Administrative Roles
Junos OS enables you to define a system user to act as a specific kind of administrator for the system. You can assign an administrative role to a user by configuring a login class to have the administrative role attributes. You can assign one of the role attributes such as audit-officer crypto-officer, security-officer, ids-officer to an administrative user.
How to Design Administrative Roles
A system user can be a member of a class that allows the user to act as a specific kind of administrator for the system. Requiring a specific role to view or modify an item restricts the extent of information a user can obtain from the system. It also limits how much of the system is open to modification or observation by a user. You (the system administrator) should use the following guidelines when you are designing administrative roles:
Do not allow any user to log in to the system as
root.Restrict each user to the smallest set of privileges needed to perform the user’s duties.
Do not allow any user to belong to a login class containing the
shellpermission flag. Theshellpermission flag allows users to run thestart shellcommand from the CLI.Allow users to have rollback permissions. Rollback permissions allow users to undo an action performed by an administrator but does not allow them to commit the changes.
You can assign an administrative role to a user by configuring a login class to have the privileges required for the role. You can configure each class to allow or deny access to configuration statements and commands by name. These restrictions override and take precedence over any permission flags also configured in the class. You can assign one of the following role attributes to an administrative user:
Crypto-administrator—Allows the user to configure and monitor cryptographic data.Security-administrator—Allows the user to configure and monitor security data.Audit-administrator—Allows the user to configure and monitor audit data.IDS-administrator—Allows the user to monitor and clear the intrusion detection service (IDS) security logs.
Each role can perform the following specific management functions:
Cryptographic Administrator
Configures the cryptographic self-test.
Modifies the cryptographic security data parameters.
Audit Administrator
Configures and deletes the audit review search-and-sort feature.
Searches and sorts audit records.
Configures search and sort parameters.
Manually deletes audit logs.
Security Administrator
Invokes, determines, and modifies the cryptographic self-test behavior.
Enables, disables, determines, and modifies the audit analysis and audit selection functions, and configures the device to automatically delete audit logs.
Enables or disables security alarms.
Specifies limits for quotas on Transport Layer connections.
Specifies the limits, network identifiers, and time periods for quotas on controlled connection-oriented resources.
Specifies the network addresses permitted to use Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP).
Configures the time and date used in time stamps.
Queries, modifies, deletes, and creates the information flow or access control rules and attributes for the unauthenticated information flow security function policy (SFP), the authenticated information flow security function policy, the unauthenticated device services, and the discretionary access control policy.
Specifies initial values that override default values when object information is created under unauthenticated information flow SFP, the authenticated information flow SFP, the unauthenticated target of evaluation (TOE) services, and the discretionary access control policy.
Creates, deletes, or modifies the rules that control the address from which management sessions can be established.
Specifies and revokes security attributes associated with the users, subjects, and objects.
Specifies the percentage of audit storage capacity at which the device alerts administrators.
Handles authentication failures and modifies the number of failed authentication attempts through SSH or from the CLI that can occur before progressive throttling is enforced for further authentication attempts and before the connection is dropped.
Manages basic network configuration of the device.
IDS Administrator—Specifies IDS security alarms, intrusion alarms, audit selections, and audit data.
You must set the security-role attribute in the classes created for these administrative roles. This attribute restricts which users can show and clear the security logs, actions that cannot be performed through configuration alone.
For example, you must set the security-role attribute in the ids-admin class
created for the IDS administrator role if you want to restrict clearing and showing IDS
logs to the IDS administrator role. Likewise, you must set the security-role to one of
the other admin values to restrict that class from being able to clear and show non-IDS
logs only.
When a user deletes an existing configuration, the configuration statements under the hierarchy level of the deleted configuration (the child objects that the user does not have permission to modify) remain in the device.
Example: How to Configure Administrative Roles
This example shows how to configure individual administrative roles for a distinct, unique set of privileges apart from all other administrative roles.
Requirements
No action beyond device initialization is required before configuring this feature.
Overview
This example illustrates how to configure four admin user roles:
audit-officerof the classaudit-admincrypto-officerof the classcrypto-adminsecurity-officerof the classsecurity-adminids-officerof the classids-admin
When a security-admin class is configured, the privileges
for creating administrators are revoked from the user who created
the security-admin class. Creation of new users and logins
is at the discretion of the security-officer.
