Configuring Read Only Admin User

Started by Neo, March 13, 2021, 03:43:30 AM

Hey everyone.

I'm new to the forum and new to OpnSense (but not new to firewalls, networking, etc.) and this is my first post here. I have done some searching both via google and on the forums here and was surprised not to find much on this topic. I hope this is the correct place to ask this question and that I have not missed something obvious either in the configuration or in my searches...

I've been working with my nephew to deploy OpnSense for a "home lab" scenario. This started as an exploration of open source firewall alternatives and now I'm ready to put something into "production" with real traffic and devices behind it and, as such, I'm starting to lock things down and harden the configuration...

As part of this I wanted to configure an admin user (for my nephew) with read only privileges that can view all of the pages and logs and such but cannot make changes to the configuration. I did this for him on my SonicWALL originally so he could learn stuff and even help me troubleshoot (but without me having to worry about him making unauthorized changes or playing whack-a-mole trying to solve a problem)...

So far, I've created a group called "view" and started setting up GUI privileges but it seems like certain pages allow editing or seem to be all-or-nothing (see and edit or don't see at all)... Perhaps I don't understand exactly how this works or what the limitations are but before I spend too much more time on it I thought I'd ask if there is a guide or set of recommendations for creating a read only "admin" that can see everything but not change it.

Perhaps there is a simple way of doing that I'm just missing?

Also, on a somewhat related note, I'm looking for a guide on how best to harden the OpnSense configuration. I've set a strong password on root, created a separate user with full admin privileges for myself, made sure SSH is not enabled, etc. but I'm still fairly new to OpnSense and not feeling 100% confident I have not missed something. I've also not attempted to set up MFA at this point (yet).

Thanks.

Hi,
imho you're doing everything right.
To my impression, the ACL functions are not used so often, therefore they are not so granular and polished (more feedback - more improvements).
The main parameter for setting read-only mode is "User   System: Deny config write".

I think I have a configuration that is 'functional' for my purpose at this point (see below). However, I'd like to have control over the Reporting section (specifically to be able to remove access to the Reporting:Settings page) and I'd like to be able to allow viewing of Services without having to allow Start/Stop/Reset...

Also, after more research it appears the "User System: Deny config write" privilege may be deprecated, as a warning is presented when selecting it that it may be removed in a future release...

This thread discusses the topic 2 years ago, before the release of 19.7 and indicates that, from a development perspective, "The 'privilege' to take away privilege is deeply flawed from the get go..."
https://forum.opnsense.org/index.php?topic=12039.0

This makes me wonder what the future is for creating/maintaining this type of access... While it might not be something used often for home lab environments I would think there is a fair amount of merit for its use in various company / production environments. So, I'd be pleased to know what the developers think about this and what direction they see taking on it in the future.

Below is what I've come up with thus far...

Type   Name
GUI   Lobby: Login / Logout / Dashboard
GUI   Dashboard (widgets only)
GUI   Diagnostics: ARP Table
GUI   Diagnostics: Configuration History
GUI   Diagnostics: Logs: Firewall: Live View
GUI   Diagnostics: Logs: Firewall: Plain View
GUI   Diagnostics: Logs: Firewall: Summary View
GUI   Diagnostics: Logs: Gateways
GUI   Diagnostics: Logs: System
GUI   Diagnostics: Netstat
GUI   Diagnostics: Network Insight
GUI   Diagnostics: Packet Capture
GUI   Diagnostics: PF Table IP addresses
GUI   Diagnostics: pfInfo
GUI   Diagnostics: pfTop
GUI   Diagnostics: Ping
GUI   Diagnostics: Routing tables
GUI   Diagnostics: Show States
GUI   Diagnostics: States Summary
GUI   Diagnostics: System Activity
GUI   Diagnostics: System Health
GUI   Diagnostics: Test Port
GUI   Diagnostics: Traceroute
GUI   Firewall: NAT: Outbound
GUI   Firewall: Rules
GUI   Status: DHCP leases
GUI   Status: Interfaces
GUI   Status: IPsec
GUI   Status: NTP
GUI   Status: OpenVPN
GUI   Status: Services
GUI   Status: System logs: IPsec VPN
GUI   Status: System logs: NTP
GUI   Status: System logs: OpenVPN
GUI   Status: System logs: Routing
GUI   Status: Traffic Graph
User   System: Deny config write
GUI   System: Gateway Groups
GUI   System: Gateways
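A small audit script, added here as an example and not taken from the thread or from the OPNsense project, that reads an OPNsense-style config.xml and reports why a given user is not effectively read-only. It computes the user's effective privilege set (direct privileges plus those inherited through group membership) and flags two things the thread raises: the absence of the "Deny config write" privilege, and the presence of pages that look like view pages but carry write actions (the thread mentions Status: Services with its Start/Stop/Restart buttons and Reporting: Settings). The config.xml layout (`<system>`, `<user>`, `<group>`, `<member>`, `<priv>`) follows the OPNsense export format, but the privilege ids in the sample (`page-all`, `user-config-readonly`, `page-status-services`, and so on) are assumed names chosen for the example; the thread only gives the display names, so check them against your own export before relying on the allowlist.

```python
"""Audit an OPNsense-style config.xml for a user that is meant to be read-only.

Added example (not from the forum thread or the OPNsense project). Assumes the
config.xml structure <opnsense><system><user>/<group> with <uid>, <member> and
<priv> children. Privilege ids below are assumed, not taken from the thread.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Assumed internal id of the "User: System: Deny config write" privilege.
# The thread notes this privilege shows a deprecation warning, so the
# allowlist check below is the part to rely on long term.
READONLY_MARKER = "user-config-readonly"

# Privilege ids (assumed) that grant write actions even though they look like
# "view" pages, with the reason taken from the thread's observations.
WRITE_CAPABLE = {
    "page-all": "grants every page, including all editors",
    "page-status-services": "Status: Services exposes Start/Stop/Restart",
    "page-reporting-settings": "Reporting: Settings is editable",
}

# Constructed sample export (not a real device configuration). The "view"
# group has accidentally been given page-all alongside its view pages.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <user><name>nephew</name><uid>2001</uid><priv>user-config-readonly</priv></user>
    <user><name>admin</name><uid>0</uid><priv>page-all</priv></user>
    <group>
      <name>view</name><gid>2000</gid><member>2001</member>
      <priv>page-diagnostics-arp</priv>
      <priv>page-status-services</priv>
      <priv>page-all</priv>
    </group>
    <group><name>admins</name><gid>1999</gid><member>0</member><priv>page-all</priv></group>
  </system>
</opnsense>
"""


def effective_privileges(xml_text: str) -> Dict[str, Set[str]]:
    """Return {username: privilege ids} combining direct and group-inherited privileges."""
    system = ET.fromstring(xml_text).find("system")
    uid_to_name: Dict[str, str] = {}
    privs: Dict[str, Set[str]] = {}
    for user in system.findall("user"):
        name = user.findtext("name")
        uid_to_name[user.findtext("uid")] = name
        privs[name] = {p.text for p in user.findall("priv") if p.text}
    for group in system.findall("group"):
        group_privs = {p.text for p in group.findall("priv") if p.text}
        for member in group.findall("member"):
            name = uid_to_name.get(member.text)
            if name is not None:
                privs[name] |= group_privs
    return privs


def audit_readonly(xml_text: str, username: str) -> List[str]:
    """List reasons why `username` is not effectively read-only (empty list = passes)."""
    privs = effective_privileges(xml_text).get(username)
    if privs is None:
        return [f"user {username!r} not found"]
    findings: List[str] = []
    if READONLY_MARKER not in privs:
        findings.append(f"missing {READONLY_MARKER} (Deny config write)")
    for priv in sorted(privs):
        if priv in WRITE_CAPABLE:
            findings.append(f"{priv}: {WRITE_CAPABLE[priv]}")
    return findings


if __name__ == "__main__":
    for user in ("nephew", "admin"):
        print(user, "->", audit_readonly(SAMPLE_CONFIG, user) or ["read-only OK"])
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the contents of a downloaded config.xml; the point of computing the effective set is that a write privilege granted to a group is easy to miss when you only look at the user's own privilege list in the GUI.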