new GAIA admin user can’t execute native commands

Found out that a new GAIA admin user in adminRole cannot execute external SPLAT commands in either expert or GAIA (clish) mode (cpstat, fwstat, tcpdump).

Pingtool saved my bacon.

http://pingtool.org/adding-new-admin-user-to-checkpoint-gaia-with-expert-permissions/

Make sure you ‘save config’

NOTE: you can add multiple users with the duplicate UID 0 and it works.

So that's how you can create a raw admin mirror account.

If you need to create a read-only GAIA admin account that still has SOME limited admin access, this is the secret sauce to add on top of the above admin (with UID 0 and GID 0):

GAIA:

        1. show rba role adminRole
          Copy and paste the output to notepad.
        2. Isolate the GAIA commands from the ‘ext’ commands. You can also use ‘show extended commands’. Make sure you only have about 7 commands on each line (GAIA has limits on line length). The output looks like:
          arp,backup,clock-date,cluster_ha,command…….
          ext commands:
          ext_cphastop,ext_cpinfo,ext_cplic,ext_cpshared_ver……
        3. Hard part: look at the commands and filter out those that you don’t want people to access: expert, cpconfig, expert-password, config_system, cpstop/cpstart
        4. Create a new readonly feature set and a new role for the GAIA-specific commands:
          add rba role minirole domain-type System readonly-features arp,backup,clock-date,cluster_ha,command
          add rba role minirole domain-type System readonly-features high-avail-group,host
          add rba role minirole domain-type System readonly-features host-access,hostname,hw-monitor,interface,interface-group,iphelper,ipv6-state,license
        5. Add a readwrite feature set for the ext commands to the new role (do NOT give them expert or show expert password). Also make sure not to make your lines too long or you will get an error:
          add rba role minirole domain-type System readwrite-features ext_cphaprob,ext_cphastart
          add rba role minirole domain-type System readwrite-features ext_cphastop,ext_cpinfo,ext_cplic,ext_cpshared_ver,ext_cpstart,ext_cpstat,ext_cpstop,ext_diag
        6. Create your own commands from Unix binaries:
          add command tcpdump path /usr/sbin/tcpdump description "network sniff"
          add command ls path /bin/ls description "list directory"
          add command pwd path /bin/pwd description "where am i"
          add command cat path /bin/cat description "dump file"
          add command more path /bin/more description "scroll file"
          add command find path /usr/bin/find description "find file"
          save config
        7. Log out.
        8. Log back in.
        9. Add the new commands to the minirole (you have to prefix them with ‘ext_’):
          add rba role minirole domain-type System readwrite-features ext_tcpdump,ext_ls,ext_pwd,ext_cat
          add rba role minirole domain-type System readwrite-features ext_more,ext_find
        10. VSX only:
          add rba role adminRole virtual-system-access 0,1,2,3,4……
        11. Attach the role to the user:
          add rba user miniadmin role minirole
        12. Save config.
        13. NOTE: adding/deleting features has an immediate impact on logged-in users, except for external commands, which only kick in when a user logs in again.
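The chunking and filtering in steps 2 through 5 are easy to get wrong by hand, so here is an added helper (not from the original post) that turns a comma-separated feature list, as printed by ‘show rba role adminRole’, into ‘add rba role’ lines: it drops the features listed in step 3, sends plain GAIA features to readonly-features and ext_* features to readwrite-features, and never puts more than 7 features on one line. The role name, the deny list and the sample feature list are constructed for the example; the generated lines are meant to be pasted into clish.

```shell
#!/bin/sh
# Added example: build 'add rba role' lines for a restricted GAIA role.
# ROLE, DENY and SAMPLE are constructed values, not taken from a real box.
ROLE="minirole"
MAX_PER_LINE=7    # the post reports clish rejecting long feature lines
# Features a limited admin must not get (step 3 of the post)
DENY="expert expert-password cpconfig config_system ext_cpstop ext_cpstart"
# Constructed sample of the output of 'show rba role adminRole'
SAMPLE="arp,backup,clock-date,cluster_ha,command,expert,expert-password,high-avail-group,host,host-access,hostname,hw-monitor,interface,ext_cphaprob,ext_cphastart,ext_cphastop,ext_cpinfo,ext_cplic,ext_cpstop,ext_cpstart,ext_cpstat,ext_diag"

# is_denied NAME: succeeds when NAME is on the deny list
is_denied() {
    for d in $DENY; do [ "$1" = "$d" ] && return 0; done
    return 1
}

# emit_chunks ROLE KEYWORD f1 f2 ...: one line per MAX_PER_LINE features
emit_chunks() {
    role=$1; kw=$2; shift 2
    line=""; n=0
    for f in "$@"; do
        line="${line:+$line,}$f"; n=$((n + 1))
        if [ "$n" -eq "$MAX_PER_LINE" ]; then
            printf 'add rba role %s domain-type System %s %s\n' "$role" "$kw" "$line"
            line=""; n=0
        fi
    done
    [ -n "$line" ] && printf 'add rba role %s domain-type System %s %s\n' "$role" "$kw" "$line"
    return 0
}

# emit_role ROLE FEATURES: split the list, drop denied names, and route
# plain features to readonly-features and ext_* to readwrite-features
emit_role() {
    role=$1; list=$2
    ro=""; rw=""
    for f in $(printf '%s' "$list" | tr ',' ' '); do
        is_denied "$f" && continue
        case $f in
            ext_*) rw="$rw $f" ;;
            *)     ro="$ro $f" ;;
        esac
    done
    emit_chunks "$role" readonly-features $ro
    emit_chunks "$role" readwrite-features $rw
}

emit_role "$ROLE" "$SAMPLE"
```

Review the printed lines before pasting them: the deny list is only as good as the names you put in it, and a stray ext_ command gives the role a readwrite feature.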

After reading this you can ‘role’ your own admin!

PS: Note if you:

add rba role testrole domain-type System all-features

You CANNOT delete individual features from it. Weird. You have to delete the whole role. Only if you add features individually can you take them out one at a time.

Thanks again!

dreez


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
