Audit for CLI commands executed via NETCONF

I have enabled audit for login/logout/CLI commands executed by enabling /confdConfig/logs/auditLog. I have also subscribed to audit notifications (NOTIF_AUDIT) in a script to read these notifications.

I don’t see notifications for operations executed via NETCONF (both configuration changes as well as operational commands like actions/RPCs are missing).
I also don’t see any log symbols (in confd_logsyms.h) for audit events created via NETCONF.

How can I enable audit notifications for operations done via NETCONF?

I tried subscribing to NOTIF_NETCONF to check if this satisfies my need, but it seems to be too high-level when compared to NOTIF_AUDIT and doesn’t, for example, give the exact configuration change involved.

Hello,

I am not able to see this issue in my setup (Using ConfD 7.7 and the example that comes with ConfD, under: $CONFD_DIR/examples.confd/misc/notifications).

Maybe you are missing handling of the NETCONF-related ConfD notifications in your code. See:

            case CONFD_NOTIF_DAEMON:
            case CONFD_NOTIF_NETCONF:
            case CONFD_NOTIF_DEVEL:
            case CONFD_NOTIF_JSONRPC:
            case CONFD_NOTIF_WEBUI:
                printf("syslog: sym=%d/%s prio=%d msg=%s\n",
                       n.n.syslog.logno,
                       confd_log_symbols[n.n.syslog.logno],
                       n.n.syslog.prio,
                       n.n.syslog.msg);
                break;

Please use the example confd_notifications to reproduce the issue in your setup.

Regards,
Nabil Michraf


@nabil
I had included “CONFD_NOTIF_NETCONF” flag as well, but I seem to have missed looking at some notifications the last time and now that I check again, I see the notifications for NETCONF operations as well. Thanks!

I still don’t see the actual configuration changes done as part of a commit in the notifications when subscribed to CONFD_NOTIF_NETCONF. However, I have been able to get this information from another place, i.e., the audit notifications (CONFD_NOTIF_AUDIT), by enabling the “/confdConfig/logs/auditLogCommit” setting.

In one place I would like to see some more information, please let me know if there is any way I can achieve this:
When I execute an action via NETCONF, I don’t see the input parameters for the action.
For example, this is the YANG model for the action.

      action create {
        tailf:info "Backup single configuration";
        tailf:exec "/usr/libexec/confd/backup-single-config";

        description
          "Takes a single backup of the configuration and stores it,
           locally and/or on a configured remote host.";

        input {
          leaf local {
            type empty;
          }
          leaf remote {
            type leafref {
              path "../../../../system/remotehosts/server/name";
            }
          }
        }
        output {
          leaf backup-filename {
            type string;
          }
        }
      }

This is the corresponding NETCONF request:

<action xmlns="urn:ietf:params:xml:ns:yang:1">
  <system xmlns="<NAMESPACE>">
    <backups>
      <create>
        <local/>
      </create>
    </backups>
  </system>
</action>

This is the corresponding notification when the action is called:

{'_notif': _confd.events.Notification(type=CONFD_NOTIF_NETCONF (2048)),
 'syslog': {'logno': 86,
            'msg': 'id=9043 action name={\'<NAMESPACE>\'}create instance-identifier=/system:system/system:backups, attrs: message-id="2"',
            'prio': 6},
 'type': 2048}

I don’t see the local or remote input parameters passed for the action in the content of the notification. Is there any way I can get this information as well? Thanks in advance!
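The CONFD_NOTIF_NETCONF syslog text quoted above arrives as a single free-form string, so a subscriber that wants to correlate or alert on it has to pull the fields out itself. The following is an added example, not code from the thread or from ConfD: it parses the action message shown in the last post into a structured audit record and records explicitly that no input parameters were present in the text, which is the observation the post makes. The message layout is assumed from that single sample (the `<NAMESPACE>` placeholder is kept as on the page, and the second notification in the sample list is constructed); only the type value 2048 for CONFD_NOTIF_NETCONF is taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Value printed for CONFD_NOTIF_NETCONF in the notification quoted in the thread.
CONFD_NOTIF_NETCONF = 2048

# Constructed sample: the 'msg' text from the notification shown in the thread.
SAMPLE_MSG = ("id=9043 action name={'<NAMESPACE>'}create "
              "instance-identifier=/system:system/system:backups, "
              'attrs: message-id="2"')

# Constructed list in the same dict shape the thread shows (one NETCONF action
# notification and one notification of an unrelated, made-up type).
SAMPLE_NOTIFICATIONS = [
    {"type": CONFD_NOTIF_NETCONF,
     "syslog": {"logno": 86, "msg": SAMPLE_MSG, "prio": 6}},
    {"type": 1, "syslog": {"logno": 1, "msg": "unrelated event", "prio": 6}},
]


@dataclass
class NetconfActionEvent:
    session_id: int            # the id=... field, the NETCONF session
    namespace: str             # module namespace wrapped in {' ... '}
    action: str                # action name, e.g. create
    instance_identifier: str   # node the action was invoked on
    attrs: Dict[str, str]      # trailing attrs, e.g. message-id
    has_input_params: bool     # False: the message carries no input leafs


# Layout assumed from the single sample message; adjust if other messages differ.
MSG_RE = re.compile(
    r"^id=(?P<id>\d+)\s+action\s+name=\{'(?P<ns>[^']*)'\}(?P<name>\S+)\s+"
    r"instance-identifier=(?P<iid>\S+?),\s*attrs:\s*(?P<attrs>.*)$"
)
ATTR_RE = re.compile(r'([A-Za-z_][\w-]*)="([^"]*)"')


def parse_action_msg(msg: str) -> Optional[NetconfActionEvent]:
    """Turn the syslog text of a NETCONF action notification into a record."""
    m = MSG_RE.match(msg)
    if m is None:
        return None
    attrs = dict(ATTR_RE.findall(m.group("attrs")))
    return NetconfActionEvent(
        session_id=int(m.group("id")),
        namespace=m.group("ns"),
        action=m.group("name"),
        instance_identifier=m.group("iid"),
        attrs=attrs,
        # The quoted message ends at the attrs; no input leafs are present.
        has_input_params=False,
    )


def to_audit_record(ev: NetconfActionEvent) -> Dict[str, object]:
    """Flatten the event into a dict suitable for a log pipeline or SIEM."""
    return {
        "source": "confd-netconf",
        "session_id": ev.session_id,
        "action": f"{{{ev.namespace}}}{ev.action}",
        "target": ev.instance_identifier,
        "message_id": ev.attrs.get("message-id"),
        "input_params": None if not ev.has_input_params else {},
    }


def process_notifications(notifs: List[dict]) -> List[Dict[str, object]]:
    """Keep only NETCONF action notifications and convert them to records."""
    records = []
    for n in notifs:
        if n.get("type") != CONFD_NOTIF_NETCONF:
            continue
        ev = parse_action_msg(n["syslog"]["msg"])
        if ev is not None:
            records.append(to_audit_record(ev))
    return records


if __name__ == "__main__":
    for rec in process_notifications(SAMPLE_NOTIFICATIONS):
        print(rec)
```

Because the parser reports `input_params` as `None` rather than an empty dict, a downstream consumer can tell "the action carried no input" apart from "the notification format does not expose the input", which is the gap the post is asking about.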