In this example, you create the four administrative user roles shown in the preceding list (audit
admin, crypto admin, security admin, and ids admin). For each role, you assign
relevant permission flags for the role. You then allow or deny access to
configuration statements and commands by name for each administrative role. These
specific restrictions take precedence over the permission flags configured in the
class. For example, only the crypto-admin can run the
request system set-encryption-key command, which requires
having the security permission flag to access it. Only the
security-admin can include the system
time-zone statement in the configuration, which requires having the
system-control permission flag.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them
into a text file, remove any line breaks, change any details necessary to
match your network configuration, copy and paste the commands into the CLI
at the [edit] hierarchy level, and then enter
commit in configuration mode.
set system login class audit-admin permissions security set system login class audit-admin permissions trace set system login class audit-admin permissions maintenance set system login class audit-admin allow-commands "^clear (log|security log)" set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"; set system login class audit-admin security-role audit-administrator set system login class crypto-admin permissions admin-control set system login class crypto-admin permissions configure set system login class crypto-admin permissions maintenance set system login class crypto-admin permissions security-control set system login class crypto-admin permissions system-control set system login class crypto-admin permissions trace set system login class crypto-admin allow-commands "^request system set-encryption-key" set system login class crypto-admin deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" set system login class crypto-admin allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"] set system login class crypto-admin security-role crypto-administrator set system login class security-admin permissions all set system login class security-admin deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell" set system login class security-admin deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"] set system login class security-admin security-role security-administrator set system login class ids-admin permissions configure set system login class ids-admin permissions security-control set system login class ids-admin permissions trace set system login class ids-admin permissions maintenance set system login class ids-admin allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"] set system login class ids-admin deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell" set system login class ids-admin deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"] set system login class ids-admin security-role ids-admin set system login user audit-officer class audit-admin set system login user crypto-officer class crypto-admin set system login user security-officer class security-admin set system login user ids-officer class ids-admin set system login user audit-officer authentication plain-text-password set system login user crypto-officer authentication plain-text-password set system login user security-officer authentication plain-text-password set system login user ids-officer authentication plain-text-password
Step-by-Step Procedure
To configure administrative roles:
-
Create the
audit-adminlogin class.[edit] user@host# edit system login class audit-admin [edit system login class audit-admin] user@host# set permissions security user@host# set permissions trace user@host# set permissions maintenance
-
Configure the
audit-adminlogin class restrictions.[edit system login class audit-admin] user@host# set allow-commands "^clear (log|security log)" user@host# set deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" user@host# set security-role audit-administrator
-
Create the
crypto-adminlogin class.[edit] user@host# edit system login class crypto-admin [edit system login class crypto-admin] user@host# set permissions admin-control user@host# set permissions configure user@host# set permissions maintenance user@host# set permissions security-control user@host# set permissions system-control user@host# set permissions trace
-
Configure the
crypto-adminlogin class restrictions.[edit system login class crypto-admin] user@host# set allow-commands "^request system set-encryption-key" user@host# set deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell" user@host# set allow-configuration-regexps ["security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"] user@host# set security-role crypto-administrator
-
Create the
security-adminlogin class.[edit] user@host# edit system login class security-admin [edit system login class security-admin] user@host# set permissions all
-
Configure the
security-adminlogin class restrictions.[edit system login class security-admin] user@host# set deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell" user@host# set deny-configuration-regexps ["security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key- generation"] user@host# set security-role security-administrator
-
Create the
ids-adminlogin class.[edit] user@host# edit system login class ids-admin [edit system login class ids-admin] user@host# set permissions configure user@host# set permissions maintenance user@host# set permissions security-control user@host# set permissions trace
-
Configure the
ids-adminlogin class restrictions.[edit system login class ids-admin] user@host# set allow-configuration-regexps ["security alarms potential-violation idp" "security log exclude .* event-id IDP_.*" user@host# set deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell" user@host# set deny-configuration-regexps ["security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"] user@host# set security-role ids-administrator
-
Assign users to the roles.
[edit] user@host# edit system login [edit system login] user@host# set user audit-officer class audit-admin user@host# set user crypto-officer class crypto-admin user@host# set user security-officer class security-admin user@host# set user ids-officer class ids-admin
-
Configure passwords for the users.
