ConfD User Community

Netconf rpc "close-session" still can be executed when NACM rule defined to deny

Hi tailf support:
I have a question about the NACM rule. I have defined a deny rule for a group, but it seems the rule does not take effect.
The following rule is defined for the group system-security-admin:

 rule ietf-netconf-3-system-security-admin-close-session
  module-name       *
  rpc-name          close-session
  access-operations exec
  action            deny
  context           netconf

But the netconf rpc “close-session” is not denied:

<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<close-session/>
</rpc>]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"><ok/></rpc-reply>]]>]]>

Here is the log of ConfD for hello command:

audit user: luser2/110 assigned to groups: system-security-admin
audit user: luser2/110 created new session via netconf from 192.168.163.125:41532 with ssh

Here is the log of ConfD for close-session:

audit user: luser2/163 terminated session (reason: normal)
devel-c close_usess db request daemon id: 2
devel-c db reply daemon id: 2

Would you please help analyze this issue? What other configuration is related?
BRs
Michael

Hi again,
I can reproduce this issue by running example dp/find_next.
The rule-list in dp/find_next/confd-cdb/aaa_init.xml:

<rule-list>
  <name>admin</name>
  <group>admin</group>
  <rule>
    <name>any-access</name>
    <action>deny</action>
  </rule>
</rule-list>
<rule-list>
  <name>any-group</name>
  <group>*</group>
  <rule>
    <name>any-access</name>
    <action>deny</action>
  </rule>
</rule-list>

I ran the command “netconf-console cmd-get-all.xml”. The xml file is as below:

<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
  </capabilities>
</hello>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <get/>
</rpc>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <close-session/>
</rpc>

Here is the netconf log:

<INFO> 5-Jul-2022::16:19:01.393 CN-00006605 confd[2484]: netconf id=14 new ssh session for user "admin" from 127.0.0.1
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 got rpc: {urn:ietf:params:xml:ns:netconf:base:1.0}get attrs: message-id="1"
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 access-denied
<INFO> 5-Jul-2022::16:19:01.417 CN-00006605 confd[2484]: netconf id=14 sending rpc-reply, attrs: message-id="1"
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: netconf id=14 close-session attrs: message-id="2"
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: netconf id=14 sending rpc-reply, attrs: message-id="2"

Here is the audit log:

<INFO> 5-Jul-2022::16:19:01.367 CN-00006605 confd[2484]: audit user: admin/0 local authentication succeeded via netconf from 127.0.0.1:36408 with ssh, member of groups: admin
<INFO> 5-Jul-2022::16:19:01.367 CN-00006605 confd[2484]: audit user: admin/0 logged in via netconf from 127.0.0.1:36408 with ssh using local authentication
<INFO> 5-Jul-2022::16:19:01.392 CN-00006605 confd[2484]: audit user: admin/14 assigned to groups: admin
<INFO> 5-Jul-2022::16:19:01.392 CN-00006605 confd[2484]: audit user: admin/14 created new session via netconf from 127.0.0.1:36408 with ssh
<INFO> 5-Jul-2022::16:19:01.426 CN-00006605 confd[2484]: audit user: admin/14 terminated session (reason: normal)
<INFO> 5-Jul-2022::16:19:06.455 CN-00006605 confd[2484]: audit user: admin/0 logged out <local> user

You can see the rpc “close-session” is permitted.
BRs
Michael

See RFC 8341 - Network Configuration Access Control Model

  1. If the requested operation is the NETCONF <close-session>
    protocol operation, then the protocol operation is permitted.
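The ordering in RFC 8341 section 3.4.4 is the whole explanation: the close-session check is step 2, before any group, rule-list or rule is consulted, so no deny rule can ever be reached for it. The following is an added example, not ConfD's implementation and not code from this thread: a small Python model of that evaluation order, run over rule lists constructed to mirror the two configurations posted above. The user and group memberships, the default_deny_all flag (standing in for a nacm:default-deny-all statement on the rpc, step 9) and the module name are assumptions for the demo; the NACM "context" leaf shown in the CLI output is a ConfD extension and is not modelled.

```python
"""Model of RFC 8341 section 3.4.4, "Incoming RPC Message Validation".

Added example, not ConfD's implementation. It walks the steps in the order
the RFC lists them, which is why <close-session> is permitted before any
rule-list is consulted (step 2), while <get> and <kill-session> fall
through to the rule lists. Groups, rule lists and RPC names below are
constructed to mirror the thread; "default_deny_all" stands in for a
nacm:default-deny-all statement on the rpc definition (step 9).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    module_name: str = "*"
    rpc_name: Optional[str] = None  # None = no rule-type, matches any RPC
    access_operations: str = "*"    # "*" or space-separated bits, e.g. "exec"


@dataclass
class RuleList:
    name: str
    groups: List[str]               # group names, or "*" for every group
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Nacm:
    enable_nacm: bool = True
    exec_default: str = "permit"    # RFC default for exec-default
    groups: Dict[str, List[str]] = field(default_factory=dict)  # group -> users
    rule_lists: List[RuleList] = field(default_factory=list)


def _has_exec(rule: Rule) -> bool:
    return rule.access_operations == "*" or "exec" in rule.access_operations.split()


def check_rpc(nacm: Nacm, user: str, rpc_name: str, module: str = "ietf-netconf",
              default_deny_all: bool = False) -> Tuple[str, str]:
    """Return (decision, reason); decision is "permit" or "deny"."""
    # Step 1: NACM switched off.
    if not nacm.enable_nacm:
        return "permit", "step 1: enable-nacm is false"
    # Step 2: close-session is permitted before any rule is looked at,
    # so a deny rule naming it can never take effect.
    if rpc_name == "close-session":
        return "permit", "step 2: <close-session> is always permitted"
    # Step 3: groups the user belongs to (external groups not modelled).
    user_groups = [g for g, members in nacm.groups.items() if user in members]
    if user_groups:  # Step 4: with no groups, skip straight to step 10.
        # Step 5: rule-lists in configuration order, matching the user's groups.
        for rl in nacm.rule_lists:
            if "*" not in rl.groups and not any(g in rl.groups for g in user_groups):
                continue
            # Step 6: first rule that matches module, rpc-name and the exec bit.
            for rule in rl.rules:
                if rule.module_name not in ("*", module):
                    continue
                if rule.rpc_name not in (None, "*", rpc_name):
                    continue
                if not _has_exec(rule):
                    continue
                # Step 7: the matching rule's action decides.
                decision = "permit" if rule.action == "permit" else "deny"
                return decision, f"step 7: rule {rl.name}/{rule.name}"
        # Step 9: nacm:default-deny-all on the rpc statement.
        if default_deny_all:
            return "deny", "step 9: rpc carries nacm:default-deny-all"
    # Step 10: dangerous operations are denied unless a rule permitted them.
    if rpc_name in ("kill-session", "delete-config"):
        return "deny", f"step 10: <{rpc_name}> denied by default"
    # Step 11: fall back to exec-default.
    return nacm.exec_default, "step 11: exec-default"


def thread_scenario() -> Dict[str, str]:
    """The two configurations from the thread, evaluated for a few RPCs."""
    nacm = Nacm(
        groups={"system-security-admin": ["luser2"], "admin": ["admin"]},  # constructed
        rule_lists=[
            RuleList("system-security-admin", ["system-security-admin"], [
                Rule("ietf-netconf-3-system-security-admin-close-session",
                     "deny", rpc_name="close-session", access_operations="exec")]),
            RuleList("admin", ["admin"], [Rule("any-access", "deny")]),
            RuleList("any-group", ["*"], [Rule("any-access", "deny")]),
        ])
    cases = [("luser2", "close-session"), ("luser2", "get"),
             ("admin", "close-session"), ("admin", "get"),
             ("luser2", "kill-session"), ("nobody", "get"),
             ("nobody", "kill-session")]
    return {f"{u} {r}": check_rpc(nacm, u, r)[0] for u, r in cases}


if __name__ == "__main__":
    for case, decision in thread_scenario().items():
        print(f"{case:25} -> {decision}")
```

Running it reproduces the thread: every close-session is permitted at step 2 regardless of the deny rules, while get for luser2 and admin is denied at step 7 by the any-access rules, and a user with no group membership falls through to step 10 (kill-session denied) or step 11 (exec-default). If the intent is to stop a session from being closed, NACM is the wrong tool; the RFC reserves close-session so a client can always leave cleanly.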