<div dir="ltr">I just figured out what you're seeing.<div><br></div><div><div>lab1-c2#en</div><div>lab1-c2#somepassword</div><div>Translating "somepassword"</div><div><br></div><div>% Bad IP address or host name</div><div>Translating "somepassword"</div><div>% Unknown command or computer name, or unable to find computer address</div><div>lab1-c2#</div></div><div><br></div><div><br></div><div>Produces this:</div><div><br></div><div><div>Apr 14 16:42:42<span class="" style="white-space:pre">      </span>10.244.165.35<span class="" style="white-space:pre">     </span>jfraizer<span class="" style="white-space:pre">  </span>tty1<span class="" style="white-space:pre">      </span>192.168.56.1<span class="" style="white-space:pre">      </span>start<span class="" style="white-space:pre">     </span>task_id=5<span class="" style="white-space:pre"> </span>timezone=UTC<span class="" style="white-space:pre">      </span>service=shell</div></div><div><div>Apr 14 16:42:44<span class="" style="white-space:pre">        </span>10.244.165.35<span class="" style="white-space:pre">     </span>jfraizer<span class="" style="white-space:pre">  </span>tty1<span class="" style="white-space:pre">      </span>192.168.56.1<span class="" style="white-space:pre">      </span>stop<span class="" style="white-space:pre">      </span>task_id=5<span class="" style="white-space:pre"> </span>timezone=UTC<span class="" style="white-space:pre">      </span>service=shell<span class="" style="white-space:pre">     </span>priv-lvl=0<span class="" style="white-space:pre">        </span>cmd=enable <cr></div></div><div><div>Apr 14 16:42:47<span class="" style="white-space:pre">        </span>10.244.165.35<span class="" style="white-space:pre">     </span>jfraizer<span class="" style="white-space:pre">  </span>tty1<span class="" style="white-space:pre">      </span>192.168.56.1<span class="" style="white-space:pre">      </span>stop<span class="" style="white-space:pre">      </span>task_id=6<span class="" 
style="white-space:pre"> </span>timezone=UTC<span class="" style="white-space:pre">      </span>service=shell<span class="" style="white-space:pre">     </span>priv-lvl=1<span class="" style="white-space:pre">        </span>cmd=connect somepassword <cr></div></div><div><br></div><div><br></div><div>Here is the situation:  I've got my tac_plus (plus do_auth) configured to give priv-lvl=15 on login.  So, me typing enable is NOT necessary for me to get into enable mode.  I'm ALREADY there.  When I do so, it just drops me back to a prompt (NOT a password prompt).  When the next thing I send is "somepassword", the Cisco translates this to "connect somepassword".</div><div><br></div><div>I would venture to guess that you're giving priv-lvl=15 on login and that you've got users who don't realize they're already enabled or that you've got some script running that is hard coded to blindly send commands vs. examining its current prompt to determine its priv-lvl.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>--</div>John Fraizer<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">http://www.linkedin.com/in/johnfraizer/</a></div><div><br><div><span style="color:rgb(53,53,53);font-family:Arial,sans-serif;font-size:12px;line-height:12px;background-color:rgb(244,244,244)"><br></span></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, Apr 14, 2015 at 9:41 AM, John Fraizer <span dir="ltr"><<a href="mailto:john@op-sec.us" target="_blank">john@op-sec.us</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Provide the entire accounting record rather than a description of it and we'll be able to help you more.  But, that is not what tac_plus would show when a user goes into enable.<div><br></div><div>This is what it shows from an Arista:</div><div><br></div><div><div>Apr 14 16:33:36<span style="white-space:pre-wrap">    </span>10.244.165.35<span style="white-space:pre-wrap">   </span>jfraizer<span style="white-space:pre-wrap">        </span>ssh<span style="white-space:pre-wrap">     </span>192.168.56.1<span style="white-space:pre-wrap">    </span>stop<span style="white-space:pre-wrap">    </span>task_id=21<span style="white-space:pre-wrap">      </span>service=shell<span style="white-space:pre-wrap">   </span>priv-lvl=1<span style="white-space:pre-wrap">      </span>start_time=1429029214<span style="white-space:pre-wrap">   </span>timezone=UTC<span style="white-space:pre-wrap">    </span>cmd=enable <cr></div></div><div><br></div><div>And here is what it shows from a Cisco CSR1000v:</div><div><br></div><div><div>Apr 14 16:34:43<span style="white-space:pre-wrap">     </span>10.244.165.36<span style="white-space:pre-wrap">   </span>jfraizer<span style="white-space:pre-wrap">        </span>tty1<span style="white-space:pre-wrap">    </span>192.168.56.1<span style="white-space:pre-wrap">    </span>stop<span style="white-space:pre-wrap">    </span>task_id=3<span style="white-space:pre-wrap">       </span>timezone=UTC<span style="white-space:pre-wrap">    </span>service=shell<span style="white-space:pre-wrap">   </span>priv-lvl=1<span style="white-space:pre-wrap">      </span>cmd=enable <cr></div></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br 
clear="all"><div><div><div dir="ltr"><div>--</div>John Fraizer<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">http://www.linkedin.com/in/johnfraizer/</a></div><div><br><div><span style="color:rgb(53,53,53);font-family:Arial,sans-serif;font-size:12px;line-height:12px;background-color:rgb(244,244,244)"><br></span></div></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Tue, Apr 14, 2015 at 9:28 AM, Munroe Sollog <span dir="ltr"><<a href="mailto:mus3@lehigh.edu" target="_blank">mus3@lehigh.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm using tac_plus as an audit history for all users, and I'm noticing that the accounting log is<br>
logging:<br>
<br>
cmd=connect <enable password> <cr><br>
<br>
I believe it is whenever someone types in 'enable' <cr> '<enable password>'<br>
<br>
Does this make sense, and if so any advice on how to get tac_plus to not save the password in the<br>
audit log?<br>
<br>
for reference:<br>
$ tac_plus -v<br>
tac_plus version F4.0.4.27a<br>
ACLS<br>
FIONBIO<br>
LIBWRAP<br>
LINUX<br>
LITTLE_ENDIAN<br>
LOG_DAEMON<br>
PAM<br>
NO_PWAGE<br>
REAPCHILD<br>
RETSIGTYPE RETSIGTYPE<br>
SHADOW_PASSWORDS<br>
SIGTSTP<br>
SIGTTIN<br>
SIGTTOU<br>
SO_REUSEADDR<br>
STRERROR<br>
TAC_PLUS_PORT<br>
UENABLE<br>
__STDC__<br>
<br>
<br>
<br>
Thanks.<br>
<br>
--<br>
Munroe Sollog<br>
LTS - Network Analyst<br>
x85002<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>
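The pattern John describes above (a user already at priv-lvl 15 types <code>enable</code>, gets the prompt back, then types the enable password, which IOS runs as <code>connect &lt;password&gt;</code>) leaves a recognisable fingerprint in the accounting log: a <code>cmd=enable &lt;cr&gt;</code> record followed within seconds by a <code>cmd=connect &lt;one token&gt; &lt;cr&gt;</code> record from the same device, user and tty. The script below is an added example, not code from the thread or from tac_plus itself: it parses the tab-separated accounting lines in the layout shown in the thread, flags records that match that fingerprint, and emits a redacted copy. The sample log is constructed from the records John posted (plus one invented legitimate <code>connect lab1-c3</code> line), and the 30-second pairing window and the year used to parse the timestamp are assumptions.

```python
"""Flag and redact probable enable-password leaks in tac_plus accounting logs.

Heuristic (from the mailing-list thread): a user who is already at priv 15
types "enable", gets the prompt back, then types the enable password, which
IOS executes as "connect <password>".  An "enable <cr>" record followed
shortly by a "connect <single token> <cr>" record from the same device /
user / tty is therefore very probably a leaked secret.
"""
import re
from datetime import datetime

# Constructed sample built from the records quoted in the thread; the last
# line is an invented, legitimate "connect" so the heuristic has a negative case.
SAMPLE_LOG = """\
Apr 14 16:42:42\t10.244.165.35\tjfraizer\ttty1\t192.168.56.1\tstart\ttask_id=5\ttimezone=UTC\tservice=shell
Apr 14 16:42:44\t10.244.165.35\tjfraizer\ttty1\t192.168.56.1\tstop\ttask_id=5\ttimezone=UTC\tservice=shell\tpriv-lvl=0\tcmd=enable <cr>
Apr 14 16:42:47\t10.244.165.35\tjfraizer\ttty1\t192.168.56.1\tstop\ttask_id=6\ttimezone=UTC\tservice=shell\tpriv-lvl=1\tcmd=connect somepassword <cr>
Apr 14 16:50:01\t10.244.165.35\tjfraizer\ttty1\t192.168.56.1\tstop\ttask_id=7\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=connect lab1-c3 <cr>
"""

WINDOW_SECONDS = 30  # assumption: the mis-typed password follows "enable" within seconds
YEAR = 2015          # assumption: syslog-style timestamps carry no year; taken from the thread date

# "connect" with exactly one argument; a real "connect host" looks the same,
# which is why the pairing with a preceding "enable" is required.
CONNECT_ONE_ARG = re.compile(r"^connect (\S+) <cr>$")


def parse_record(line):
    """Split one accounting line into its fixed fields plus an AV-pair dict.

    Field order as seen in the thread: timestamp, NAS address, user, port,
    remote address, start/stop flag, then attribute=value pairs.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        raise ValueError("not an accounting record: %r" % line)
    ts = datetime.strptime("%d %s" % (YEAR, parts[0]), "%Y %b %d %H:%M:%S")
    avpairs = {}
    for av in parts[6:]:
        key, _, value = av.partition("=")
        avpairs[key] = value
    return {"time": ts, "nas": parts[1], "user": parts[2], "port": parts[3],
            "rem_addr": parts[4], "flag": parts[5], "av": avpairs,
            "raw": line.rstrip("\n")}


def find_leaks(lines):
    """Return (line_index, redacted_line) for records that look like a leaked enable password."""
    last_enable = {}   # (nas, user, port) -> time of the most recent "cmd=enable <cr>"
    results = []
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        rec = parse_record(line)
        cmd = rec["av"].get("cmd", "")
        key = (rec["nas"], rec["user"], rec["port"])
        if cmd == "enable <cr>":
            last_enable[key] = rec["time"]
            continue
        m = CONNECT_ONE_ARG.match(cmd)
        if m and key in last_enable:
            delta = (rec["time"] - last_enable[key]).total_seconds()
            if 0 <= delta <= WINDOW_SECONDS:
                redacted = rec["raw"].replace("cmd=" + cmd, "cmd=connect <redacted> <cr>")
                results.append((i, redacted))
        # Any other record from this session ends the enable/connect pairing.
        last_enable.pop(key, None)
    return results


def redact_log(text):
    """Return the log text with flagged 'connect' arguments replaced by <redacted>."""
    lines = text.splitlines()
    leaks = dict(find_leaks(lines))
    return "\n".join(leaks.get(i, line) for i, line in enumerate(lines)) + "\n"


if __name__ == "__main__":
    for idx, fixed in find_leaks(SAMPLE_LOG.splitlines()):
        print("line %d: probable enable password in accounting log -> %s" % (idx + 1, fixed))
    print(redact_log(SAMPLE_LOG), end="")
```

Run over the sample, only the <code>connect somepassword</code> record three seconds after the <code>enable</code> is flagged; the later <code>connect lab1-c3</code>, with no preceding <code>enable</code>, passes through untouched. A genuine <code>connect host</code> typed right after <code>enable</code> would also be redacted, which is the safe direction for a log sanitizer. This only cleans the log after the fact; the fix for the root cause, as John notes, is the users or scripts that send <code>enable</code> and a password to a session that is already at priv 15.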