Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
Configuring Read Only Admin User
« previous
next »
Print
Pages: [
1
]
Author
Topic: Configuring Read Only Admin User (Read 4151 times)
Neo
Newbie
Posts: 14
Karma: 1
Configuring Read Only Admin User
«
on:
March 13, 2021, 03:43:30 am »
Hey everyone.
I'm new to the forum and new to OpnSense (but not new to firewalls, networking, etc.) and this is my first post here. I have done some searching both via google and on the forums here and was surprised not to find much on this topic. I hope this is the correct place to ask this question and that I have not missed something obvious either in the configuration or in my searches...
I've been working with my nephew to deploy OpnSense for a "home lab" scenario. This started as an exploration of open source firewall alternatives and now I'm ready to put something into "production" with real traffic and devices behind it and, as such, I'm starting to lock things down and harden the configuration...
As part of this I wanted to configure an admin user (for my nephew) with read only privileges that can view all of the pages and logs and such but cannot make changes to the configuration. I did this for him on my SonicWALL originally so he could learn stuff and even help me troubleshoot (but without me having to worry about him making unauthorized changes or playing whack-a-mole trying to solve a problem)...
So far, I've created a group called "view" and started setting up GUI privileges but it seems like certain pages allow editing or seem to be all-or-nothing (see and edit or don't see at all)... Perhaps I don't understand exactly how this works or what the limitations are but before I spent too much more time on it I thought I'd ask if there is a guide or set of recommendations for creating a read only "admin" that can see everything but not change it.
Perhaps there is a simple way of doing that I'm just missing?
Also, on a somewhat related note, I'm looking for a guide on how best to harden the OpnSense configuration. I've set a strong password on root, created a separate user with full admin privileges for myself, made sure SSH is not enabled, etc. but I'm still fairly new to OpnSense and not feeling 100% confident I have not missed something. I've also not attempted to setup MFA at this point (yet).
Thanks.
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: Configuring Read Only Admin User
«
Reply #1 on:
March 13, 2021, 07:22:47 am »
hi
imho you're doing everything right.
to my impressions, the ACL functions are not used so often, therefore it is not so granular and polished (more feedback - more improvements)
the main parameter for setting read-only mode is "User System: Deny config write"
Logged
Neo
Newbie
Posts: 14
Karma: 1
Re: Configuring Read Only Admin User
«
Reply #2 on:
March 17, 2021, 09:31:03 pm »
I think I have a configuration that is 'functional' for my purpose at this point (see below). However, I'd like to have control over the Reporting section (specifically to be able to remove access to the Reporting:Settings page) and I'd like to be able to allow viewing of Services without having to allow Start/Stop/Reset...
Also, after more research it appears the "User System: Deny config write" privilege may be deprecated as a warning is presented when selected it that it may be removed in a future release...
This thread discusses the topic 2 years ago, before the release of 19.7 and indicates that, from a development perspective, "The 'privilege' to take away privilege is deeply flawed from the get go..."
https://forum.opnsense.org/index.php?topic=12039.0
This makes we wonder what the future is for creating/maintaining this type of access... While it might not be something used often for home lab environments I would think there is a fair amount of merit for it's use in various company / production environments. So, I'd be pleased to know what the developers think about this and what direction they see taking on it in the future.
Below is what I've come up with thus far...
Type Name
GUI Lobby: Login / Logout / Dashboard
GUI Dashboard (widgets only)
GUI Diagnostics: ARP Table
GUI Diagnostics: Configuration History
GUI Diagnostics: Logs: Firewall: Live View
GUI Diagnostics: Logs: Firewall: Plain View
GUI Diagnostics: Logs: Firewall: Summary View
GUI Diagnostics: Logs: Gateways
GUI Diagnostics: Logs: System
GUI Diagnostics: Netstat
GUI Diagnostics: Network Insight
GUI Diagnostics: Packet Capture
GUI Diagnostics: PF Table IP addresses
GUI Diagnostics: pfInfo
GUI Diagnostics: pfTop
GUI Diagnostics: Ping
GUI Diagnostics: Routing tables
GUI Diagnostics: Show States
GUI Diagnostics: States Summary
GUI Diagnostics: System Activity
GUI Diagnostics: System Health
GUI Diagnostics: Test Port
GUI Diagnostics: Traceroute
GUI Firewall: NAT: Outbound
GUI Firewall: Rules
GUI Status: DHCP leases
GUI Status: Interfaces
GUI Status: IPsec
GUI Status: NTP
GUI Status: OpenVPN
GUI Status: Services
GUI Status: System logs: IPsec VPN
GUI Status: System logs: NTP
GUI Status: System logs: OpenVPN
GUI Status: System logs: Routing
GUI Status: Traffic Graph
User System: Deny config write
GUI System: Gateway Groups
GUI System: Gateways
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
Configuring Read Only Admin User