new GAIA admin user can’t execute native commands

Found out that a new GAIA admin user in adminRole cannot execute external SPLAT commands in expert OR GAIA mode (cpstat, fwstat, tcpdump).

Pingtool saved my bacon.

Adding new admin user to CheckPoint Gaia with expert permissions

Make sure you ‘save config’

NOTE: you can add multiple users with the duplicate UID 0 and it works. Keep in mind that every such user is root the moment they enter expert mode, so this is a full admin clone, not a restricted account.

So that's how you can create a raw admin mirror account.

If you need a read-only GAIA admin account that still has SOME limited admin access, this is the secret sauce to add to the above admin (with UID 0 and GID 0). Keep in mind that the restriction lives in clish only: the account is still UID 0 underneath, so anything you expose through cat, more or find runs with root's file access (and find -exec will run any binary), so treat the result as a restricted shell, not a security boundary.

GAIA:

        1. show rba role adminRole
           Copy and paste the output to notepad.
        2. Separate the GAIA commands from the 'ext' commands (you can also use 'show extended commands'). Keep to about 7 commands per line, since GAIA limits the line length. For example:
           GAIA commands: arp,backup,clock-date,cluster_ha,command…….
           ext commands: ext_cphastop,ext_cpinfo,ext_cplic,ext_cpshared_ver……
        3. Hard part: go through the commands and filter out the ones you don't want people to access: expert, cpconfig, expert-password, config_system, cpstop/cpstart.
        4. Create a new readonly feature set and a new role for the GAIA-specific commands:
           add rba role minirole domain-type System readonly-features arp,backup,clock-date,cluster_ha,command
           add rba role minirole domain-type System readonly-features high-avail-group,host
           add rba role minirole domain-type System readonly-features host-access,hostname,hw-monitor,interface,interface-group,iphelper,ipv6-state,license
        5. Add a readwrite feature set for the ext commands to the new role (do NOT give them expert or show expert password). Again, keep the lines short or you will get an error. Note that the lines below still carry ext_cpstart and ext_cpstop; leave those out if you excluded cpstop/cpstart in step 3:
           add rba role minirole domain-type System readwrite-features ext_cphaprob,ext_cphastart
           add rba role minirole domain-type System readwrite-features ext_cphastop,ext_cpinfo,ext_cplic,ext_cpshared_ver,ext_cpstart,ext_cpstat,ext_cpstop,ext_diag
        6. Create your own commands from Unix binaries:
           add command tcpdump path /usr/sbin/tcpdump description "network sniff"
           add command ls path /bin/ls description "list directory"
           add command pwd path /bin/pwd description "where am i"
           add command cat path /bin/cat description "dump file"
           add command more path /bin/more description "scroll file"
           add command find path /usr/bin/find description "find file"
           save config
        7. Log out.
        8. Log back in.
        9. Add the new commands to the minirole (they now carry the 'ext_' prefix):
           add rba role minirole domain-type System readwrite-features ext_tcpdump,ext_ls,ext_pwd,ext_cat
           add rba role minirole domain-type System readwrite-features ext_more,ext_find
        10. VSX only: give the role access to the virtual systems it may manage:
           add rba role minirole virtual-system-access 0,1,2,3,4……
        11. Attach the role to the user:
           add rba user miniadmin roles minirole
        12. save config
        13. NOTE: adding or deleting features takes effect immediately for logged-in users, except for external commands, which only kick in when the user logs in again.
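The fiddly part of the procedure above is keeping every clish line under the length limit while making sure none of the withheld commands slip into the role. The script below is an added example, not code from the original post: it takes the raw feature lists, drops the names from step 3, chunks the rest into lines of at most 7 features, and prints the two batches of clish commands (the "add command" batch that needs a logout/login before the "ext_" features exist, and the role/user batch that follows). The deny-list spellings for expert, cpconfig, config_system and cpstop/cpstart are assumptions; check them against your own "show rba role adminRole" output before pasting.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the clish lines
# for the restricted role from raw feature lists, keeping every line to at
# most CHUNK features (the post's "about 7 per line" limit) and dropping the
# features the post says to withhold. Paste the output into clish as admin.
# ASSUMPTION: the exact feature names on the deny list must be checked
# against your own "show rba role adminRole" output.

ROLE=minirole
CHUNK=7

# Features to withhold (step 3), bare and ext_ spellings; assumed names.
DENY="expert expert-password cpconfig config_system cpstop cpstart ext_cpstop ext_cpstart ext_cpconfig"

# GAIA-native and ext_ lists copied from the post's steps 4 and 5.
RO_FEATURES="arp,backup,clock-date,cluster_ha,command,high-avail-group,host,host-access,hostname,hw-monitor,interface,interface-group,iphelper,ipv6-state,license"
RW_FEATURES="ext_cphaprob,ext_cphastart,ext_cphastop,ext_cpinfo,ext_cplic,ext_cpshared_ver,ext_cpstart,ext_cpstat,ext_cpstop,ext_diag"

# is_denied NAME: succeed when NAME is on the deny list.
is_denied() {
    for d in $DENY; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# emit_feature_lines ROLE KIND CSV
# KIND is readonly-features or readwrite-features; CSV is a comma-separated
# feature list (stray spaces tolerated). Prints one "add rba role" line per
# CHUNK features, skipping denied names.
emit_feature_lines() {
    efl_line=""
    efl_n=0
    for efl_f in $(printf '%s' "$3" | tr ',' ' '); do
        is_denied "$efl_f" && continue
        if [ "$efl_n" -eq "$CHUNK" ]; then
            printf 'add rba role %s domain-type System %s %s\n' "$1" "$2" "$efl_line"
            efl_line=""
            efl_n=0
        fi
        efl_line="${efl_line}${efl_line:+,}${efl_f}"
        efl_n=$((efl_n + 1))
    done
    [ -n "$efl_line" ] && printf 'add rba role %s domain-type System %s %s\n' "$1" "$2" "$efl_line"
    return 0
}

# custom_feature_names SPEC...  (SPEC is name:path:description)
# Prints the ext_-prefixed feature names that "add command" creates (step 9).
custom_feature_names() {
    cfn_out=""
    for cfn_spec in "$@"; do
        cfn_out="${cfn_out}${cfn_out:+,}ext_${cfn_spec%%:*}"
    done
    printf '%s' "$cfn_out"
}

# phase1 SPEC...: steps 6-8, the "add command" lines plus save config.
# After pasting these, log out and back in so the ext_ features exist.
phase1() {
    for p1_spec in "$@"; do
        p1_rest=${p1_spec#*:}
        printf 'add command %s path %s description "%s"\n' \
            "${p1_spec%%:*}" "${p1_rest%%:*}" "${p1_rest#*:}"
    done
    echo "save config"
}

# phase2 SPEC...: steps 4, 5, 9, 11 and 12 for the same commands.
phase2() {
    emit_feature_lines "$ROLE" readonly-features "$RO_FEATURES"
    emit_feature_lines "$ROLE" readwrite-features "$RW_FEATURES"
    emit_feature_lines "$ROLE" readwrite-features "$(custom_feature_names "$@")"
    echo "add rba user miniadmin roles $ROLE"
    echo "save config"
}

# run_demo FUNC: the post's six custom commands (constructed sample input).
run_demo() {
    "$1" "tcpdump:/usr/sbin/tcpdump:network sniff" \
         "ls:/bin/ls:list directory" \
         "pwd:/bin/pwd:where am i" \
         "cat:/bin/cat:dump file" \
         "more:/bin/more:scroll file" \
         "find:/usr/bin/find:find file"
}

# Usage: sh gen_minirole.sh 1 > phase1.clish   (paste, log out, log in)
#        sh gen_minirole.sh 2 > phase2.clish   (paste)
case "${1:-2}" in
    1) run_demo phase1 ;;
    *) run_demo phase2 ;;
esac
```

The deny check runs on the bare feature names, so a list that still contains ext_cpstart or ext_cpstop (as the step 5 lines do) comes out clean, and the chunking means you never have to count commands by hand.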

After reading this you can ‘role’ your own admin!

PS: Note that if you do:

add rba role testrole domain-type System all-features

you CANNOT delete individual features. Weird. You have to delete the whole role. Only if you add features individually can you take them out one at a time.

Thanks again!

dreez

