 240 bytes will send to TACACS server. which means Accounting may lost some user input. and Authorization check can only partly check user input. - ## 3.2 Server count - Max TACACS server count was hardcoded, default count is 8. +## 3.1 Local authorization + - Operation system limitation: SONiC based on linux system, so permission to execute local command are managed by Linux file permission control. This means TACACS+ authorization can't config to disable 'local' authorization, and local authorization must be last authorization in authorization method list. + # 4 Design ## 4.1 Authentication - - For Authentication design detail please check [TACACS+ Authentication](#TACPLUS-Authentication) + - For Authentication design, please check [TACACS+ Authentication](#TACPLUS-Authentication) ## 4.2 Authorization Implementation - - Pam_tacplus will provide Authorization for account management, for more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) + - Pam_tacplus will provide Authorization for login (account management), please check [TACACS+ Authentication](#TACPLUS-Authentication) - [Bash](#bash) will be patched to support plugin when user execute disk command. - A bash plugin to support TACACS+ authorization. - Use TACACS+ setting from TACACS+ authentication. 
@@ -211,7 +215,7 @@ SSH/Console SONiC Device TACACS+ Server - The hostcfg enforcer reads data from configDB to configure host environment. - The AAA config module in hostcfg enforcer is responsible for modifying Bash configuration files in host. - - For how TACACS+ config file update please check [TACACS+ Authentication](#TACPLUS-Authentication) + - For how TACACS+ config file update, please check [TACACS+ Authentication](#TACPLUS-Authentication) The following figure show how Bash config and TACACS+ config update by ConfigDB. ``` @@ -236,10 +240,14 @@ The following figure show how Bash config and TACACS+ config update by ConfigDB. +---------+ +----------------+ ``` + - [tacplus-auth](#tacplus-auth) is another open source project for TACACS+ authorization, not use this solution because following limitation: + - Using symbol link for command authorization, need create new symbol link in local and update remote server to support new command. + - Using rbash to restrict user can only access symbol linked commands, which also disable some useful bash feature. + ## 4.3 Accounting Implementation - [Auditd](#auditd) will enable on SONiC to provide syscall event for accounting. - [audisp-tacplus](#audisp-tacplus) is a Auditd plugin that support TACACS+ Acounting (user command). - - Pam_tacplus will provide session accounting, for more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) + - Pam_tacplus will provide session accounting, please check [TACACS+ Authentication](#TACPLUS-Authentication) The following figure show how audisp-tacplus work with TACACS+ server. ``` 
@@ -261,7 +269,7 @@ The following figure show how audisp-tacplus work with TACACS+ server. - The hostcfg enforcer reads data from configDB to configure host environment. - The AAA config module in hostcfg enforcer is responsible for modifying Auditd configuration files in host. - - For how TACACS+ config file update please check [TACACS+ Authentication](#TACPLUS-Authentication) + - For how TACACS+ config file update, please check [TACACS+ Authentication](#TACPLUS-Authentication) The following figure show how Auditd config an TACACS+ config update by ConfigDB. ``` @@ -294,7 +302,7 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB - TACPLUS_SERVER Table. - For more detail of existing tables, please check [TACACS+ Authentication](#TACPLUS-Authentication) - + ## 4.5 CLI - The existing TACACS+ server config command will not change. - Add following command to enable/disable TACACS+ authorizarion. @@ -410,7 +418,12 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can't run command not in server side whitelist. ``` -- config aaa authorization with TACACS+ and local: +- config aaa authorization with TACACS+ only and all server not accessable: +``` + Verify TACACS+ user can't run any command. +``` + +- config aaa authorization with TACACS+ only and some server not accessable: ``` Verify TACACS+ user run command in server side whitelist: If command have local permission, user can run command. 
@@ -418,9 +431,12 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can't run command not in server side whitelist. ``` -- config aaa authorization with TACACS+ only and server not accessable: +- config aaa authorization with TACACS+ and local: ``` - Verify TACACS+ user can't run any command. + Verify TACACS+ user run command in server side whitelist: + If command have local permission, user can run command. + If command not have local permission, user can't run command. + Verify TACACS+ user can't run command not in server side whitelist. ``` - config aaa authorization with TACACS+ and local, but server not accessable: 
@@ -435,17 +451,58 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can't run command if not have permission in local. ``` -[TODO]: add more test case. +- config aaa accounting with TACACS+ only: +``` + Verify TACACS+ server have user command record. + Verify TACACS+ server not have any command record which not run by user. +``` + +- config aaa accounting with TACACS+ only and all server not accessable: +``` + Verify local user still can run command without any issue. +``` + +- config aaa accounting with TACACS+ only and some server not accessable: +``` + Verify syslog have user command record. + Verify syslog not have any command record which not run by user. +``` + +- config aaa accounting with TACACS+ and local: +``` + Verify TACACS+ server and syslog have user command record. + Verify TACACS+ server and syslog not have any command record which not run by user. +``` + +- config aaa accounting with TACACS+ and local, but all server not accessable: +``` + Verify TACACS+ user can run command not in server side whitelist but have permission in local. + Verify TACACS+ user can't run command in server side whitelist but not have permission in local. +``` + +- config aaa accounting with local: +``` + Verify syslog have user command record. + Verify syslog not have any command record which not run by user. +``` + ## 7.3 Backward compatibility test -- config disable aaa authorization: +- config disable aaa authorization and accounting: ``` - Verify TACACS+ user can run command if have permission in local. - Verify TACACS+ user can't run command if not have permission in local. + Verify GME user can login to device successfully. + Verify GME user can run command if have permission in local. + Verify GME user can login to device successfully. + Verify admin user can login to device successfully. + Verify admin user can run command if have permission in local. + Verify admin user can't run command if not have permission in local. 
``` -[TODO]: add more test case. +- config enable aaa authorization and accounting, and run all existing aaa authencation test case: +``` + Verify all test case not break. +``` # 8 References ## RFC8907 @@ -460,3 +517,5 @@ https://github.com/kravietz/pam_tacplus http://man7.org/linux/man-pages/man8/auditd.8.html ## audisp-tacplus https://github.com/daveolson53/audisp-tacplus +## tacplus-auth +https://github.com/daveolson53/tacplus-auth From ecc6f3e988fba4c0e7429196dae51364b18a90fa Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Thu, 29 Jul 2021 16:40:41 +0800 Subject: [PATCH 09/19] Fix section numbers. --- doc/aaa/TACACS+ Design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index eeddd52aa9..35a113d8e3 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -151,7 +151,7 @@ This document provides a detailed description on the requirement and design of T ## 3.2 Server count - Max TACACS server count was hardcoded, default count is 8. -## 3.1 Local authorization +## 3.3 Local authorization - Operation system limitation: SONiC based on linux system, so permission to execute local command are managed by Linux file permission control. This means TACACS+ authorization can't config to disable 'local' authorization, and local authorization must be last authorization in authorization method list. # 4 Design From ef48e3db38177902bf8b9a09c0df99b573bcb41c Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Thu, 29 Jul 2021 17:44:32 +0800 Subject: [PATCH 10/19] Improve document. --- doc/aaa/TACACS+ Design.md | 81 ++++++++++++++++++++------------------- 1 file changed, 42 insertions(+), 39 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index 35a113d8e3..6ec1402601 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md 
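Review bot: in the 7.2 accounting hunk, the case `config aaa accounting with TACACS+ and local, but all server not accessable` asserts on server-side whitelist permissions (`Verify TACACS+ user can run command not in server side whitelist but have permission in local.`), which are the authorization expectations copied from the case above; for accounting the expectation should be that the user can still run commands and that syslog holds the record. In the same hunk, `accounting with TACACS+ only and some server not accessable` expects the record in syslog although local accounting is not selected in that mode, so either the reachable TACACS+ server should hold the record or the accounting failover text needs to say syslog is always used when a server is unreachable.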
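Review bot: the 7.3 hunk introduces `GME user` without defining it anywhere in the document and repeats `Verify GME user can login to device successfully.` twice; use `TACACS+ user` as 7.2 does (or expand the acronym), and replace the duplicate with the negative case the admin block has, `can't run command if not have permission in local`.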
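Review bot: the TOC entry added in patch 08, `[3.3 Local authorization](#32-local-authorization)`, still points at a non-existent anchor after this section-number fix; the heading is now `## 3.3 Local authorization`, so the link should be `#33-local-authorization`. The same TOC also carries `[4.3 Accounting Implementation](#43-accountin-implementationg)`, `[7.2 End to end test with testbed](#41-end-to-end-test-with-testbed)` and `[7.3 Backward compatibility test](#41-backward compatibility test)` from patch 07, none of which match their headings.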
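Review bot: the 1.2 hunk keeps `For recursive command/script, only the top level command have authorization` and `No authorization for bash built-in command and bash function` and adds `Commands entered through the console not have authorization by default`; together these mean that any permitted executable that can spawn programs (another shell, an interpreter such as python, an editor with a shell escape) gives the user unchecked execution of everything beneath it, and the console is exempt entirely. Say this explicitly in 1.2 or under 3 Limitation, so that the server-side permit rules are written with it in mind, and note that the console exemption is a deliberate trust of physical access rather than an oversight.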
@@ -55,7 +55,7 @@ This document provides a detailed description on the requirement and design of T - User run any executable file or script on SONiC host. - The full path and parameters will be send to TACACS+ server side for authorization. - For recursive command/script, only the top level command have authorization. - - No authorization for bash builtin command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. + - No authorization for bash built-in command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. - Commands entered through the console not have authorization by default. - Supported Authorization types: @@ -69,7 +69,7 @@ This document provides a detailed description on the requirement and design of T - TACACS+ authorization method will send to TACACS+ server for authorization, TACACS+ server should setup permit/deny rules. - Failover: - - If a TACACS+ server not accessable, the next TACACS+ server authorization will be performed. + - If a TACACS+ server not accessible, the next TACACS+ server authorization will be performed. - When all remote TACACS+ server not accessible, TACACS+ authorization will failed. - When set TACACS+ as the only authorization method, if all TACACS+ server not accessible, user cannot run any command on SONiC device. @@ -119,7 +119,7 @@ This document provides a detailed description on the requirement and design of T ``` ## 2.2 Config DB - - TACACS AAA are fully configable by config DB. + - TACACS AAA are fully configurable by config DB. ## 2.3 Counter - Support AAA counter: 
@@ -144,7 +144,7 @@ This document provides a detailed description on the requirement and design of T # 3 Limitation ## 3.1 Command size - TACACS protocol limitation: command + parameter size should smaller than 240 byte. The longer than 240 bytes parts will be drop. - - This limitation is a protocol level, all TACACS implementation have this limittation, include CISCO, ARISTA and Cumulus. + - This limitation is a protocol level, all TACACS implementation have this limitation, include CISCO, ARISTA and Cumulus. - Both Authorization and Accounting have this limitation. - When user user a command longer than 240 bytes, only commands within 240 bytes will send to TACACS server. which means Accounting may lost some user input. and Authorization check can only partly check user input. @@ -152,7 +152,7 @@ This document provides a detailed description on the requirement and design of T - Max TACACS server count was hardcoded, default count is 8. ## 3.3 Local authorization - - Operation system limitation: SONiC based on linux system, so permission to execute local command are managed by Linux file permission control. This means TACACS+ authorization can't config to disable 'local' authorization, and local authorization must be last authorization in authorization method list. + - Operation system limitation: SONiC based on Linux system, so permission to execute local command are managed by Linux file permission control. This means when enable both TACACS+ authorization and local authorization, local authorization will always happen after TACACS+ authorization. # 4 Design ## 4.1 Authentication 
@@ -164,7 +164,7 @@ This document provides a detailed description on the requirement and design of T - A bash plugin to support TACACS+ authorization. - Use TACACS+ setting from TACACS+ authentication. - Use libtac library from [pam_tacplus](#pam_tacplus) for TACACS+ protocol. - - Bash configration file for root user not enable this plugin, root user only use local Authorization. + - Bash configuration file for root user not enable this plugin, root user only use local Authorization. The following figure show how Bash plugin work with TACACS+ server. ``` @@ -183,7 +183,7 @@ The following figure show how Bash plugin work with TACACS+ server. +---------------+----------------+ +---------------------+ ``` -Following is the sequence of events during TACACS+ authoriztaion user command: +Following is the sequence of events during TACACS+ authorization user command: ``` SSH/Console SONiC Device TACACS+ Server @@ -246,7 +246,7 @@ The following figure show how Bash config and TACACS+ config update by ConfigDB. ## 4.3 Accounting Implementation - [Auditd](#auditd) will enable on SONiC to provide syscall event for accounting. - - [audisp-tacplus](#audisp-tacplus) is a Auditd plugin that support TACACS+ Acounting (user command). + - [audisp-tacplus](#audisp-tacplus) is a Auditd plugin that support TACACS+ Accounting (user command). - Pam_tacplus will provide session accounting, please check [TACACS+ Authentication](#TACPLUS-Authentication) The following figure show how audisp-tacplus work with TACACS+ server. @@ -305,7 +305,7 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB ## 4.5 CLI - The existing TACACS+ server config command will not change. - - Add following command to enable/disable TACACS+ authorizarion. + - Add following command to enable/disable TACACS+ authorization. ``` // authorization with TACACS+ server and local config aaa authorization tacacs local 
@@ -329,23 +329,19 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB config aaa accounting local ``` - - When config AAA authorization with "no" prefix, SONiC will use local authorization, so following commands have same effect + - Following command will disable authorization. ``` - no config aaa authorization tacacs local - no config aaa authorization local config aaa authorization local ``` - - When config AAA accounting with "no" prefix, SONiC will use stop accounting, following command have same effect. + - Following command will disable accounting ``` - no config aaa authorization tacacs local - no config aaa authorization tacacs - no config aaa authorization local + config aaa authorization disable ``` # 5 Error handling - Bash plugin for authorization will return error code [Bash](#bash). and patched Bash will: - Output error log to syslog. - - Output error message to stdout. + - Output error message to stderr. - [audisp-tacplus](#audisp-tacplus) will return errors as per [Auditd](#auditd) respectively. # 6 Serviceability and Debug 
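Review bot: the accounting subsection of this hunk shows the wrong command; under "Following command will disable accounting" the new line is `config aaa authorization disable`, which is the authorization command, so it should read `config aaa accounting disable`. The same hunk also deletes the `no ...` forms without saying whether the "no" prefix is still accepted for backward compatibility, which 7.3 should then cover. The stdout-to-stderr change for the Bash error message is correct, since the plugin's denial text must not be mixed into command output that a script may capture.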
@@ -361,37 +357,37 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ authorization failed. ``` - - Bash plugin test, partial TACACS+ server accessable, and user command config as allowed on all server. + - Bash plugin test, partial TACACS+ server accessible, and user command config as allowed on all server. ``` Verify TACACS+ authorization passed. ``` - - Bash plugin test, partial TACACS+ server accessable, and user command config as reject on all server. + - Bash plugin test, partial TACACS+ server accessible, and user command config as reject on all server. ``` Verify TACACS+ authorization rejected. ``` - - Bash plugin test, partial TACACS+ server accessable, and user command config as reject on accessable server, and allow on not accessable server. + - Bash plugin test, partial TACACS+ server accessible, and user command config as reject on accessible server, and allow on not accessible server. ``` Verify TACACS+ authorization rejected. ``` - - Bash plugin test, partial TACACS+ server accessable, and user command config as allow on accessable server, and reject on not accessable server. + - Bash plugin test, partial TACACS+ server accessible, and user command config as allow on accessible server, and reject on not accessible server. ``` Verify TACACS+ authorization passed. ``` - - [audisp-tacplus](#audisp-tacplus) test, all TACACS+ server accessable. + - [audisp-tacplus](#audisp-tacplus) test, all TACACS+ server accessible. ``` Verify TACACS+ accounting succeeded. ``` - - [audisp-tacplus](#audisp-tacplus) test, all TACACS+ server not accessable. + - [audisp-tacplus](#audisp-tacplus) test, all TACACS+ server not accessible. ``` Verify plugin return correct error code. ``` - - [audisp-tacplus](#audisp-tacplus) test, partial TACACS+ server accessable. + - [audisp-tacplus](#audisp-tacplus) test, partial TACACS+ server accessible. ``` Verify TACACS+ accounting succeeded. ``` 
@@ -410,7 +406,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). ## 7.2 End to end test -- config aaa authorization with TACACS+ only: +- config AAA authorization with TACACS+ only: ``` Verify TACACS+ user run command in server side whitelist: If command have local permission, user can run command. @@ -418,12 +414,16 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can't run command not in server side whitelist. ``` -- config aaa authorization with TACACS+ only and all server not accessable: +- config AAA authorization with TACACS+ only: + - when user login server are accessible. + - user run some command in whitelist and server are accessible. + - then all server not accessible, and run some command ``` - Verify TACACS+ user can't run any command. + Verify when server are accessible, TACACS+ user can run command in server side whitelist. + Verify when server are not accessible, TACACS+ user can't run any command. ``` -- config aaa authorization with TACACS+ only and some server not accessable: +- config AAA authorization with TACACS+ only and some server not accessible: ``` Verify TACACS+ user run command in server side whitelist: If command have local permission, user can run command. @@ -431,7 +431,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can't run command not in server side whitelist. ``` -- config aaa authorization with TACACS+ and local: +- config AAA authorization with TACACS+ and local: ``` Verify TACACS+ user run command in server side whitelist: If command have local permission, user can run command. 
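Review bot: the renamed second test case now carries the same title as the first one, "config AAA authorization with TACACS+ only:", so the two cases are indistinguishable in a report; keep the distinguishing suffix, e.g. "config AAA authorization with TACACS+ only, all servers become inaccessible after login:". The added preconditions ("when user login server are accessible", "then all server not accessible") are the right shape, since they separate session authorization at login from per-command authorization afterwards.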
@@ -439,48 +439,51 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can't run command not in server side whitelist. ``` -- config aaa authorization with TACACS+ and local, but server not accessable: +- config AAA authorization with TACACS+ and local, but server not accessible: ``` Verify TACACS+ user can run command not in server side whitelist but have permission in local. Verify TACACS+ user can't run command in server side whitelist but not have permission in local. ``` -- config aaa authorization with local: +- config AAA authorization with local: ``` Verify TACACS+ user can run command if have permission in local. Verify TACACS+ user can't run command if not have permission in local. ``` -- config aaa accounting with TACACS+ only: +- config AAA accounting with TACACS+ only: ``` Verify TACACS+ server have user command record. Verify TACACS+ server not have any command record which not run by user. ``` -- config aaa accounting with TACACS+ only and all server not accessable: +- config AAA accounting with TACACS+ only: + - when user login server are accessible. + - user run some command in whitelist and server are accessible. + - then all server not accessible, and run some command ``` Verify local user still can run command without any issue. ``` -- config aaa accounting with TACACS+ only and some server not accessable: +- config AAA accounting with TACACS+ only and some server not accessible: ``` Verify syslog have user command record. Verify syslog not have any command record which not run by user. ``` -- config aaa accounting with TACACS+ and local: +- config AAA accounting with TACACS+ and local: ``` Verify TACACS+ server and syslog have user command record. Verify TACACS+ server and syslog not have any command record which not run by user. 
``` -- config aaa accounting with TACACS+ and local, but all server not accessable: +- config AAA accounting with TACACS+ and local, but all server not accessible: ``` Verify TACACS+ user can run command not in server side whitelist but have permission in local. Verify TACACS+ user can't run command in server side whitelist but not have permission in local. ``` -- config aaa accounting with local: +- config AAA accounting with local: ``` Verify syslog have user command record. Verify syslog not have any command record which not run by user. @@ -489,7 +492,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). ## 7.3 Backward compatibility test -- config disable aaa authorization and accounting: +- config disable AAA authorization and accounting: ``` Verify GME user can login to device successfully. Verify GME user can run command if have permission in local. @@ -499,7 +502,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify admin user can't run command if not have permission in local. ``` -- config enable aaa authorization and accounting, and run all existing aaa authencation test case: +- config enable AAA authorization and accounting, and run all existing AAA authentication test case: ``` Verify all test case not break. ``` From 241e35d7d6b3d2b75774acc0754d653943bf7add Mon Sep 17 00:00:00 2001 From: liuh Date: Wed, 4 Aug 2021 14:27:01 +0800 Subject: [PATCH 11/19] Update document according to EOS AAA behavior. --- doc/aaa/TACACS+ Design.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index 6ec1402601..ed4c94fe7f 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md 
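Review bot: the expected results under "config AAA accounting with TACACS+ and local, but all server not accessible:" are copied from the authorization tests ("Verify TACACS+ user can run command not in server side whitelist but have permission in local", "... can't run command in server side whitelist but not have permission in local") and do not check accounting at all; an accounting test with unreachable servers should verify that the command still runs and that syslog has the command record, matching the "some server not accessible" case above it. The same hunk also renames the "all server not accessible" accounting case to the bare title "config AAA accounting with TACACS+ only:", duplicating the preceding case's title.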
@@ -65,9 +65,11 @@ This document provides a detailed description on the requirement and design of T - Support to set the local authorization and TACACS+ authorization. - Local authorization method is based on Linux permission control. - Local authorization can't be disabled, and must be the last authorization method, for detail please check [3.3 Local authorization](#32-local-authorization) - - Authorization for root and admin can only specified as local. + - When TACACS+ server not accessible, TACACS+ authorization will failed, then: + - If user login as local user, for example root or admin user, then local authorization will allow user run command with Linux permission control. + - If user login as TACACS+ user, for example domain user, then local authorization will disabled, and user can't run any command. - TACACS+ authorization method will send to TACACS+ server for authorization, TACACS+ server should setup permit/deny rules. - + - Failover: - If a TACACS+ server not accessible, the next TACACS+ server authorization will be performed. - When all remote TACACS+ server not accessible, TACACS+ authorization will failed. From dc8e5e0da17f87da52bd71ffff6b19d883eab8a7 Mon Sep 17 00:00:00 2001 From: liuh Date: Fri, 6 Aug 2021 15:12:23 +0800 Subject: [PATCH 12/19] Improve document. --- doc/aaa/TACACS+ Design.md | 163 ++++++++++++++++++++------------------ 1 file changed, 86 insertions(+), 77 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index ed4c94fe7f..6bf4cb0ce6 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md 
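Review bot: the added bullet "If user login as TACACS+ user ... then local authorization will disabled, and user can't run any command" contradicts the unchanged line two above it, "Local authorization can't be disabled, and must be the last authorization method"; one of the two needs rewording, e.g. "local authorization still runs but a TACACS+ user has no local permissions, so no command is allowed", or the "can't be disabled" claim should be qualified to local accounts. The cross-reference "[3.3 Local authorization](#32-local-authorization)" also points at the 3.2 anchor instead of 3.3.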
@@ -1,15 +1,14 @@ -# SONiC TACACS+ protocol Design +# SONiC TACACS+ improve # Table of Contents - [Table of Contents](#table-of-contents) - [About this Manual](#about-this-manual) - [1 Functional Requirements](#1-functional-requirement) - * [1.1 Authentication](#11-authentication) - * [1.2 Authorization](#12-authorization) - * [1.3 Accounting](#13-accounting) - * [1.4 User script](#14-user-script) - * [1.5 Docker support](#15-docker-support) - * [1.6 Multiple TACACS server](#16-multiple-tacas-server) + * [1.1 User command authorization](#11-user-command-authorization) + * [1.2 User command accounting](#12-user-command-accounting) + * [1.3 User script](#13-user-script) + * [1.4 Docker support](#14-docker-support) + * [1.5 Multiple TACACS server](#15-multiple-tacas-server) - [2 Configuration and Management Requirements](#2-configuration-and-management-requirements) * [2.1 SONiC CLI](#21-sonic-cli) * [2.2 Config DB](#22-config-db) @@ -28,9 +27,9 @@ - [5 Error handling](#error-handling) - [6 Serviceability and Debug](#serviceability-and-debug) - [7 Unit Test](#unit-test) - * [7.1 Unit test for source code](#41-unit-test-for-source-code) - * [7.2 End to end test with testbed](#41-end-to-end-test-with-testbed) - * [7.3 Backward compatibility test](#41-backward compatibility test) + * [7.1 Unit test for source code](#71-unit-test-for-source-code) + * [7.2 End to end test with testbed](#72-end-to-end-test-with-testbed) + * [7.3 Backward compatibility test](#73-backward compatibility test) - [8 References](#references) * [RFC8907](#rfc8907) * [TACACS+ Authentication](#tacacs+-Authentication) 
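Review bot: two of the rewritten TOC anchors will not resolve: "#15-multiple-tacas-server" misspells the heading ("tacacs"), and "#73-backward compatibility test" contains spaces where the generated anchor uses hyphens. The 7.x anchors were corrected from the copy-pasted "#41-..." values, so the same pass should cover these two.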
@@ -41,66 +40,65 @@ * [tacplus-auth](#tacplus-auth) # About this Manual -This document provides a detailed description on the requirement and design of TACACS+ protocol support. +This document is beased on [TACACS+ Authentication](#TACPLUS-Authentication), and provides a detailed description on the new features for improve TACACS+ support. -# 1 Functional Requirement -## 1.1 Authentication -- Authentication when user login to SONiC host. -- For more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) - - -## 1.2 Authorization -- Authorization when: - - User login to SONiC host. - - User run any executable file or script on SONiC host. - - The full path and parameters will be send to TACACS+ server side for authorization. - - For recursive command/script, only the top level command have authorization. - - No authorization for bash built-in command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. - - Commands entered through the console not have authorization by default. - -- Supported Authorization types: - - EXEC: user session authorization support. this happen when user login. - - Command: user run command in shell. - -- Support to set the local authorization and TACACS+ authorization. - - Local authorization method is based on Linux permission control. - - Local authorization can't be disabled, and must be the last authorization method, for detail please check [3.3 Local authorization](#32-local-authorization) - - When TACACS+ server not accessible, TACACS+ authorization will failed, then: - - If user login as local user, for example root or admin user, then local authorization will allow user run command with Linux permission control. - - If user login as TACACS+ user, for example domain user, then local authorization will disabled, and user can't run any command. 
- - TACACS+ authorization method will send to TACACS+ server for authorization, TACACS+ server should setup permit/deny rules. - -- Failover: - - If a TACACS+ server not accessible, the next TACACS+ server authorization will be performed. - - When all remote TACACS+ server not accessible, TACACS+ authorization will failed. - - When set TACACS+ as the only authorization method, if all TACACS+ server not accessible, user cannot run any command on SONiC device. + - SONiC currently supported TACACS+ features: + - Authentication. + - User session authorization. + - User session accounting. + - User command authorization with local permission. + + - New features: + - User command authorization with TACACS+ server. + - User command accounting with TACACS+ server. -## 1.3 Accounting +# 1 Functional Requirement +## 1.1 User command authorization + - Authorization when user run any executable file or script on SONiC host. + - The full path and parameters will be send to TACACS+ server side for authorization. + - For recursive command/script, only the top level command have authorization. + - No authorization for bash built-in command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. + + - TACACS+ authorization is configurable: + - TACACS+ authorization can be enable/disable. + - TACACS+ authorization method will communicate with TACACS+ server for authorization, TACACS+ server should setup permit/deny rules. + + - Failover: + - If a TACACS+ server not accessible, the next TACACS+ server authorization will be performed. + - When all remote TACACS+ server not accessible, TACACS+ authorization will failed. + - When TACACS+ authorization failed, fallover is configurable: + - Disable local authorization as failover, then user can't run any command. + - Enable local authorization as failover, then user can run command with local authorization. 
+ - For local authorization, please check [TACACS+ Authentication](#TACPLUS-Authentication). + +## 1.2 User command accounting - Accounting is the action of recording what a user is doing, and/or has done. - Following event will be accounted: - - User login to SONiC host. - - User logout. - - User run command on host: - - Command start run. - - Command finish. + - Command start event. + - Command finish event. + + - User command in Docker will not be accounted. + - User command in docker actually run by docker service, so we can't identify if command are run by user or system service. -- User command in Docker will not be accounted. - - User command in docker actually run by docker service, so we can't identify if command are run by user or system service. - -- Failover: - - Use syslog as backup when remote TACACS not not accessible from SONiC. + - Support TACACS+ accounting and local accounting: + - TACACS+ will send event to TACACS+ server, and communication will be encrypted, for more detail please check [RFC8907](#rfc8907). + - Local accounting will save event to syslog. + - Both TACACS+ accounting and local accounting are configurable. + - User secrets not exist in accounting event: + - Use regex in /etc/sudoers PASSWD_CMDS to identify user secrets. + - User secret will be replaced with ***. -## 1.4 User script +## 1.3 User script - User can create and run their own script. - If user create a script but TACACS+ service side not have configuration to allow user run this script, user script will be blocked by authorization. -## 1.5 Docker support +## 1.4 Docker support - Docker exec command will be covered by Authorization and Accounting. - Any command run inside docker container will not covered by Authorization and Accounting. -## 1.6 Multiple TACACS server +## 1.5 Multiple TACACS server - Support config multiple TACACS server. - When a server not accessible, will try next server as backup. 
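Review bot: the accounting bullet "TACACS+ will send event to TACACS+ server, and communication will be encrypted, for more detail please check [RFC8907]" overstates the protocol; RFC 8907 defines body obfuscation keyed on the shared secret and its security considerations state that this is not encryption and should not be relied on for confidentiality, so the line should say "obfuscated with the shared secret" and note that the transport itself needs protection. On the secret redaction bullets ("Use regex in /etc/sudoers PASSWD_CMDS to identify user secrets", "User secret will be replaced with ***"): any command whose secret argument is not matched by a PASSWD_CMDS pattern is recorded verbatim on the server, so the section should state that the pattern list must be maintained alongside the command whitelist. Also "beased" in the About paragraph.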
- When all server not accessible from SONiC, use native failover solution. @@ -110,8 +108,7 @@ This document provides a detailed description on the requirement and design of T - Enable/Disable TACACS Authorization/Accounting command ``` config aaa authorization {local | tacacs+} - config aaa accounting {local | tacacs+} - config aaa accounting local + config aaa accounting {local | tacacs+ | disable} ``` - Counter command @@ -157,11 +154,7 @@ This document provides a detailed description on the requirement and design of T - Operation system limitation: SONiC based on Linux system, so permission to execute local command are managed by Linux file permission control. This means when enable both TACACS+ authorization and local authorization, local authorization will always happen after TACACS+ authorization. # 4 Design -## 4.1 Authentication - - For Authentication design, please check [TACACS+ Authentication](#TACPLUS-Authentication) - -## 4.2 Authorization Implementation - - Pam_tacplus will provide Authorization for login (account management), please check [TACACS+ Authentication](#TACPLUS-Authentication) +## 4.1 Authorization Implementation - [Bash](#bash) will be patched to support plugin when user execute disk command. - A bash plugin to support TACACS+ authorization. - Use TACACS+ setting from TACACS+ authentication. 
@@ -246,7 +239,7 @@ The following figure show how Bash config and TACACS+ config update by ConfigDB. - Using symbol link for command authorization, need create new symbol link in local and update remote server to support new command. - Using rbash to restrict user can only access symbol linked commands, which also disable some useful bash feature. -## 4.3 Accounting Implementation +## 4.2 Accounting Implementation - [Auditd](#auditd) will enable on SONiC to provide syscall event for accounting. - [audisp-tacplus](#audisp-tacplus) is a Auditd plugin that support TACACS+ Accounting (user command). - Pam_tacplus will provide session accounting, please check [TACACS+ Authentication](#TACPLUS-Authentication) @@ -278,7 +271,7 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB +--------------------------------+ +---------------------+ | Auditd | | | | +-------------------------+ | | +--------------+ | -| | Auditd config file <-------------+ Accounting | +| | Auditd config file <-------------+ Accounting | | | | | | | | Config | | | +-------------------------+ | | +--------------+ | | | | | 
@@ -297,17 +290,38 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB ``` -## 4.4 ConfigDB Schema - - TACACS+ Authorization and Accounting will use existing tables +## 4.3 ConfigDB Schema + - Existing tables, for more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) - AAA Table. - TACPLUS Table - TACPLUS_SERVER Table. - - For more detail of existing tables, please check [TACACS+ Authentication](#TACPLUS-Authentication) + - New Tables + - Bash_Plugin Table schema +``` +; Key +plugin_key = 1*256VCHAR ; Plugin name. +; Attributes +type = 1*32VCHAR ; Bash plugin type, currently only support 'execve' plugin. +path = 1*4096VCHAR ; Bash plugin path. +``` -## 4.5 CLI + - Auditd_Syscall_Config Table schema +``` +; Key +audit_key = 1*32VCHAR ; Audit rule name +; Attributes +action = "always" / "never" ; Action type, for more detail, please check [Auditd](#auditd). +list = LIST(1*32VCHAR) ; List type, for more detail, please check [Auditd](#auditd). +syscall = LIST(1*32VCHAR) ; Syscall list, for more detail, please check [Auditd](#auditd). +filter = LIST(1*32VCHAR) ; Filter list, for more detail, please check [Auditd](#auditd). +keyname = 1*32VCHAR ; key name, for more detail, please check [Auditd](#auditd). +``` + + +## 4.4 CLI - The existing TACACS+ server config command will not change. - - Add following command to enable/disable TACACS+ authorization. + - Add following command to enable/disable authorization. ``` // authorization with TACACS+ server and local config aaa authorization tacacs local @@ -319,7 +333,7 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB config aaa authorization local ``` - - Add following command to enable/disable TACACS+ accounting. + - Add following command to enable/disable accounting. ``` // accounting with TACACS+ server and local syslog config aaa accounting tacacs local 
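Review bot: the new Bash_Plugin table makes the plugin location a free-form ConfigDB attribute (`path = 1*4096VCHAR ; Bash plugin path.`), which means anyone with write access to ConfigDB can point every login shell at an arbitrary shared object; either constrain the schema to a fixed plugin directory, or state that the plugin set is fixed by the image and the table is read-only from the CLI. The Auditd_Syscall_Config table has the same property for audit rules (`action = "always" / "never"`), where a ConfigDB write could silently turn accounting off, so the doc should say which role may change these tables and whether those changes are themselves accounted.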
@@ -331,14 +345,9 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB config aaa accounting local ``` - - Following command will disable authorization. -``` - config aaa authorization local -``` - - Following command will disable accounting ``` - config aaa authorization disable + config aaa accounting disable ``` # 5 Error handling - Bash plugin for authorization will return error code [Bash](#bash). and patched Bash will: From e06e901dc4e67456073a6b6942f7cb918ba12838 Mon Sep 17 00:00:00 2001 From: liuh Date: Wed, 18 Aug 2021 10:55:26 +0800 Subject: [PATCH 13/19] Fix typo --- doc/aaa/TACACS+ Design.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index 6bf4cb0ce6..aebe7940cc 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -40,7 +40,7 @@ * [tacplus-auth](#tacplus-auth) # About this Manual -This document is beased on [TACACS+ Authentication](#TACPLUS-Authentication), and provides a detailed description on the new features for improve TACACS+ support. +This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and provides a detailed description on the new features for improve TACACS+ support. - SONiC currently supported TACACS+ features: - Authentication. From e8da9bc26d29312ecf395aef1ec5842656871da7 Mon Sep 17 00:00:00 2001 From: liuh Date: Thu, 19 Aug 2021 14:40:48 +0800 Subject: [PATCH 14/19] Improve document according to review feedback. --- doc/aaa/TACACS+ Design.md | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index aebe7940cc..bf944fa9a6 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md 
@@ -121,7 +121,7 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and - TACACS AAA are fully configurable by config DB. ## 2.3 Counter - - Support AAA counter: + - Support AAA counter, this will be low priority: ``` show tacacs counter @@ -159,7 +159,6 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and - A bash plugin to support TACACS+ authorization. - Use TACACS+ setting from TACACS+ authentication. - Use libtac library from [pam_tacplus](#pam_tacplus) for TACACS+ protocol. - - Bash configuration file for root user not enable this plugin, root user only use local Authorization. The following figure show how Bash plugin work with TACACS+ server. ``` @@ -209,7 +208,7 @@ SSH/Console SONiC Device TACACS+ Server ``` - The hostcfg enforcer reads data from configDB to configure host environment. - - The AAA config module in hostcfg enforcer is responsible for modifying Bash configuration files in host. + - The AAA config module in hostcfg enforcer is responsible for modifying Bash configuration files in host. this will be low priority. - For how TACACS+ config file update, please check [TACACS+ Authentication](#TACPLUS-Authentication) The following figure show how Bash config and TACACS+ config update by ConfigDB. @@ -263,7 +262,7 @@ The following figure show how audisp-tacplus work with TACACS+ server. - The hostcfg enforcer reads data from configDB to configure host environment. - - The AAA config module in hostcfg enforcer is responsible for modifying Auditd configuration files in host. + - The AAA config module in hostcfg enforcer is responsible for modifying Auditd configuration files in host. this will be low priority. - For how TACACS+ config file update, please check [TACACS+ Authentication](#TACPLUS-Authentication) The following figure show how Auditd config an TACACS+ config update by ConfigDB. 
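Review bot: the @@ -159 hunk deletes "Bash configuration file for root user not enable this plugin, root user only use local Authorization." without a replacement, so the document no longer says whether root (or other local accounts) loads the authorization plugin at all; keep a sentence in 4.1 describing how root sessions are handled, since that is the failover path an operator relies on when every TACACS+ server is unreachable. Minor: the appended "this will be low priority." starts a new sentence in lowercase in two places.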
@@ -292,11 +291,19 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB ## 4.3 ConfigDB Schema - Existing tables, for more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) - - AAA Table. - TACPLUS Table - TACPLUS_SERVER Table. + - AAA Table (updated). +``` +; Key +aaa_key = 1*32VCHAR ; AAA type "authentication"/"authorization"/"accounting" +; Attributes +protocol = LIST(1*32VCHAR) ; AAA protocol, now only support (local, tacacs+) +fallback = "True" / "False" ; fallback mechanism for pam modules +failthrough = "True" / "False" ; failthrough mechanism for pam modules +``` - - New Tables + - New Tables (low priority) - Bash_Plugin Table schema ``` ; Key @@ -329,7 +336,7 @@ keyname = 1*32VCHAR ; key name, for more detail, please check // authorization with TACACS+ server config aaa authorization tacacs - // authorization with TACACS+ local + // authorization with local, disable tacacs authorization config aaa authorization local ``` @@ -454,12 +461,14 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). ``` Verify TACACS+ user can run command not in server side whitelist but have permission in local. Verify TACACS+ user can't run command in server side whitelist but not have permission in local. + Verify Local user can login, and run command with local permission. ``` - config AAA authorization with local: ``` Verify TACACS+ user can run command if have permission in local. Verify TACACS+ user can't run command if not have permission in local. + Verify Local user can login, and run command with local permission. ``` - config AAA accounting with TACACS+ only: From 4cf058112038f4a77488249f9ac5ebe08ada413c Mon Sep 17 00:00:00 2001 From: liuh Date: Wed, 22 Sep 2021 08:54:54 +0800 Subject: [PATCH 15/19] Improve document according to community review. --- doc/aaa/TACACS+ Design.md | 44 ++++++++++++--------------------------- 1 file changed, 13 insertions(+), 31 deletions(-) 
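Review bot: the updated AAA table adds `fallback = "True" / "False"` and `failthrough = "True" / "False"` described only as "mechanism for pam modules", but section 1.1 says the local failover for command authorization is configurable ("Disable local authorization as failover" / "Enable local authorization as failover") without naming the attribute that controls it; the schema comment should say which of these two flags, or which `protocol` list order, the Bash plugin reads for the command-authorization failover, since the PAM meaning of failthrough and the command-level meaning are not the same decision.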
diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index bf944fa9a6..e917090042 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -70,7 +70,9 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and - Disable local authorization as failover, then user can't run any command. - Enable local authorization as failover, then user can run command with local authorization. - For local authorization, please check [TACACS+ Authentication](#TACPLUS-Authentication). - + - When user login with local account, TACACS+ authentication and authorization will disabled for current user. + - After login, user can run command with local authorization. + - When all TACACS+ server not accessible, user can login with this method. ## 1.2 User command accounting - Accounting is the action of recording what a user is doing, and/or has done. @@ -92,7 +94,10 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and ## 1.3 User script - User can create and run their own script. - - If user create a script but TACACS+ service side not have configuration to allow user run this script, user script will be blocked by authorization. + - User may run script with interpreter commands: + - python ./userscript.txt + - sh ./usershellscript.txt + - Allow user create and run script may cause potensial security issue, so TACACS+ server side should setup rules correctly, for example, block RO user run any user script. ## 1.4 Docker support - Docker exec command will be covered by Authorization and Accounting. 
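Review bot: the added bullet "When user login with local account, TACACS+ authentication and authorization will disabled for current user" describes a complete bypass of TACACS+ command authorization for every local account, so it belongs in section 3 Limitation as well as 1.1, and should say whether command accounting still applies to those sessions; the doc should also recommend keeping the set of local accounts minimal for that reason. In 1.3, "potensial" should be "potential", and the example interpreter invocations ("python ./userscript.txt", "sh ./usershellscript.txt") are exactly why a server-side rule that blocks only the script path is insufficient, so the sentence should say the rules must cover the interpreters, not just the scripts.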
@@ -303,29 +308,6 @@ fallback = "True" / "False" ; fallback mechanism for pam modules failthrough = "True" / "False" ; failthrough mechanism for pam modules ``` - - New Tables (low priority) - - Bash_Plugin Table schema -``` -; Key -plugin_key = 1*256VCHAR ; Plugin name. -; Attributes -type = 1*32VCHAR ; Bash plugin type, currently only support 'execve' plugin. -path = 1*4096VCHAR ; Bash plugin path. -``` - - - Auditd_Syscall_Config Table schema -``` -; Key -audit_key = 1*32VCHAR ; Audit rule name -; Attributes -action = "always" / "never" ; Action type, for more detail, please check [Auditd](#auditd). -list = LIST(1*32VCHAR) ; List type, for more detail, please check [Auditd](#auditd). -syscall = LIST(1*32VCHAR) ; Syscall list, for more detail, please check [Auditd](#auditd). -filter = LIST(1*32VCHAR) ; Filter list, for more detail, please check [Auditd](#auditd). -keyname = 1*32VCHAR ; key name, for more detail, please check [Auditd](#auditd). -``` - - ## 4.4 CLI - The existing TACACS+ server config command will not change. - Add following command to enable/disable authorization. 
@@ -514,12 +496,12 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). - config disable AAA authorization and accounting: ``` - Verify GME user can login to device successfully. - Verify GME user can run command if have permission in local. - Verify GME user can login to device successfully. - Verify admin user can login to device successfully. - Verify admin user can run command if have permission in local. - Verify admin user can't run command if not have permission in local. + Verify domain account can login to device successfully. + Verify domain account can run command if have permission in local. + Verify domain account can login to device successfully. + Verify local admin account can login to device successfully. + Verify local admin account can run command if have permission in local. + Verify local admin account can't run command if not have permission in local. ``` - config enable AAA authorization and accounting, and run all existing AAA authentication test case: From 1bec8fc2de049ef319bbea4a5ef6e80d26105e85 Mon Sep 17 00:00:00 2001 From: liuh Date: Wed, 22 Sep 2021 10:18:30 +0800 Subject: [PATCH 16/19] Improve document according review comments. --- doc/aaa/TACACS+ Design.md | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index e917090042..ea78b98c54 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -7,8 +7,7 @@ * [1.1 User command authorization](#11-user-command-authorization) * [1.2 User command accounting](#12-user-command-accounting) * [1.3 User script](#13-user-script) - * [1.4 Docker support](#14-docker-support) - * [1.5 Multiple TACACS server](#15-multiple-tacas-server) + * [1.4 Multiple TACACS server](#14-multiple-tacas-server) - [2 Configuration and Management Requirements](#2-configuration-and-management-requirements) * [2.1 SONiC CLI](#21-sonic-cli) * [2.2 Config DB](#22-config-db) 
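Review bot: the rewritten 7.3 case lists "Verify domain account can login to device successfully." twice (lines one and three of the block); the original had the same duplicate for "GME user", so this rename was the chance to drop it. Terminology change from "GME user" to "domain account" and "admin user" to "local admin account" is an improvement, since it matches the local/TACACS+ distinction introduced in 1.1.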
@@ -18,6 +17,8 @@ * [3.1 Command size](#31-command-size) * [3.2 Server count](#32-server-count) * [3.3 Local authorization](#32-local-authorization) + * [3.4 Docker support](#34-docker-support) + * [3.5 Recursive commands](#35-recursive-commands) - [4 Design](#design) * [4.1 Authentication](#41-authentication) * [4.2 Authorization Implementation](#42-authorization-implementation) @@ -97,14 +98,11 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and - User may run script with interpreter commands: - python ./userscript.txt - sh ./usershellscript.txt - - Allow user create and run script may cause potensial security issue, so TACACS+ server side should setup rules correctly, for example, block RO user run any user script. + - Allow user create and run script may cause potensial security issue, so suggest administrator setup rules from TACACS+ server side to block RO user create and run script. -## 1.4 Docker support - - Docker exec command will be covered by Authorization and Accounting. - - Any command run inside docker container will not covered by Authorization and Accounting. - -## 1.5 Multiple TACACS server +## 1.4 Multiple TACACS server - Support config multiple TACACS server. + - First server in the list will be primary server. - When a server not accessible, will try next server as backup. - When all server not accessible from SONiC, use native failover solution. 
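Review bot: the 1.3 rewording turns a requirement ('TACACS+ server side should setup rules correctly, for example, block RO user run any user script') into advice ('suggest administrator setup rules'); since 1.1 authorizes only the top-level command, an interpreter invocation is a complete bypass of the server-side whitelist, so keep this as a stated limitation plus a hard requirement on server-side rules rather than a suggestion. In the 1.4 hunk, 'First server in the list will be primary server' should say how that order is derived, because TACPLUS_SERVER entries live in a ConfigDB table and a table has no list order. Minor: the TOC entry for 3.3 still links to '#32-local-authorization' instead of '#33-local-authorization'.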
@@ -158,6 +156,19 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and ## 3.3 Local authorization - Operation system limitation: SONiC based on Linux system, so permission to execute local command are managed by Linux file permission control. This means when enable both TACACS+ authorization and local authorization, local authorization will always happen after TACACS+ authorization. +## 3.4 Docker support + - Any command run inside docker container will not covered by Authorization and Accounting. + - Docker exec command will be covered by Authorization and Accounting. + - Administrator may setup TACACS+ rules to block docker exec command for RO user: + - user can start a interactive shell on the docker container, then run command inside container to evade TACACS+ authorization and accounting. + +## 3.5 Recursive commands + - Many linux command allow user start a harmless process and run another command from it, administrator may setup TACACS+ rules from server side to block user from: + - Run another shell. + - Run interpreter, for example python. + - Run loader, for example /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 + - Run find/VI command which can run other commands inside it. + # 4 Design ## 4.1 Authorization Implementation - [Bash](#bash) will be patched to support plugin when user execute disk command. From 4d1660cc88002aff64e6228b63b5f2d6b59d6031 Mon Sep 17 00:00:00 2001 From: liuh Date: Wed, 22 Sep 2021 17:33:56 +0800 Subject: [PATCH 17/19] Fix PR comments. --- doc/aaa/TACACS+ Design.md | 56 ++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 19 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index ea78b98c54..bc1dcf1ff0 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -1,4 +1,4 @@ -# SONiC TACACS+ improve +# SONiC TACACS+ improvement # Table of Contents - [Table of Contents](#table-of-contents) 
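Review bot: in the new 3.4 the sub-bullet 'user can start a interactive shell on the docker container, then run command inside container to evade TACACS+ authorization and accounting' is the reason for the rule, but it is nested under 'Administrator may setup TACACS+ rules to block docker exec command for RO user' as if it were a consequence; state the evasion first and the recommended rule after it. In 3.5, the enumeration (another shell, an interpreter, the loader, find/vi) cannot be complete, and a server-side deny list of known escape vectors contradicts the whitelist model in 1.1 ('user can only run commands in whitelist'); say that the list is illustrative and that the intended control is an allowlist of full paths. For 'find', note that -execdir, -ok and -okdir have the same effect as -exec, so a rule that blocks only '-exec' is not enough.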
@@ -56,9 +56,9 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and # 1 Functional Requirement ## 1.1 User command authorization - Authorization when user run any executable file or script on SONiC host. - - The full path and parameters will be send to TACACS+ server side for authorization. + - The full path and parameters will be sent to TACACS+ server side for authorization. - For recursive command/script, only the top level command have authorization. - - No authorization for bash built-in command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. + - No authorization for bash built-in command and bash function, but if a bash function call any executable file or script, those executable file or script will have authorization. - TACACS+ authorization is configurable: - TACACS+ authorization can be enable/disable. @@ -81,8 +81,9 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and - Command start event. - Command finish event. - - User command in Docker will not be accounted. - - User command in docker actually run by docker service, so we can't identify if command are run by user or system service. + - User command inside docker container will not be accounted. + - User command inside docker container actually run by docker service, so we can't identify if command are run by user or system service. + - The 'docker exec ' command will be accounted because it's not run inside docker container. - Support TACACS+ accounting and local accounting: - TACACS+ will send event to TACACS+ server, and communication will be encrypted, for more detail please check [RFC8907](#rfc8907). 
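Review bot: the 1.1 line 'No authorization for bash built-in command and bash function' needs a companion statement about built-ins that run or load code without executing a disk command: 'enable -f' loads a builtin from a shared object into the running bash, and 'source', '.' and 'eval' run script text in the current shell; external commands they launch still pass through the execve hook, but the loaded shared object does not. Say which built-ins the patched bash disables, otherwise the exemption is a documented hole in the whitelist. In the 1.2 hunk, 'The docker exec command will be accounted because it's not run inside docker container' is right, but add that the accounted record carries the complete argv (per 1.1, full path and parameters), since that record is the only audit trail for anything done inside the container.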
@@ -110,13 +111,13 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and ## 2.1 SONiC CLI - Enable/Disable TACACS Authorization/Accounting command ``` - config aaa authorization {local | tacacs+} + config aaa authorization {local | tacacs+} config aaa accounting {local | tacacs+ | disable} ``` - Counter command ``` - show tacacs counter + show tacacs+ counter sonic-clear tacacscounters ``` @@ -124,9 +125,9 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and - TACACS AAA are fully configurable by config DB. ## 2.3 Counter - - Support AAA counter, this will be low priority: + - Support AAA counter, this will be low priority: ``` - show tacacs counter + show tacacs+ counter server1: 10.1.1.45 Messages sent: 24 
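Review bot: 'show tacacs counter' becomes 'show tacacs+ counter' in both hunks, but the paired clear command stays 'sonic-clear tacacscounters' (no '+', no space), so the two halves of the counter CLI now use different naming; rename both together or state why they differ. The 2.1 synopsis also still reads 'config aaa authorization {local | tacacs+}' while 4.4 in the same patch documents a combined 'config aaa authorization tacacs+ local' form; the synopsis should list every form the command accepts.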
@@ -151,19 +152,19 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and - When user user a command longer than 240 bytes, only commands within 240 bytes will send to TACACS server. which means Accounting may lost some user input. and Authorization check can only partly check user input. ## 3.2 Server count - - Max TACACS server count was hardcoded, default count is 8. + - Max TACACS server count was hardcoded, default count is 8. ## 3.3 Local authorization - Operation system limitation: SONiC based on Linux system, so permission to execute local command are managed by Linux file permission control. This means when enable both TACACS+ authorization and local authorization, local authorization will always happen after TACACS+ authorization. ## 3.4 Docker support - - Any command run inside docker container will not covered by Authorization and Accounting. + - Any command run inside a shell in a docker container will not covered by Authorization and Accounting. - Docker exec command will be covered by Authorization and Accounting. - Administrator may setup TACACS+ rules to block docker exec command for RO user: - - user can start a interactive shell on the docker container, then run command inside container to evade TACACS+ authorization and accounting. + - user can start an interactive shell on the docker container, then run command inside container to evade TACACS+ authorization and accounting. ## 3.5 Recursive commands - - Many linux command allow user start a harmless process and run another command from it, administrator may setup TACACS+ rules from server side to block user from: + - Many linux command allow user start a harmless process and run another command from it, administrator may setup TACACS+ rules from server side to block user from: - Run another shell. - Run interpreter, for example python. - Run loader, for example /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 
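Review bot: 3.1 ('only commands within 240 bytes will send to TACACS server ... Authorization check can only partly check user input') describes a bypass, not merely a limitation: a user can pad the leading arguments past 240 bytes so that the part a server rule would deny (for example an '-exec sh' at the end of a long find command, which 3.5 says should be blocked) is never sent, and the truncated prefix is authorized. The design should fail closed and deny locally any command whose serialized form exceeds what can be sent, and the 7.x tests should include an over-length command. The same truncation lets accounting records drop the dangerous tail, so the local syslog copy should keep the full command even when the TACACS+ record is cut.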
@@ -306,7 +307,7 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB ## 4.3 ConfigDB Schema - - Existing tables, for more detail please check [TACACS+ Authentication](#TACPLUS-Authentication) + - Existing tables, for more detail please check [TACACS+ Authentication](https://github.com/Azure/SONiC/blob/master/doc/aaa/TACACS%2B%20Authentication.md#aaa-table-schema) - TACPLUS Table - TACPLUS_SERVER Table. - AAA Table (updated). @@ -324,10 +325,10 @@ failthrough = "True" / "False" ; failthrough mechanism for pam modules - Add following command to enable/disable authorization. ``` // authorization with TACACS+ server and local - config aaa authorization tacacs local + config aaa authorization tacacs+ local // authorization with TACACS+ server - config aaa authorization tacacs + config aaa authorization tacacs+ // authorization with local, disable tacacs authorization config aaa authorization local @@ -336,10 +337,10 @@ failthrough = "True" / "False" ; failthrough mechanism for pam modules - Add following command to enable/disable accounting. ``` // accounting with TACACS+ server and local syslog - config aaa accounting tacacs local + config aaa accounting tacacs+ local // accounting with TACACS+ server - config aaa accounting tacacs + config aaa accounting tacacs+ // accounting with local syslog config aaa accounting local @@ -428,7 +429,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). - config AAA authorization with TACACS+ only: - when user login server are accessible. - user run some command in whitelist and server are accessible. - - then all server not accessible, and run some command + - then all server not accessible, and run some command ``` Verify when server are accessible, TACACS+ user can run command in server side whitelist. Verify when server are not accessible, TACACS+ user can't run any command. 
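Review bot: the 4.4 comments ('authorization with TACACS+ server and local') do not say how the two decisions combine. From 3.3 (the local file-permission check always happens after the TACACS+ check) and the 7.x cases (with servers reachable a command needs both the server whitelist and local permission; with all servers unreachable local permission alone decides) the semantics is both-must-allow while a server is reachable and local-only on failover; write that next to each command in 4.4, because an operator reading 'tacacs+ local' could just as easily assume either-one-allows. Also the TACACS+-only case 'when server are not accessible, TACACS+ user can't run any command' should say whether 'any command' includes bash built-ins, which 1.1 exempts from authorization.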
@@ -502,6 +503,23 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify syslog not have any command record which not run by user. ``` +- prevent user bypass TACACS+ authorization test: + - Setup TACACS+ server side rules: + - Disable user run python, sh command. + - Disable user run find with '-exec' + - Disable user run /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 +``` + Verify user can't run script with sh/python with following command. + python ./testscript.py + Verify user can't run 'find' command with '-exec' parameter. + Verify user can run 'find' command without '-exec' parameter. + Verify user can't run command with loader: + /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 sh + Verify user can't run command with prefix/quoting: + \sh + "sh" + echo $(sh -c ls) +``` ## 7.3 Backward compatibility test From 15bd52c462fa2416d8b32c4e184b72527e07d948 Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Tue, 12 Oct 2021 13:26:08 +0800 Subject: [PATCH 18/19] Update design document. --- doc/aaa/TACACS+ Design.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index bc1dcf1ff0..eccec4be23 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md @@ -111,7 +111,7 @@ This document is based on [TACACS+ Authentication](#TACPLUS-Authentication), and ## 2.1 SONiC CLI - Enable/Disable TACACS Authorization/Accounting command ``` - config aaa authorization {local | tacacs+} + config aaa authorization {local | tacacs+ | local tacacs+} config aaa accounting {local | tacacs+ | disable} ``` @@ -424,6 +424,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). If command have local permission, user can run command. If command not have local permission, user can't run command. Verify TACACS+ user can't run command not in server side whitelist. + Verify Local user can't login. ``` - config AAA authorization with TACACS+ only: 
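Review bot: the bypass test keys its server rules on command names ('Disable user run python, sh command') while 1.1 says the full path and parameters are sent for authorization; the test should state the exact path each rule matches and cover the other spellings a user can type that resolve to an equivalent binary (python3, an absolute path, a symlink), otherwise a rule written against 'python' proves nothing about what the server actually receives. Because the rule is path-based, a deny rule is also defeated by copying the binary to a writable directory and running the copy ('cp /bin/sh ~/x; ~/x' arrives at the server as a new full path), which is why the test should assert that unknown paths are denied by default rather than that known ones are blocked. The quoting cases (\sh, "sh", $(sh -c ls)) are good. Separately, the 2.1 hunk now reads '{local | tacacs+ | local tacacs+}' while 4.4 documents 'config aaa authorization tacacs+ local'; pick one argument order (or say both are accepted) and state whether order has meaning.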
@@ -441,6 +442,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). If command have local permission, user can run command. If command not have local permission, user can't run command. Verify TACACS+ user can't run command not in server side whitelist. + Verify Local user can't login. ``` - config AAA authorization with TACACS+ and local: @@ -449,6 +451,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). If command have local permission, user can run command. If command not have local permission, user can't run command. Verify TACACS+ user can't run command not in server side whitelist. + Verify Local user can't login. ``` - config AAA authorization with TACACS+ and local, but server not accessible: @@ -456,6 +459,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can run command not in server side whitelist but have permission in local. Verify TACACS+ user can't run command in server side whitelist but not have permission in local. Verify Local user can login, and run command with local permission. + Verify after Local user login, then server accessible, Local user still can run command with local permission. ``` - config AAA authorization with local: From 92ea017a0cffb8fbf91081c8ec16c8712a21e9a0 Mon Sep 17 00:00:00 2001 From: liuh-80 <58683130+liuh-80@users.noreply.github.com> Date: Tue, 19 Oct 2021 17:32:53 +0800 Subject: [PATCH 19/19] Add comments for AAA table 'login' attribute name issue. --- doc/aaa/TACACS+ Design.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/aaa/TACACS+ Design.md b/doc/aaa/TACACS+ Design.md index eccec4be23..6d4cbabf52 100644 --- a/doc/aaa/TACACS+ Design.md +++ b/doc/aaa/TACACS+ Design.md 
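Review bot: the added 'Verify after Local user login, then server accessible, Local user still can run command with local permission.' has no mirror for the TACACS+ user: since authorization is per command (1.1), a TACACS+ user who logged in and was authorized locally while all servers were down should be checked against the server whitelist again on the next command once a server is back, and a command allowed locally but not on the server should then be denied; add that case and state the intended behaviour in 1.4 where failover is described. 'Verify Local user can't login.' is added three times under authorization cases; say which step denies the login (the login authorization request for a user the server does not know) so the tester knows what to assert on.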
@@ -315,10 +315,11 @@ The following figure show how Auditd config an TACACS+ config update by ConfigDB ; Key aaa_key = 1*32VCHAR ; AAA type "authentication"/"authorization"/"accounting" ; Attributes -protocol = LIST(1*32VCHAR) ; AAA protocol, now only support (local, tacacs+) +login = LIST(1*32VCHAR) ; AAA protocol, now only support (local, tacacs+) fallback = "True" / "False" ; fallback mechanism for pam modules failthrough = "True" / "False" ; failthrough mechanism for pam modules ``` +* According to [TACACS+ Authentication](https://github.com/Azure/SONiC/blob/master/doc/aaa/TACACS%2B%20Authentication.md#aaa-table-schema), the 'login' attribute should be 'protocol' attribute , But in current SONiC [yang model](https://github.com/Azure/sonic-buildimage/blob/master/src/sonic-yang-models/yang-models/sonic-system-aaa.yang), this attribute name is 'login'. Because change the attribute name may break backward compatibility, so keep will use 'login' as attribute name. ## 4.4 CLI - The existing TACACS+ server config command will not change. @@ -459,7 +460,7 @@ Schema in [TACACS+ Authentication](#TACPLUS-Authentication)). Verify TACACS+ user can run command not in server side whitelist but have permission in local. Verify TACACS+ user can't run command in server side whitelist but not have permission in local. Verify Local user can login, and run command with local permission. - Verify after Local user login, then server accessible, Local user still can run command with local permission. + Verify after Local user login, then server becomes accessible, Local user still can run command with local permission. ``` - config AAA authorization with local:
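Review bot: the added comment on the 'login' attribute should be a plain sentence (it currently reads 'so keep will use login as attribute name'), and the schema comment 'now only support (local, tacacs+)' is incomplete because 2.1 accepts 'config aaa accounting ... disable': state how disabled accounting is represented in the AAA table (empty list, absent key, or a literal value), since a consumer that treats an absent key as 'local' would silently turn accounting back on. The yang-model link points at 'master', so the statement about the leaf name can drift; link a specific commit or quote the leaf definition.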