Service Account - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Appendix A
System Architecture
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01)

Service—This user role does not have direct access to the CLI. Service account users are logged
directly into a bash shell. Use this account for support and troubleshooting purposes only.
Unauthorized modifications are not supported and will require the device to be reimaged to
guarantee proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning:
******************************* WARNING *****************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only.
Unauthorized modifications are not supported and will require this device to be
re-imaged to guarantee proper operation.
*********************************************************************************

Note
The service role is a special role that allows you to bypass the CLI if needed. Only a user with
Administrator privileges can edit the service account.

Service Account

The service account is a support and troubleshooting tool that enables TAC to log in to a native operating
system shell rather than the CLI shell. It does not exist on the sensor by default. You must create it so
that it is available for TAC to use for troubleshooting your sensor. For the procedure to create the service
account, see Creating the Service Account, page 4-13.

Only one service account is allowed per sensor and only one account is allowed a service role. When the
service account's password is set or reset, the root account's password is set to the same password. This
allows the service account user to su to root using the same password. When the service account is
removed, the root account's password is locked.

The service account is not intended to be used for configuration purposes. Only modifications made to
the sensor through the service account under the direction of TAC are supported. Cisco Systems does not
support adding or running additional services on the operating system through the service account,
because doing so affects the performance and proper functioning of the other IPS services. TAC
does not support a sensor on which additional services have been added.

You can track logins to the service account by checking the log file /var/log/.tac, which is updated with
a record of service account logins.

Note
IPS 5.0 incorporates several troubleshooting features that are available through the CLI or IDM. The
service account is not necessary for most troubleshooting situations. You may need to create the service
account at the TAC's direction to troubleshoot a unique problem. The service account lets you
bypass the protections built into the CLI and allows root privilege access to the sensor, which is
otherwise disabled. We recommend that you do not create a service account unless it is needed for a
specific reason. You should remove the service account when it is no longer needed.
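One way to act on the login tracking in /var/log/.tac described above, as an added example that is not from the Cisco guide: compare a fresh copy of the file against the size and SHA-256 recorded at the last review. It assumes the file is append-only and treats each line as an opaque record, because the guide does not describe the record layout; the function names and sample lines are constructed for illustration.

```python
import hashlib

def snapshot(data: bytes) -> dict:
    """Record what was reviewed: byte count and SHA-256 of the log copy."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def review(baseline: dict, current: bytes) -> dict:
    """Classify a fresh copy of /var/log/.tac against the last reviewed state.

    Assumption (not stated in the guide): the file only grows, one record per
    line, so the reviewed prefix must still be present byte for byte.
    """
    size = baseline["size"]
    if len(current) < size:
        # Fewer bytes than were already reviewed: records were removed.
        return {"status": "TRUNCATED", "new_records": []}
    if hashlib.sha256(current[:size]).hexdigest() != baseline["sha256"]:
        # Same or greater length, but the reviewed part no longer matches.
        return {"status": "REWRITTEN", "new_records": []}
    tail = current[size:].decode("utf-8", errors="replace")
    new_records = [line for line in tail.splitlines() if line.strip()]
    status = "NEW_LOGINS" if new_records else "UNCHANGED"
    return {"status": status, "new_records": new_records}

if __name__ == "__main__":
    # Constructed sample copies; real records will look different.
    reviewed = b"constructed-login-record-1\n"
    baseline = snapshot(reviewed)
    samples = {
        "no activity": reviewed,
        "two new logins": reviewed
        + b"constructed-login-record-2\nconstructed-login-record-3\n",
        "log emptied": b"",
        "history altered": b"constructed-login-record-X\n",
    }
    for label, data in samples.items():
        result = review(baseline, data)
        print(f"{label}: {result['status']} {result['new_records']}")
```

Each NEW_LOGINS record should correspond to a TAC-directed session. TRUNCATED or REWRITTEN means the login history can no longer be trusted, which matters because the service account user can su to root.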
