All scripts
fault
Advanced
~5 min

AAA / TACACS+ Audit Engine

AAA security audit: TACACS+ log parsing with failed attempt correlation, privilege escalation detection, session anomaly scoring, off-hours access alerting, RBAC policy gap analysis, and compliance reporting.

cisco-ios
cisco-nxos
juniper
arista
Open in GeneratorOpen in Platform
You're viewing a preview

The full script, parameters, and execution console are available with a free account.

Already have access? Sign in โ†’

Capabilities

  • TACACS+
  • AAA
  • Auth log
  • Privilege escalation
  • RBAC
  • TACACS log parsing

Required inputs

Parameters the script accepts. Defaults shown; some are vendor- or context-gated.

ParameterTypeDefaultNotes
Lookback Hours
window_hours
number24โ€”
Failed Attempt Threshold
fail_threshold
number5โ€”

Hint 1 โ€” Name your vendors and OS versions

Mention the exact platforms you run (cisco-ios, cisco-nxos, juniper, โ€ฆ) so the generated fault logic uses the right CLI/NETCONF syntax.

Hint 2 โ€” State your real thresholds

Provide concrete values for Lookback Hours, Failed Attempt Threshold instead of the defaults โ€” they shape what counts as a fault.

Hint 3 โ€” Prioritize the checks you need

This tool can tACACS+ and aAA. Ask for the subset relevant to your incident to keep output focused.

Hint 4 โ€” Describe your inventory format

Tell the assistant whether your device list is CSV, YAML, or JSON and which columns it has, so parsing matches your data.

Sample inventory schema

Authoritative shape of the device/policy data this script consumes.

No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.

Expected output

Reference terminal output the script should produce โ€” used as a stylistic and structural target.

terminal
[INFO] Pulled 24h of AAA logs (TACACS+ + RADIUS)
[CRIT] User 'admin' from 203.0.113.5: 47 failed attempts in 10min
[WARN] 3 service accounts used outside business hours
[CRIT] Privilege escalation: user 'opsro' executed 'configure terminal' (no priv 15)
[OK]   No expired passwords currently in use