Configuration considerations, Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual
Configuration considerations
The configuration in this example includes two parts:
Step 1: Logging in to the device as the system administrator
• Enable the saving of security logs into the security log file, and set the interval at which the system saves the security log file to one hour.
• Create a local user seclog with the password 123123123123, and authorize this user as the security log administrator. That is, use the authorization-attribute command to set the user privilege level to 3 and the user role to security audit. In addition, use the service-type command to specify the service types that the user can use.
• Set the authentication mode to scheme for users logging in to the device, so that only a local user that has passed AAA local authentication can view and perform operations on the security log file.
Step 2: Logging in to the device as the security log administrator
• Set the directory for saving the security log file to cfa0:/securitylog/seclog.log.
• View the contents of the security log file to get the security status of the device.
• Back up the security log file to the FTP server.
Configuration procedure
Step 1: Configuration performed by the system administrator
# Enable the saving of the security logs into the security log file and set the frequency with which the system automatically saves the security log file to one hour.
[Sysname] info-center security-logfile enable
[Sysname] info-center security-logfile frequency 3600
# Create a local user seclog, and configure the password for the user as 123123123123.
[Sysname] local-user seclog
New local user added.
[Sysname-luser-seclog] password simple 123123123123
# Authorize the user to manage the security log file.
[Sysname-luser-seclog] authorization-attribute level 3 user-role security-audit
# Authorize the user to use SSH, Telnet, and terminal services.
[Sysname-luser-seclog] service-type ssh telnet terminal
[Sysname-luser-seclog] quit
# According to the network plan, the user will log in to the device through SSH or Telnet, so you need to configure the authentication mode of the VTY user interfaces as scheme.
[Sysname] display user-interface vty ?
INTEGER<0-4> Specify one user terminal interface
The above information indicates that the device supports five VTY user interfaces, which are numbered 0 through 4.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] quit
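One way to check the system administrator's settings after entering them, added here as an example and not taken from the H3C manual: the script reads a session transcript in the prompt format shown above, confirms the three settings this procedure depends on, and flags the plaintext numeric password and the Telnet service type. The finding codes and the embedded transcript are constructed for this example.

```python
import re

# Constructed sample: the Step 1 commands from this page, prompts included.
SESSION = """\
[Sysname] info-center security-logfile enable
[Sysname] info-center security-logfile frequency 3600
[Sysname] local-user seclog
New local user added.
[Sysname-luser-seclog] password simple 123123123123
[Sysname-luser-seclog] authorization-attribute level 3 user-role security-audit
[Sysname-luser-seclog] service-type ssh telnet terminal
[Sysname-luser-seclog] quit
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] quit
"""

PROMPT = re.compile(r"^\[([^\]]+)\]\s+(\S.*)$")

def parse(session):
    """Return (view, command) pairs; device output without a prompt is skipped."""
    return [m.groups() for m in map(PROMPT.match, session.splitlines()) if m]

def audit(session):
    """Return finding codes (the names are this example's own, not H3C's)."""
    cmds = [(view, cmd.split()) for view, cmd in parse(session)]
    findings = []
    # Settings the procedure on this page depends on.
    if not any(c == ["info-center", "security-logfile", "enable"] for _, c in cmds):
        findings.append("LOGFILE-NOT-ENABLED")
    if not any("-luser-" in v and c[0] == "authorization-attribute"
               and "security-audit" in c for v, c in cmds):
        findings.append("NO-SECURITY-AUDIT-USER")
    if not any("-ui-vty" in v and c == ["authentication-mode", "scheme"] for v, c in cmds):
        findings.append("VTY-NOT-SCHEME")
    # Settings worth tightening before the example is reused outside a lab.
    for view, c in cmds:
        if "-luser-" not in view:
            continue
        user = view.split("-luser-", 1)[1]
        if c[:2] == ["password", "simple"]:  # password supplied as plaintext
            findings.append(f"{user}:SIMPLE-PASSWORD")
            if c[2:] and c[2].isdigit():
                findings.append(f"{user}:DIGITS-ONLY-PASSWORD")
        if c[0] == "service-type" and "telnet" in c[1:]:  # unencrypted login
            findings.append(f"{user}:TELNET-ALLOWED")
    return findings

if __name__ == "__main__":
    print(audit(SESSION))
```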
Step 2: Configuration performed by the security log administrator