Query Multi-Domain Super Users
Hello,
Is there any API command to show only multi-domain super users? I have been unable to find one.
If there is not, I'm wondering how others, for auditing purposes, obtain a list of admins who have read/write access, if any are willing to share their methods.
Use show-administrators against MDS with details-level full and parse for the relevant profile.
Short python example.
Thanks Joshua! I'll give this a shot but I believe this will give the desired result.
Or just run mdsconfig
Danny,
Thanks. I'm looking for a way to automate and gather this information on a reoccurring basis without the intervention of my team. By using 'mdsconfig', or a screen shot from SmartConsole, we are inherently forcing the team to manually perform these tasks when the auditors ask. With the API I was hoping to write a script, or in this case harvest Joshua's, and run this job every quarter and email out the results.
Mike,
mdsconfig is just an interactive tool to quickly access various Check Point commands.
Your interest is in option 6 - Administrators which simply executes mdsquerydb.
Example:
mdsquerydb Administrators
Additional queries to collect the admin type can be configured within $MDSDIR/conf/queries.conf
So a simple One-liner added as cron job via GAiA's built-in job scheduler would easily address your needs to send you the list as a mail.
mdsquerydb Administrators | $FWDIR/bin/sendmail -s 'Multi-Domain Super Users' -t MAILSERVER -f SENDER_EMAIL_ADDRESS RECEIVER_EMAIL_ADDRESS;
In order to run a python ($FWDIR/Python/bin/python) script you would first need to whitelist it within /etc/fw/conf/whitelist to be able to run it.
Danny,
The 'mdsquerydb Administrators' will output the list of names. I modified the queries.conf file and added "type" after the __name__ attribute. The response I get when adding "type" is 'mike-andretta pv1_administrator' for every user. I'm looking at sk65181 at the various attributes that could be used in queries.conf but it does not look like, other than type, there is an attribute that will show more of a "Profile Type" which would indicate the Domain Manager vs Multi-Domain Super User.
Am I missing an attribute that would give me more of what I'm looking for by using mdsquerydb?
Danny,
I was able to find "msp_perm" that is returning a number. It looks like 2x numbers are possibly returned, in my scenario 80000000 which looks to equal super user and 10000000 which matches up with my Domain Managers. Is there a better way, table/attribute, to gather this information?
[Expert@XXXX:0]# cat $MDSDIR/conf/queries.conf | grep Admin
MDS "mdsdb" Administrators attr pv1_administrators "" __name__,msp_perm # Get names of all Administrators
[Expert@XXXX:0]# mdsquerydb Administrators | grep mike-andretta
mike-andretta 80000000
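
An added example, not code from any poster in this thread: a shell filter for the `mdsquerydb Administrators` output shown above (queries.conf returning `__name__,msp_perm`), suitable for the cron-plus-sendmail pipeline suggested earlier. It assumes the two msp_perm values observed in the last post (80000000 for super user, 10000000 for Domain Manager), which the thread does not confirm as documented; the function names and sample rows other than mike-andretta are constructed.

```shell
#!/bin/sh
# Added example. The msp_perm-to-role mapping below is only what the poster
# observed on one system; it is an assumption, not documented behaviour.

# classify_admins: read "name msp_perm" lines on stdin and print
# "role<TAB>name<TAB>msp_perm", sorted. Any value outside the observed mapping
# is labelled UNKNOWN so it gets a manual review instead of being dropped.
classify_admins() {
    awk '
        NF < 2 { next }                       # skip blank or malformed lines
        {
            name = $1
            perm = $NF                        # msp_perm is the last column
            if (perm == "80000000")      role = "SUPERUSER"
            else if (perm == "10000000") role = "DOMAIN_MANAGER"
            else                         role = "UNKNOWN"
            printf "%s\t%s\t%s\n", role, name, perm
        }' | sort
}

# superusers: names classified as Multi-Domain Super User.
superusers() {
    classify_admins | awk -F '\t' '$1 == "SUPERUSER" { print $2 }'
}

# needs_review: names whose msp_perm is neither of the two observed values.
needs_review() {
    classify_admins | awk -F '\t' '$1 == "UNKNOWN" { print $2 " (" $3 ")" }'
}

# Constructed sample input; on the MDS, pipe `mdsquerydb Administrators` instead.
SAMPLE='mike-andretta 80000000
example-dm1 10000000
example-dm2 10000000
example-other 00000001'

# Run with --demo to print the classified sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | classify_admins
fi
```

In the scheduled job, `mdsquerydb Administrators | superusers` would replace the bare `mdsquerydb Administrators` in front of sendmail; a non-empty `needs_review` result means the assumed mapping does not cover every administrator on that system.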