Hi tailf support,
I have a question about the NACM rule. I have defined a deny rule for a group, but it seems the rule does not take effect.
The following rule is defined for the group system-security-admin:
rule ietf-netconf-3-system-security-admin-close-session
module-name *
rpc-name close-session
access-operations exec
action deny
context netconf
But the netconf rpc “close-session” is not denied:
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<close-session/>
</rpc>]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"><ok/></rpc-reply>]]>]]>
Here is the log of ConfD for the hello command:
audit user: luser2/110 assigned to groups: system-security-admin
audit user: luser2/110 created new session via netconf from 192.168.163.125:41532 with ssh
Here is the log of ConfD for close-session:
audit user: luser2/163 terminated session (reason: normal)
devel-c close_usess db request daemon id: 2
devel-c db reply daemon id: 2
Would you please help analyze this issue? What other configuration is related?
BRs
Michael
Hi again,
I can reproduce this issue by running example dp/find_next.
The rule-list in dp/find_next/confd-cdb/aaa_init.xml:
<rule-list>
<name>admin</name>
<group>admin</group>
<rule>
<name>any-access</name>
<action>deny</action>
</rule>
</rule-list>
<rule-list>
<name>any-group</name>
<group>*</group>
<rule>
<name>any-access</name>
<action>deny</action>
</rule>
</rule-list>
I ran the command “netconf-console cmd-get-all.xml”. The XML file is as below:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
</capabilities>
</hello>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<get/>
</rpc>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
<close-session/>
</rpc>
Here is the netconf log:
<INFO> 5-Jul-2022::16:19:01.393 CN-00006605 confd[2484]: netconf id=14 new ssh session for user "admin" from 127.0.0.1
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 got rpc: {urn:ietf:params:xml:ns:netconf:base:1.0}get attrs: message-id="1"
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 access-denied
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 sending rpc-reply, attrs: message-id="1"
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: netconf id=14 close-session attrs: message-id="2"
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: netconf id=14 sending rpc-reply, attrs: message-id="2"
Here is the audit log:
<INFO> 5-Jul-2022::16:19:01.367 CN-00006605 confd[2484]: audit user: admin/0 local authentication succeeded via netconf from 127.0.0.1:36408 with ssh, member of groups: admin
<INFO> 5-Jul-2022::16:19:01.367 CN-00006605 confd[2484]: audit user: admin/0 logged in via netconf from 127.0.0.1:36408 with ssh using local authentication
<INFO> 5-Jul-2022::16:19:01.392 CN-00006605 confd[2484]: audit user: admin/14 assigned to groups: admin
<INFO> 5-Jul-2022::16:19:01.392 CN-00006605 confd[2484]: audit user: admin/14 created new session via netconf from 127.0.0.1:36408 with ssh
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: audit user: admin/14 terminated session (reason: normal)
<INFO> 5-Jul-2022::16:19:06.455 CN-00006605 confd[2484]: audit user: admin/0 logged out <local> user
You can see the rpc “close-session” is permitted.
BRs
Michael
See RFC 8341 - Network Configuration Access Control Model
- If the requested operation is the NETCONF <close-session> protocol operation, then the protocol operation is permitted.
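The RFC step the reply points to, as an added example (my own code, not from the thread or from ConfD): a Python model of the RFC 8341 section 3.4.4 decision procedure for incoming RPCs, run against the rule-lists quoted above. `Rule`, `RuleList` and `rpc_access` are my names, and step 9 (nacm:default-deny-all on the rpc statement) is left out.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    module_name: str = "*"
    rpc_name: Optional[str] = None  # None: no rule-type given, so the rule matches every RPC
    access_operations: str = "*"    # "*" or space-separated bits, e.g. "exec"

@dataclass
class RuleList:
    name: str
    groups: list[str]               # "*" means the rule-list applies to every group
    rules: list[Rule] = field(default_factory=list)
# Constructed from the thread: the two rule-lists in dp/find_next/confd-cdb/aaa_init.xml ...
FIND_NEXT_RULE_LISTS = [
    RuleList("admin", ["admin"], [Rule("any-access", "deny")]),
    RuleList("any-group", ["*"], [Rule("any-access", "deny")]),
]
# ... and the explicit close-session deny rule from the first post.
SEC_ADMIN_RULE_LISTS = [RuleList("system-security-admin", ["system-security-admin"], [
    Rule("ietf-netconf-3-system-security-admin-close-session", "deny",
         module_name="*", rpc_name="close-session", access_operations="exec")])]

def _rule_matches(rule: Rule, module: str, rpc: str) -> bool:
    if rule.module_name not in ("*", module):
        return False
    if rule.rpc_name is not None and rule.rpc_name not in ("*", rpc):
        return False
    ops = rule.access_operations.split()
    return "*" in ops or "exec" in ops

def rpc_access(user_groups, rule_lists, module, rpc,
               enable_nacm=True, recovery_session=False, exec_default="permit"):
    """Decide an incoming RPC per RFC 8341 section 3.4.4 (step 9, nacm:default-deny-all, omitted)."""
    if not enable_nacm or recovery_session:           # steps 1-2
        return "permit"
    if rpc == "close-session":                        # step 3: permitted before any rule is consulted
        return "permit"
    if user_groups:                                   # step 5: a user with no groups skips the rules
        for rl in rule_lists:                         # steps 6-8: first matching rule wins
            if "*" not in rl.groups and not set(rl.groups) & set(user_groups):
                continue
            for rule in rl.rules:
                if _rule_matches(rule, module, rpc):
                    return rule.action
    if rpc in ("kill-session", "delete-config"):      # step 10
        return "deny"
    return exec_default                               # step 11
```

With the find_next rule-lists, `get` for user admin returns "deny", matching the `access-denied` line in the netconf log, while `close-session` returns "permit" before any rule is consulted. The same holds for the explicit close-session deny rule from the first post, which is why no rule-list configuration can change that result.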