We use Unix authentication for authenticating to Juniper devices running the Junos operating system (Junos OS).
This help describes how to create a custom login class with the least privileges required for scanning, and then associate the scan user account with that class.
Junos OS allows you to grant access or permissions to the commands and configuration hierarchy levels and statements. This enables users to execute only those commands and configure and view only those statements for which they have access privileges. You can use extended regular expressions to specify which operational mode commands, configuration statements, and hierarchies are denied or allowed for users. This prevents unauthorized users from executing or configuring sensitive commands and statements that could potentially cause damage to the network.
Junos OS uses login classes to assign permissions to groups of users. Each user must be part of a login class. You can define a custom login class with the permissions you want to grant to the scan user account. The account must be configured so that it's able to execute the commands that are required for scanning these devices.
For compliance scans:
show interfaces statistics
show configuration | display xml
For vulnerability scans:
show version
cli show version
show bgp summary
cli show bgp summary
show chassis hardware
cli show chassis hardware
The following permissions will provide the least privileges required for scanning devices with Junos OS. This set of permission flags will only allow the scan user account to view information but not modify information.
Permission flag | Description
--- | ---
admin | Can view user account information in configuration mode and with the show configuration operational mode command.
interface | Can view the interface configuration in configuration mode and with the show configuration operational mode command.
routing | Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
shell | Can start a local shell on the router or switch by using the start shell command.
snmp | Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes.
system | Can view system-level information in configuration and operational modes.
view | Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.
Follow the steps below to create a custom login class and provide permissions (least privilege) at different hierarchy levels. Then add the scan user account to this class.
1) Create a custom login class. In this example, the new class is named "mytestclass":
[edit system login]
root@pcavmx14# edit class mytestclass ?
Possible completions:
<[Enter]> Execute this command
| Pipe through a command
2) Go to the new custom login class. Here's an example that lists the permission flags available with set permissions ?:
[edit system login class mytestclass]
root@pcavmx14# set permissions ?
Possible completions:
[ Open a set of values
access Can view access configuration
access-control Can modify access configuration
admin Can view user accounts
admin-control Can modify user accounts
all All permission bits turned on
clear Can clear learned network info
configure Can enter configuration mode
control Can modify any config
field Can use field debug commands
firewall Can view firewall configuration
firewall-control Can modify firewall configuration
floppy Can read and write the floppy
flow-tap Can view flow-tap configuration
flow-tap-control Can modify flow-tap configuration
3) Use the following command to assign required permissions to the custom login class. You can give multiple permission flags in one command, or use separate commands.
[edit system login class mytestclass]
root@comvmx14# set permissions interface permissions system permissions snmp permissions routing permissions view permissions shell permissions admin
4) Create the scan user account and associate it with the custom login class. In the following example, the user "scanuser" is associated with the custom class "mytestclass". Because the class was given only read permission flags, this user will not be able to modify information.
[edit system login]
root@comvmx14# set user scanuser class mytestclass
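To confirm that the class really stays view-only once deployed (and to catch later drift), the following added Python script, which is not part of this help page or of Junos OS, audits the output of show configuration system login | display set. Its sample input is constructed from the commands in steps 3 and 4; the second sample adds two modifying flags to show how a drifted class is reported.

```python
import re

# Read-only flags from the table above. "shell" is part of the page's set but is
# reported separately: it starts a local shell rather than viewing data.
PAGE_FLAGS = {"admin", "interface", "routing", "snmp", "system", "view", "shell"}
# Flags from the "set permissions ?" listing that enter configuration mode or change
# state; every "*-control" flag is one of the "Can modify ..." flags in that listing.
MODIFYING_FLAGS = {"all", "configure", "control", "clear"}
CLASS_PERM_RE = re.compile(r"^set system login class (\S+) permissions (.+)$")
USER_CLASS_RE = re.compile(r"^set system login user (\S+) class (\S+)$")

def parse_login_config(display_set_text):
    # Returns ({class: {flags}}, {user: class}) from "| display set" output.
    classes, users = {}, {}
    for line in display_set_text.splitlines():
        line = line.strip()
        m = CLASS_PERM_RE.match(line)
        if m:  # one flag per line or a bracketed "[ a b ]" list: accept both
            classes.setdefault(m.group(1), set()).update(m.group(2).strip("[] ").split())
            continue
        m = USER_CLASS_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    return classes, users

def audit_scan_user(display_set_text, user):
    # Resolve the user's class and flag anything that is not view-only.
    classes, users = parse_login_config(display_set_text)
    cls = users.get(user)
    flags = classes.get(cls, set())
    modifying = sorted(f for f in flags if f in MODIFYING_FLAGS or f.endswith("-control"))
    return {
        "class": cls,
        "permissions": sorted(flags),
        "modifying_flags": modifying,  # must be empty for a scan-only class
        "unexpected_flags": sorted(flags - PAGE_FLAGS - set(modifying)),  # review by hand
        "grants_shell": "shell" in flags,
    }

# Constructed sample (not captured from a device) mirroring steps 3 and 4 above.
SAMPLE_OK = "".join(f"set system login class mytestclass permissions {f}\n"
                    for f in ("interface", "system", "snmp", "routing", "view", "shell", "admin"))
SAMPLE_OK += "set system login user scanuser class mytestclass\n"
# Constructed drift: the same class later picked up two modifying flags.
SAMPLE_DRIFT = SAMPLE_OK + ("set system login class mytestclass permissions configure\n"
                            "set system login class mytestclass permissions admin-control\n")
```

Run audit_scan_user against the real display set output and treat a non-empty modifying_flags list as a finding; grants_shell is reported so you can decide whether the scan account needs a local shell at all.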