topic Query Multi-Domain Super Users in API / CLI Discussion

Query Multi-Domain Super Users

Mike_A — Tue, 18 Dec 2018 16:03:03 GMT

Hello,

Is there any API command to show only multi-domain super users? I have been unable to find one.

If there is not, I'm wondering how others, for auditing purposes, obtain a list of admins who have read/write access, if any are willing to share their methods.

Re: Query Multi-Domain Super Users

Joshua_Hatter — Tue, 18 Dec 2018 19:53:01 GMT

Use show-administrators against MDS with details-level full and parse for the relevant profile.

Short python example.

Re: Query Multi-Domain Super Users

Danny — Wed, 19 Dec 2018 08:08:53 GMT

Or just run mdsconfig

Re: Query Multi-Domain Super Users

Mike_A — Wed, 19 Dec 2018 10:59:16 GMT

Thanks Joshua! I'll give this a shot but I believe this will give the desired result.

Re: Query Multi-Domain Super Users

Mike_A — Wed, 19 Dec 2018 11:13:40 GMT

Danny,

Thanks. I'm looking for a way to automate and gather this information on a reoccurring basis without the intervention of my team. By using 'mdsconfig', or a screen shot from SmartConsole, we are inherently forcing the team to manually perform these tasks when the auditors ask. With the API I was hoping to write a script, or in this case harvest Joshua's, and run this job every quarter and email out the results.

Re: Query Multi-Domain Super Users

Danny — Wed, 19 Dec 2018 12:54:39 GMT

Mike,

mdsconfig is just an interactive tool to quickly access various Check Point commands.

Your interest is in option 6 - Administrators which simply executes mdsquerydb.

Example:

mdsquerydb Administrators‍‍‍‍‍‍‍

Addtional queries to collect the admin type can be configured within $MDSDIR/conf/queries.conf

So a simple One-liner added as cron job via GAiA's built-in job scheduler would easily address your needs to send you the list as a mail.

mdsquerydb Administrators | $FWDIR/bin/sendmail -s 'Multi-Domain Super Users' -t MAILSERVER -f SENDER_EMAIL_ADDRESS RECEIVER_EMAIL_ADDRESS;‍‍‍‍‍‍‍

In order to run a python ($FWDIR/Python/bin/python) script you would first need to whitelist it within /etc/fw/conf/whitelist to be able to run it.

Re: Query Multi-Domain Super Users

Mike_A — Wed, 19 Dec 2018 13:56:34 GMT

Danny,

The 'mdsquerydb Administrators' will output the list of names, I modified the queries.conf file and added "type" after the __name__ attribute. The response I get when adding "type" is 'mike-andretta pv1_administrator' for every user. Im looking at sk65181 at the various attributes that could be used in queries.conf but it does not look like, other than type, there is an attribute that will show more of a "Profile Type" which would indicate the Domain Manager vs Multi-Domain Super User.

Am I missing an attribute that would give me more of what im looking for by using mdsquerydb?

Re: Query Multi-Domain Super Users

Mike_A — Wed, 19 Dec 2018 16:07:44 GMT

Danny,

I was able to find "msp_perm" that is returning a number. It looks like 2x numbers are possibly returned, in my scenario 80000000 which looks to equal super user and 10000000 which matches up with my Domain Managers. Is there a better way, table/attribute, to gather this information?

[Expert@XXXX:0]# cat $MDSDIR/conf/queries.conf | grep Admin
MDS "mdsdb" Administrators attr pv1_administrators "" __name__,msp_perm # Get names of all Administrators

[Expert@XXXX:0]# mdsquerydb Administrators | grep mike-andretta
mike-andretta 80000000