tac_plus.2.1 and mSQL-1.0.x

[Now there exists a version 3.x of tac_plus from cisco, so info presented herein may not be of value to you.]

After several emails that I received from the tacplus-l@disaster.com subscribers on how I merged tacplus and mSQL, I decided to place some notes here. I cannot place the actual code, as I am not sure about the copyright issues, so I’ll do my best:

[Note: This is in no way a complete document, but it is better than nothing.]

Development Tools and Environment

  • gcc-2.7.2
  • cisco tacplus.2.1
  • mSQL-1.0.16
  • HP-UX 9.04 (s800)
  • Solaris 2.5 (SPARC)
  • IOS 11.x

Why mSQL?

mSQL-1.0.x, although lightweight, is heavily tested and stable. Our other choices were SYBASE and Postgres95, but both were too heavy for the hardware available at that time. In any case, tacplus.2.1 can operate with any DBMS you like by making the same changes proposed here.

Code changes

  • Minor changes to the Makefile so that -I/usr/local/Minerva/include and -L/usr/local/Minerva/lib -lmsql are included.
  • #include <msql.h> added to every SQL-related hacked .c and .h file.
  • Added a check_rules() function: once the user has been verified by the normal tac_plus procedure and things are OK, the new rules are checked and enforced. check_rules() is called in default_fn.c after line 138, and only if data->status != TAC_PLUS_AUTHEN_STATUS_FAIL. check_rules() is used to enforce any policy that cannot otherwise be enforced by vanilla tac_plus.
  • Added some code to divert accounting to mSQL after line 99 of do_acct.c. Basically the code checks for the AV pairs service=exec and service=shell (which mean the same thing but come from different IOS releases: 10.x and 11.x respectively). In fact the whole of do_acct.c could easily be rewritten to support mSQL or any other DBMS that you like.
  • Estimated coding time: 6 hours.

Database design

Because this project was developed in a very short timeframe, no regular analysis was conducted and every feature that was required was built on an ad hoc basis. This means that for almost every new feature to be added and processed, a new table is almost always created, which is bad practice. The experience gained, though, will lead to a full-featured, well-designed system once this one can no longer function.

The schema is spaghetti-like, and the only thing worth noting is that currently logged-in users are kept in a table and every new login is checked against it. If the user attempting to log in is already logged in, the session is dropped and logged for (possible) further investigation.
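As an added illustration (not the author's code, which was never published), here is the shape of the check_rules() hook from the Code changes section together with the duplicate-login rule just described, with a small in-memory array standing in for the mSQL "currently logged in users" table. The function and table names, the SQL quoted in the comments and the PASS/FAIL status values are assumptions made for this example; the accounting-side service=exec / service=shell test from do_acct.c is included as well.

```c
#include <string.h>

#define MAX_SESSIONS 64
#define USER_LEN 32
/* Assumed to mirror the TACACS+ authentication reply values tac_plus uses */
#define AUTHEN_STATUS_PASS 1
#define AUTHEN_STATUS_FAIL 2

/* In-memory stand-in for the mSQL "currently logged in users" table */
static char logged_in[MAX_SESSIONS][USER_LEN];
static int n_logged_in = 0;

static int find_user(const char *user) {
    for (int i = 0; i < n_logged_in; i++)
        if (strcmp(logged_in[i], user) == 0) return i;
    return -1;
}

/* Accounting path: is this record for an exec/shell session?  IOS 10.x
 * sends service=exec and IOS 11.x sends service=shell for the same thing. */
int is_shell_session(const char *const *avpairs, int n) {
    for (int i = 0; i < n; i++)
        if (strcmp(avpairs[i], "service=exec") == 0 ||
            strcmp(avpairs[i], "service=shell") == 0) return 1;
    return 0;
}

/* Policy hook, run only after vanilla tac_plus has verified the user.
 * Stands for: SELECT user FROM logged_in WHERE user='<user>'
 *             INSERT INTO logged_in VALUES ('<user>')  (assumed table) */
int check_rules(const char *user, int status) {
    if (status == AUTHEN_STATUS_FAIL) return status;   /* nothing to enforce */
    if (find_user(user) >= 0) return AUTHEN_STATUS_FAIL; /* already on: drop */
    if (n_logged_in >= MAX_SESSIONS) return AUTHEN_STATUS_FAIL;
    strncpy(logged_in[n_logged_in], user, USER_LEN - 1);
    logged_in[n_logged_in++][USER_LEN - 1] = '\0';
    return AUTHEN_STATUS_PASS;
}

/* Accounting STOP for a shell session frees the user's row.
 * Stands for: DELETE FROM logged_in WHERE user='<user>' */
int session_stop(const char *user) {
    int i = find_user(user);
    if (i < 0) return 0;                               /* no open session */
    if (i < n_logged_in - 1)
        memmove(logged_in[i], logged_in[i + 1], (size_t)(n_logged_in - i - 1) * USER_LEN);
    n_logged_in--;
    return 1;
}
```

A real deployment also needs the cron-driven reset the page mentions, since a lost accounting STOP would otherwise lock a user out until the row is cleared.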

The whole system is supported by a number of scripts in ksh and perlMsql that are run by cron and reset values or extract statistics.

There you have it…

Acknowledgements

I would like to thank Panagiotis Christias and Panagiotis Sebos for their help and comments during the development, testing and evolution of this project.

If you have any suggestions and/or comments, email me at: Y.Adamopoulos@noc.ntua.gr.
