accounting on the PIX

Unanswered Question
Sep 14th, 2010

Hello everyone.

I have a question about accounting on the PIX.

I understand that it is an old device, but we have one. I want to log any command executed during an SSH session through the accounting feature.

aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Auth

But it logs only the amount of traffic passed through, not the activities. (Actually it works perfectly on other devices such as modern Catalysts.)

I found this question on these forums, but from May 11, 2003 (https://supportforums.cisco.com/message/855167#855167).

They said that this feature does work on PIX.

We use the latest IOS PIX version, 8.0(4) (11-AUG-2008).

Maybe something has changed since 2003.

I need to know exactly whether this feature exists on the PIX or not.

Please, help me find out.

Best Regards,

Denis

Vinay Sharma Wed, 09/22/2010 - 06:07

Hi Denis,

You can try one thing; I guess it should work, because according to the document:

Configuring Command Accounting

You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI. If you customize the command privilege level using the privilege command (see the "Assigning Privilege Levels to Commands and Enabling Authorization" section), you can limit which commands the security appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.

To enable command accounting, enter the following command:

hostname(config)# aaa accounting command [privilege level] server-tag

Where level is the minimum privilege level and server-tag is the name of the TACACS+ server group to which the security appliance should send command accounting messages. The TACACS+ server group configuration must already exist. For information about configuring a AAA server group, see the "Identifying AAA Server Groups and Servers" section on page 13-12.

As far as I know, the AAA accounting available on PIX 7.x for managing system access is command accounting.
Please refer to the following link to configure command accounting on the device for administrative access, such as Telnet, SSH, etc. Here's a sample configuration for PIX 7.2:

aaa accounting http console mytacgroup
aaa accounting serial console mytacgroup
aaa accounting telnet console mytacgroup
aaa accounting ssh console mytacgroup
aaa accounting enable console mytacgroup
aaa accounting command mytacgroup

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1059882

Thanks,

Vinay

amitaaga Fri, 09/24/2010 - 13:29

Hi Denis,

It seems that you are looking to do command accounting for SSH sessions passing through the firewall. If that is the case, then the accounting information will only include when sessions start and stop, the username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session. Unfortunately, for such sessions you will not be able to do command accounting.

Please refer to the link given below for more info:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535516

However, it is possible to know the commands (besides show commands) executed by a user logging directly into the firewall by configuring command accounting using the following command:

aaa accounting command

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1535253

Hope it helps.

Thanks,

Amitashwa
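To make the distinction drawn in the two answers concrete, here is a complete AAA configuration for a PIX/ASA running 7.x or 8.x. It is an added example, not configuration posted in the thread or taken from Cisco's documentation; the server group name TACACS, the address 192.0.2.10, the interface name "inside" and the shared key are placeholders. It puts the through-traffic accounting line from the question next to the console/command accounting that actually records administrator commands.

```cisco
! Added example (not from the original thread): AAA configuration on a
! PIX/ASA 7.x-8.x that sends every non-show CLI command entered by an
! administrator logged in over SSH to a TACACS+ accounting server.
! Server group name, host address, interface name and key are placeholders.
!
! 1. The TACACS+ server group that accounting records go to. It must exist
!    before any "aaa accounting ... TACACS" line references it.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key ExampleSharedSecret
!
! 2. Authenticate administrative sessions against that group, falling back
!    to the local user database so an unreachable server cannot lock you out.
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
!
! 3. Session accounting for administrative access: one start and one stop
!    record per SSH login and per entry into enable mode.
aaa accounting ssh console TACACS
aaa accounting enable console TACACS
!
! 4. Command accounting: one record per command (show commands excluded)
!    entered at the CLI. "privilege 15" is the optional minimum privilege
!    level from the documented syntax; drop it to account for every level.
aaa accounting command privilege 15 TACACS
!
! For contrast, the line from the question. This accounts for connections
! that pass THROUGH the firewall (the 0.0.0.0 masks match any source and
! destination), so its records carry only session start/stop, username,
! byte counts, service and duration, never the commands typed inside the
! tunnelled SSH session.
aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS
```

After applying it, `show running-config aaa` confirms the lines were accepted, and each command an administrator types (other than show) should appear as its own accounting record on the TACACS+ server. Command accounting does not require command authorization to be enabled, but if you already use `aaa authorization command`, the same privilege levels govern both.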
