Vyatta Network OS Documentation


Example of a rule set to create a security group

Consider a vRouter where a superuser creates a new group called security. The superuser associates a rule set with the new group so that only members of this group can modify the ACM rule set and the system login configuration. Additionally, a user called secadmin, who is already part of the administrator group, is added to the new group.

To create the new group and to associate the rule set, perform the following steps in configuration mode.

Table 1. Example of a rule set to create a security group

Step 1. Create a group called security. Creating the group grants nothing by itself; rule 1 in step 3 is what lets its members adjust the ACM rule set and the system logins.

vyatta@vyatta# set system login group 'security'

Step 2. Add the user secadmin, who is already in the administrator group, to the security group.

vyatta@vyatta# set system login user secadmin authentication plaintext-password #<enter>; enter password
vyatta@vyatta# set system login user secadmin group 'security'

Step 3. Allow members of the security group every operation on every configuration path. This rule must carry a lower number than the vyattacfg rules in step 4: rules are evaluated in ascending rule-number order and the first match wins, and because secadmin is also in vyattacfg, a higher-numbered allow rule would never be reached for that user.

vyatta@vyatta# set system acm ruleset rule 1 action 'allow'
vyatta@vyatta# set system acm ruleset rule 1 group 'security'
vyatta@vyatta# set system acm ruleset rule 1 operation '*'
vyatta@vyatta# set system acm ruleset rule 1 path '*'

Step 4. Prohibit changes to /system/acm and /system/login unless the changes are made by a member of the group called security. These rules set no action, so they take the default action, deny. They cover only create, update and delete; read access to the two subtrees is not restricted, and the pre-existing rule 9999 (allow vyattacfg everything) still applies to every other path.

vyatta@vyatta# set system acm ruleset rule 9991 group 'vyattacfg'
vyatta@vyatta# set system acm ruleset rule 9991 operation 'delete'
vyatta@vyatta# set system acm ruleset rule 9991 path '/system/acm'

vyatta@vyatta# set system acm ruleset rule 9992 group 'vyattacfg'
vyatta@vyatta# set system acm ruleset rule 9992 operation 'create'
vyatta@vyatta# set system acm ruleset rule 9992 path '/system/acm'

vyatta@vyatta# set system acm ruleset rule 9993 group 'vyattacfg'
vyatta@vyatta# set system acm ruleset rule 9993 operation 'update'
vyatta@vyatta# set system acm ruleset rule 9993 path '/system/acm'

vyatta@vyatta# set system acm ruleset rule 9994 group 'vyattacfg'
vyatta@vyatta# set system acm ruleset rule 9994 operation 'update'
vyatta@vyatta# set system acm ruleset rule 9994 path '/system/login'

vyatta@vyatta# set system acm ruleset rule 9995 group 'vyattacfg'
vyatta@vyatta# set system acm ruleset rule 9995 operation 'delete'
vyatta@vyatta# set system acm ruleset rule 9995 path '/system/login'

vyatta@vyatta# set system acm ruleset rule 9996 group 'vyattacfg'
vyatta@vyatta# set system acm ruleset rule 9996 operation 'create'
vyatta@vyatta# set system acm ruleset rule 9996 path '/system/login'
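To check how these rules interact before committing them, the following Python simulation of the configuration rule set is added here; it is not Vyatta code and does not talk to a vRouter. It encodes the rules above as data and evaluates a request the way the text describes: ascending rule number, first match wins. Assumptions, marked in the code as well: a rule with no action denies (which the prohibit rules rely on), a rule path covers its own subtree, and a request matching no rule falls back to a caller-supplied default. The users alice (vyattacfg only) and bob (vyattaop only) and the request paths are constructed for the example.

```python
"""Added simulation of the ACM configuration rule set from the example above.

Not Vyatta code.  Assumptions: first match in ascending rule number wins;
a rule without an explicit action denies; a rule path matches itself and
everything beneath it; no matching rule -> caller-supplied default.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    group: str
    operation: str            # create, delete, update, read, or "*"
    path: str                 # configuration path, or "*"
    action: Optional[str] = None   # None -> default deny (assumption)


# The rule set as configured by the steps above.  Rule 9999 is the stock
# "allow vyattacfg everything" rule that exists before the example is applied.
EXAMPLE_RULESET: List[Rule] = [
    Rule(1, "security", "*", "*", "allow"),
    Rule(9991, "vyattacfg", "delete", "/system/acm"),
    Rule(9992, "vyattacfg", "create", "/system/acm"),
    Rule(9993, "vyattacfg", "update", "/system/acm"),
    Rule(9994, "vyattacfg", "update", "/system/login"),
    Rule(9995, "vyattacfg", "delete", "/system/login"),
    Rule(9996, "vyattacfg", "create", "/system/login"),
    Rule(9999, "vyattacfg", "*", "*", "allow"),
]

# Constructed users for the walk-through (group membership is an assumption).
USERS = {
    "secadmin": {"vyattacfg", "security"},   # administrator promoted in step 2
    "alice": {"vyattacfg"},                  # ordinary administrator
    "bob": {"vyattaop"},                     # operator, no config rules at all
}


def path_matches(rule_path: str, request_path: str) -> bool:
    """'*' matches anything; otherwise the rule covers its own subtree only,
    so /system/acm matches /system/acm/ruleset but not /system/account."""
    if rule_path == "*":
        return True
    return request_path == rule_path or request_path.startswith(rule_path.rstrip("/") + "/")


def decide(rules: Iterable[Rule], groups: Set[str], operation: str, path: str,
           no_match_default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); rule number None means no rule
    matched and the supplied default was used."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.group not in groups:
            continue
        if rule.operation not in ("*", operation):
            continue
        if not path_matches(rule.path, path):
            continue
        return (rule.action or "deny", rule.number)
    return (no_match_default, None)


def renumber(rules: Iterable[Rule], old: int, new: int) -> List[Rule]:
    """Copy of the rule set with one rule renumbered; used to show why the
    security allow rule must precede the vyattacfg deny rules."""
    return [replace(r, number=new) if r.number == old else r for r in rules]


def walk_through() -> dict:
    """Decisions for a few constructed requests, keyed by a short label."""
    return {
        "secadmin update acm": decide(EXAMPLE_RULESET, USERS["secadmin"], "update", "/system/acm/ruleset/rule/1/action"),
        "alice update acm": decide(EXAMPLE_RULESET, USERS["alice"], "update", "/system/acm/ruleset"),
        "alice create login user": decide(EXAMPLE_RULESET, USERS["alice"], "create", "/system/login/user/mallory"),
        "alice read login": decide(EXAMPLE_RULESET, USERS["alice"], "read", "/system/login"),
        "alice update interface": decide(EXAMPLE_RULESET, USERS["alice"], "update", "/interfaces/dataplane/dp0p1s1/address"),
        "bob read login": decide(EXAMPLE_RULESET, USERS["bob"], "read", "/system/login"),
        "secadmin, allow rule moved to 9997": decide(renumber(EXAMPLE_RULESET, 1, 9997), USERS["secadmin"], "update", "/system/acm"),
    }


if __name__ == "__main__":
    for label, (action, num) in walk_through().items():
        print(f"{label:40s} -> {action:5s} (rule {num})")
```

Two results are worth noting. alice is denied create on /system/login but allowed read on it, so these rules stop unprivileged administrators from adding accounts or rewriting the policy without hiding either subtree from them. And once the security allow rule is renumbered above 9991, secadmin is denied by rule 9993 even though the group membership is unchanged, which is the ordering point from step 3.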
The following configuration is displayed by entering the show system acm command in configuration mode after you perform the preceding steps. The operational-ruleset rules 9977 through 9999 and the configuration ruleset rule 9999 are present before the example is applied; the example adds only rule 1 and rules 9991 through 9996 to the configuration ruleset. Rules 9991 through 9996 show no action because they use the default action, deny.
# show system acm
 acm {
     enable
     operational-ruleset {
         rule 9977 {
             action allow
             command /show/tech-support/save
             group vyattaop
         }
         rule 9978 {
             action deny
             command "/show/tech-support/save/*"
             group vyattaop
         }
         rule 9979 {
             action allow
             command /show/tech-support/save-uncompressed
             group vyattaop
         }
         rule 9980 {
             action deny
             command "/show/tech-support/save-uncompressed/*"
             group vyattaop
         }
         rule 9981 {
             action allow
             command /show/tech-support/brief/save
             group vyattaop
         }
         rule 9982 {
             action deny
             command "/show/tech-support/brief/save/*"
             group vyattaop
         }
         rule 9983 {
             action allow
             command /show/tech-support/brief/save-uncompressed
             group vyattaop
         }
         rule 9984 {
             action deny
             command "/show/tech-support/brief/save-uncompressed/*"
             group vyattaop
         }
         rule 9985 {
             action allow
             command /show/tech-support/brief/
             group vyattaop
         }
         rule 9986 {
             action deny
             command /show/tech-support/brief
             group vyattaop
         }
         rule 9987 {
             action deny
             command /show/tech-support
             group vyattaop
         }
         rule 9988 {
             action deny
             command /show/configuration
             group vyattaop
         }
         rule 9989 {
             action allow
             command "/clear/*"
             group vyattaop
         }
         rule 9990 {
             action allow
             command "/show/*"
             group vyattaop
         }
         rule 9991 {
             action allow
             command "/monitor/*"
             group vyattaop
         }
         rule 9992 {
             action allow
             command "/ping/*"
             group vyattaop
         }
         rule 9993 {
             action allow
             command "/reset/*"
             group vyattaop
         }
         rule 9994 {
             action allow
             command "/release/*"
             group vyattaop
         }
         rule 9995 {
             action allow
             command "/renew/*"
             group vyattaop
         }
         rule 9996 {
             action allow
             command "/telnet/*"
             group vyattaop
         }
         rule 9997 {
             action allow
             command "/traceroute/*"
             group vyattaop
         }
         rule 9998 {
             action allow
             command "/update/*"
             group vyattaop
         }
         rule 9999 {
             action deny
             command "*"
             group vyattaop
         }
     }
     ruleset {
         rule 1 {
             action allow
             group security
             operation "*"
             path "*"
         }
         rule 9991 {
             group vyattacfg
             operation delete
             path /system/acm
         }
         rule 9992 {
             group vyattacfg
             operation create
             path /system/acm
         }
         rule 9993 {
             group vyattacfg
             operation update
             path /system/acm
         }
         rule 9994 {
             group vyattacfg
             operation update
             path /system/login
         }
         rule 9995 {
             group vyattacfg
             operation delete
             path /system/login
         }
         rule 9996 {
             group vyattacfg
             operation create
             path /system/login
         }
         rule 9999 {
             action allow
             group vyattacfg
             operation "*"
             path "*"
         }
     }
 }