Example of a rule set to create a security group
Consider a vRouter where a superuser creates a new group called security. The superuser associates a rule set with the new group so that only members of this group can modify the ACM and login configuration. Additionally, a member called secadmin, who already belongs to the administrator group, is also added to this new group.
To create the new group and to associate the rule set, perform the following steps in configuration mode.
Step | Command |
---|---|
Create a group called security. Members of the group are allowed to adjust the security policy and system logins. |
|
Add the member called secadmin, who belongs to the administrator group, to the security group as well. |
|
Allow the members of the security group access to all vRouter operations and configuration paths (rule 1 in the rule set below, with operation "*" and path "*"). |
|
Prohibit changes to /system/acm and /system/login unless the changes are made by a member of the group called security. In the rule set below this is implemented by rules 9991 through 9996, which match the create, update, and delete operations on those two paths for the vyattacfg group and carry no explicit action statement (so the rule set's default action applies to them); they are numbered ahead of rule 9999, the general allow rule for vyattacfg. |
|
# show system acm
acm {
enable
operational-ruleset {
rule 9977 {
action allow
command /show/tech-support/save
group vyattaop
}
rule 9978 {
action deny
command "/show/tech-support/save/*"
group vyattaop
}
rule 9979 {
action allow
command /show/tech-support/save-uncompressed
group vyattaop
}
rule 9980 {
action deny
command "/show/tech-support/save-uncompressed/*"
group vyattaop
}
rule 9981 {
action allow
command /show/tech-support/brief/save
group vyattaop
}
rule 9982 {
action deny
command "/show/tech-support/brief/save/*"
group vyattaop
}
rule 9983 {
action allow
command /show/tech-support/brief/save-uncompressed
group vyattaop
}
rule 9984 {
action deny
command "/show/tech-support/brief/save-uncompressed/*"
group vyattaop
}
rule 9985 {
action allow
command /show/tech-support/brief/
group vyattaop
}
rule 9986 {
action deny
command /show/tech-support/brief
group vyattaop
}
rule 9987 {
action deny
command /show/tech-support
group vyattaop
}
rule 9988 {
action deny
command /show/configuration
group vyattaop
}
rule 9989 {
action allow
command "/clear/*"
group vyattaop
}
rule 9990 {
action allow
command "/show/*"
group vyattaop
}
rule 9991 {
action allow
command "/monitor/*"
group vyattaop
}
rule 9992 {
action allow
command "/ping/*"
group vyattaop
}
rule 9993 {
action allow
command "/reset/*"
group vyattaop
}
rule 9994 {
action allow
command "/release/*"
group vyattaop
}
rule 9995 {
action allow
command "/renew/*"
group vyattaop
}
rule 9996 {
action allow
command "/telnet/*"
group vyattaop
}
rule 9997 {
action allow
command "/traceroute/*"
group vyattaop
}
rule 9998 {
action allow
command "/update/*"
group vyattaop
}
rule 9999 {
action deny
command "*"
group vyattaop
}
}
ruleset {
rule 1 {
action allow
group security
operation "*"
path "*"
}
rule 9991 {
group vyattacfg
operation delete
path /system/acm
}
rule 9992 {
group vyattacfg
operation create
path /system/acm
}
rule 9993 {
group vyattacfg
operation update
path /system/acm
}
rule 9994 {
group vyattacfg
operation update
path /system/login
}
rule 9995 {
group vyattacfg
operation delete
path /system/login
}
rule 9996 {
group vyattacfg
operation create
path /system/login
}
rule 9999 {
action allow
group vyattacfg
operation "*"
path "*"
}
}
}