Citrix ADC read-only on configuration but be able to generate and download trace and support bundle

You might be able to grant access to the nstrace to a limited rights user but downloads have some file transfer dependencies that need broader rights than you might like.


This is not your exact scenario, but it explains some of the command granularity needed, which might help you solve your scenario for the nstrace rights (for certs management and uploads/downloads). It also shows an attempt at restricting the file command to only certain directories for certs (which could be adjusted for the trace directories).

It might get you in the ballpark for your nstrace rights and its file transfer considerations, but it also shows the limits of what we could and couldn't restrict.


The portion on the "file" command is likely needed to download the trace files, and that's where I think you're going to have possibly more rights than you intend.





Bottom line: commands that deal with the file system, viewing the file system, and shell get messy and potentially risky. (See notes in the cert one I referenced above.)


But here's a quick test of what you might be able to do for a "nstrace admin":


Again, review to make sure expression is strict enough for your requirements. I'm not guaranteeing this is the most restrictive regex or that it can't be exploited more.


Example 1:  Basic Rights to run nstrace (via System > Diagnostics > Start new trace) and download/view traces via System > Diagnostics > Delete/Download Trace Files.

You should be able to create a cmd policy like this to allow a user to run (start/stop) nstrace and view/download files only from the /var/nstrace directories. Note: you can't download folders even as a superuser and have to open the directory to go to individual files. You can add this as a policy in addition to the read-only rights (which are assumed for the below to work).

(^(start|stop) nstrace.*)|(^(add|show) system file.* -fileLocation "/var/nstrace/.*")


The above doesn't allow the nstrace admin to delete traces.  See notes in Example 2 below, because that gets messier.


This command is missing one more thing executed in the gui when the trace executes:

This line is also denied:  "shell ls /var/nstrace/<tracedirname>/.inprogress"

I don't think this is needed, and I would hesitate to grant access to shell, but this is what makes interactions with the file system/shell tricky. I did not confirm that the data in the trace file was valid or was even written out. I think this is just a progress indicator in the GUI.


Example 2: Trying to delete is complicated...

I tried with this variant...

(^(start|stop) nstrace.*)|(^(add|show) system file.* -fileLocation "/var/nstrace/.*")|(^rm system file.* -fileLocation "/var/nstrace.*")


BUT the actual deletion command triggered for a directory or file (in the delete nstrace option) by a full admin involves all of these additional events, which are not accounted for above:

<audit log excerpt>

rm system file 19Nov2021_02_54_50 -fileLocation "/var/nstrace"" - Status "ERROR: File operation failed"

show ns config" - Status "Success"
show system file -fileLocation "/var/nstrace/"" - Status "Success"
show system file -fileLocation "/var/nstrace/"" - Status "Success"
sftp-server" - Status "Success"
show system file -fileLocation "/var/nstrace/"" - Status "Success"
show system file -fileLocation "/var/nstrace/"" - Status "Success"


The partial admin rights above do not allow for the sftp-server invocation, so without additional customization the restricted admin cannot delete. I would recommend avoiding this requirement.





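A quick way to see the coverage gap described in the two examples above is to evaluate the posted policy expressions against the commands the audit excerpt shows the GUI issuing. The script below is an added example, not code from the post or from Citrix; it assumes an ALLOW cmdPolicy spec behaves like a standard regex applied to the full command line, and it reconstructs the command strings from the audit excerpt with the trailing status suffix stripped.

```python
import re

# Command policy specs quoted from the post (Example 1 and Example 2).
EXAMPLE1 = (r'(^(start|stop) nstrace.*)'
            r'|(^(add|show) system file.* -fileLocation "/var/nstrace/.*")')
EXAMPLE2 = EXAMPLE1 + r'|(^rm system file.* -fileLocation "/var/nstrace.*")'

# Commands the post reports the GUI issuing, reconstructed from its audit
# excerpt and text. <tracedirname> is the post's own placeholder for a trace
# directory name, kept as-is.
AUDIT_COMMANDS = [
    'start nstrace',
    'stop nstrace',
    'show system file -fileLocation "/var/nstrace/"',
    'rm system file 19Nov2021_02_54_50 -fileLocation "/var/nstrace"',
    'show ns config',   # expected to be covered by the separate read-only policy
    'sftp-server',      # the file-transfer dependency the post points out
    'shell ls /var/nstrace/<tracedirname>/.inprogress',
]


def allowed(policy_spec: str, command: str) -> bool:
    """Assumption: the ADC evaluates the ALLOW spec as a regex search over the
    command line, which is how the post's '^'-anchored expressions are written."""
    return re.search(policy_spec, command) is not None


def uncovered(policy_spec: str, commands) -> list:
    """Commands a user holding only this policy (plus nothing else) would be denied."""
    return [c for c in commands if not allowed(policy_spec, c)]


if __name__ == "__main__":
    for name, spec in (("Example 1", EXAMPLE1), ("Example 2", EXAMPLE2)):
        print(f"{name} denies:")
        for cmd in uncovered(spec, AUDIT_COMMANDS):
            print("   ", cmd)
```

Example 2 closes the `rm system file` gap but still leaves `sftp-server` and the `shell ls` progress check denied, which is why the post concludes that delete is not achievable with a policy of this shape.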
