
Command-Level Authorization

In some organizations, there may be more than one firewall administrator for the Security Appliances. In those instances, you can either give those other administrators full rights and privileges on the Security Appliances or restrict them to the commands their assigned functions require, thereby reducing the chance of unintended (or sometimes malicious) events occurring on the firewall(s). The PIX operating system provides a mechanism for controlling what type of command a user can execute.

The Security Appliance software version 6.2 and higher supports up to 16 privilege levels.

This is similar to what is available with IOS Software. With this feature, you can assign Security Appliance commands to one of 16 levels, 0 through 15.

When commands and users have privilege levels set, the two levels are compared to determine if a given user can execute a given command. If the user’s privilege level is lower than the privilege level of the command, the user is prevented from executing the command.

In the default configuration, each Security Appliance command is assigned to either privilege level 0 or privilege level 15.

The privilege command sets user-defined privilege levels for Security Appliance commands:

[no] privilege [show | clear | configure] level level [mode enable | configure] command command

Table 4-2 shows the description of the privilege command parameters.


For example, the following commands set the privilege level of the different command modifiers of the access-list command:

privilege show level 9 command access-list
privilege configure level 11 command access-list
privilege clear level 10 command access-list

The first line sets the privilege level of show access-list (the show modifier of the access-list command) to 9. The second line sets the privilege level of the configure modifier to 11, and the last line sets the privilege level of the clear modifier to 10.

To set the privilege of all the modifiers of the access-list command to a single privilege level of 10, you would enter the following command:

privilege level 10 command access-list

Once you have selected the commands for which you want to change the default privileges, you enable the command authorization feature with either LOCAL or TACACS+. The following command enables command authorization against the LOCAL database:

aaa authorization command LOCAL

Table 4-2 Privilege Command Parameter Descriptions

Parameter            Description
show                 Sets the privilege level for the show command corresponding to the command specified.
clear                Sets the privilege level for the clear command corresponding to the command specified.
configure            Sets the privilege level for the configure command corresponding to the command specified.
level (keyword)      Specifies the privilege level.
level (argument)     The privilege level, from 0 to 15. (Lower numbers are lower-privilege levels.)
mode                 For commands that are available in multiple modes, use the mode parameter to specify the mode in which the privilege level applies.
enable               For commands with both enable and configure modes, this indicates that the level is for the enable mode of the command.
configure            For commands with both enable and configure modes, this indicates that the level is for the configure mode of the command.
command (keyword)    The command to allow.
command (argument)   The command on which to set the privilege level.

To define a user account in the LOCAL database, enter the following command:

username username {nopassword | password password [encrypted]} [privilege level]

Table 4-3 shows the description of the parameters of the username command.

When users log in to the Security Appliance, they can enter any command assigned to their privilege level or to a lower privilege level. For example, a user account with a privilege level of 15 can access every command because this is the highest privilege level. A user account with a privilege level of 0 can access only the commands assigned to level 0.

For example, the following command assigns a privilege level of 10 to the user account Fwadmin2:

username Fwadmin2 password cspfa2ed privilege 10

If no privilege level is specified, the user account is created with a privilege level of 2. You can define as many user accounts as you need. If you are not sure which privilege level is assigned to a command, use the show running-config privilege all command to view the assignments.

To view the privilege level assignment of a specific command, enter the following command:

show running-config privilege command command

Replace command with the command for which you want to display the assigned privilege level. For example, the following command displays the privilege assignment for the capture command:

PXFW01# show running-config privilege command capture
privilege show level 15 command capture
privilege clear level 15 command capture
privilege configure level 15 command capture
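As an added example (not code from the book or from Cisco), the following Python parses privilege and username lines in the format shown in the output above and applies the comparison rule stated earlier in this section: a user may execute a command only when the user's privilege level is at least the level assigned to that command modifier. It also reports, per local user, which command modifiers that user can run, which is the check an auditor would want before turning on aaa authorization command LOCAL. The sample configuration lines are constructed for the example; the password fields are placeholders, and the fallback to privilege level 2 for a username line without the privilege keyword follows the default described above.

```python
"""Audit PIX command-level authorization from running-config lines.

Parses 'privilege <show|clear|configure> level N [mode ...] command X' and
'username ...' lines, then applies the rule: denied if user level < command level.
"""
import re

# Constructed sample in the running-config format shown on the page.
# Password values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
privilege show level 9 command access-list
privilege configure level 11 command access-list
privilege clear level 10 command access-list
privilege show level 15 command capture
privilege clear level 15 command capture
privilege configure level 15 command capture
username Fwadmin2 password <placeholder> privilege 10
username noc_ops password <placeholder> privilege 15
username helpdesk nopassword
"""

PRIV_RE = re.compile(
    r"^privilege\s+(?P<mod>show|clear|configure)\s+level\s+(?P<lvl>\d+)"
    r"(?:\s+mode\s+(?P<mode>enable|configure))?\s+command\s+(?P<cmd>\S+)\s*$"
)
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+(?:nopassword|password\s+\S+(?:\s+encrypted)?)"
    r"(?:\s+privilege\s+(?P<lvl>\d+))?\s*$"
)
# Level assigned to a user account created without the 'privilege' keyword.
DEFAULT_USER_LEVEL = 2


def parse_privileges(text):
    """Return {(modifier, command): level} for every 'privilege' line."""
    levels = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        lvl = int(m.group("lvl"))
        if not 0 <= lvl <= 15:
            raise ValueError(f"privilege level out of range: {line!r}")
        levels[(m.group("mod"), m.group("cmd"))] = lvl
    return levels


def parse_users(text):
    """Return {username: level}, applying the default for accounts without one."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group("name")] = (
                int(m.group("lvl")) if m.group("lvl") else DEFAULT_USER_LEVEL
            )
    return users


def can_execute(user_level, modifier, command, priv_levels):
    """The PIX rule: the user is denied when their level is lower than the command's."""
    cmd_level = priv_levels.get((modifier, command))
    if cmd_level is None:
        raise KeyError(f"no privilege assignment for '{modifier} {command}'")
    return user_level >= cmd_level


def permitted(user, users, priv_levels):
    """Sorted 'modifier command' strings the named local user may execute."""
    lvl = users[user]
    return sorted(
        f"{mod} {cmd}" for (mod, cmd), cmd_lvl in priv_levels.items() if lvl >= cmd_lvl
    )


if __name__ == "__main__":
    priv = parse_privileges(SAMPLE_CONFIG)
    users = parse_users(SAMPLE_CONFIG)
    for name in sorted(users):
        print(f"{name} (level {users[name]}): {permitted(name, users, priv)}")
```

Running the block prints, for each local user, the command modifiers that user can execute under the sample assignments; Fwadmin2 at level 10 can show and clear the access list but not configure it, because the configure modifier was set to 11.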

Table 4-3 Parameters of the username Command

Keyword/Parameter   Description
username            Name of the user (character string from 4 to 15 characters long).
password            Password (a character string from 3 to 16 characters long).
level               The privilege level you want to assign (0–15).
nopassword          Use this keyword to create a user account with no password.
encrypted           Use this keyword to encrypt your password.

Another useful command for seeing the privilege level is the show curpriv command. It displays the current privilege level. The following example shows output from the show curpriv command for a user named noc_ops. Username indicates the name the user entered when he
P_CONF indicates the user has entered the config terminal command:

PIXFW01(config)# show curpriv
Username : noc_ops
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
pixfirewall(config)# exit

To change between privilege levels, use the login command to access another privilege level and the disable command to exit that level.