[edit system login] user@host# set user audit-officer authentication plain-text-password user@host# set user crypto-officer authentication plain-text-password user@host# set user security-officer authentication plain-text-password user@host# set user ids-officer authentication plain-text-password
Results
In configuration mode, confirm your configuration by entering the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show system
system {
login {
class audit-admin {
permissions [ maintenance security trace ];
allow-commands "^clear (log|security log)";
deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
security-role audit-administrator;
}
class crypto-admin {
permissions [ admin-control configure maintenance security-control system-control trace ];
allow-commands "^request (system set-encryption-key)";
deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
allow-configuration-regexps [ "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation" ];
security-role crypto-administrator;
}
class security-admin {
permissions [all];
deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell";
deny-configuration-regexps [ "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation" ];
security-role security-administrator;
}
class ids-admin {
permissions [ configure maintenance security-control trace ];
deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type
(authentication | cryptographic-self-test | decryption-failures | encryption-failures
| ike-phase1-failures | ike-phase2-failures|key-generation-self-test |
non-cryptographic-self-test |policy | replay-attacks) | ^file (copy|delete|rename)
|^request (security|system set-encryption-key) | ^rollback |
^set date | ^show security (dynamic-policies|match-policies|policies) |^start shell";
allow-configuration-regexps [ "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*" ];
deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-
failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|
key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
security-role ids-administrator;
}
user audit-officer {
class audit-admin;
authentication {
encrypted-password "$1$ABC123"; ## SECRET-DATA
}
}
user crypto-officer {
class crypto-admin;
authentication {
encrypted-password "$1$ABC123."; ## SECRET-DATA
}
}
user security-officer {
class security-admin;
authentication {
encrypted-password "$1$ABC123."; ##SECRET-DATA
}
}
user ids-officer {
class ids-admin;
authentication {
encrypted-password "$1$ABC123/"; ## SECRET-DATA
}
}
}
}
After you configure the device, enter commit in configuration mode.
Verification
Confirm that the configuration is working properly.
Verify the Login Permissions
Purpose
Verify the login permissions for the current user.
Action
In operational mode, enter the show cli authorization command to verify the
user's login permissions.
user@host> show cli authorization
Current user: 'example' class 'super-user'
Permissions:
admin -- Can view user accounts
admin-control-- Can modify user accounts
clear -- Can clear learned network info
configure -- Can enter configuration mode
control -- Can modify any config
edit -- Can edit full files
field -- Can use field debug commands
floppy -- Can read and write the floppy
interface -- Can view interface configuration
interface-control-- Can modify interface configuration
network -- Can access the network
reset -- Can reset/restart interfaces and daemons
routing -- Can view routing configuration
routing-control-- Can modify routing configuration
shell -- Can start a local shell
snmp -- Can view SNMP configuration
snmp-control-- Can modify SNMP configuration
system -- Can view system configuration
system-control-- Can modify system configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
maintenance -- Can become the super-user
firewall -- Can view firewall configuration
firewall-control-- Can modify firewall configuration
secret -- Can view secret statements
secret-control-- Can modify secret statements
rollback -- Can rollback to previous configurations
security -- Can view security configuration
security-control-- Can modify security configuration
access -- Can view access configuration
access-control-- Can modify access configuration
view-configuration-- Can view all configuration (not including secrets)
flow-tap -- Can view flow-tap configuration
flow-tap-control-- Can modify flow-tap configuration
idp-profiler-operation-- Can Profiler data
pgcp-session-mirroring-- Can view pgcp session mirroring configuration
pgcp-session-mirroring-control-- Can modify pgcp session mirroring configura
tion
storage -- Can view fibre channel storage protocol configuration
storage-control-- Can modify fibre channel storage protocol configuration
all-control -- Can modify any configuration
Individual command authorization:
Allow regular expression: none
Deny regular expression: none
Allow configuration regular expression: none
Deny configuration regular expression: noneThis output summarizes the login permissions.
How to Configure a Local Administrator Account
Superuser privileges give a user permission to use any command on the router and are generally reserved for a select few users such as system administrators. You (the system administrator) need to protect the local administrator account with a password to prevent unauthorized users from gaining access to superuser commands. These superuser commands can be used to alter the system configuration. Users with RADIUS authentication should also configure a local password. If the RADIUS server does not respond, the login process reverts to local password authentication on the local administrator account.
The following example shows how to configure a password-protected local administration
account called admin with superuser privileges:
[edit]
system {
login {
user admin {
uid 1000;
class superuser;
authentication {
encrypted-password "<PASSWORD>"; ## SECRET-DATA
}
}
}
}