Tailf:suppress-echo conundrum

I have annotated one leaf with ‘tailf:suppress-echo true;’

With this I have these issues:

  • When I try to provide the value in-line, the value gets printed in plaintext in the CLI, but is logged with *** in the audit log
(config-radius-server-1)# secret hhhh 
: CLI 'secret ****'
  • To hide the plaintext in the CLI, I have to press the return key after the leaf name, and then give the input
(config-radius-server-1)# secret
(<String of length 8-16 >): ******

But now it is logged in plaintext in the audit log

 : CLI 'secret \"secret\\000\"'

How can we have both?

ConfD suppresses the echo only if it prompts for a value, so the behavior in the first part is correct. And it indeed should hide the value from the audit log, so the behavior in the second part is not correct.
Do you have some customizations in your audit logging, such as through the ConfD event notifications? The line from the audit log looks strange:

  • If you enter the leaf path and its value in two separate lines, ConfD (normally) logs the two in two separate log lines, not in one; maybe the line was generated for another command?

  • The value looks strange, was it indeed supposed to contain literal double quote, string "secret", backslash, string "000", double quote? This is the only (legal) value that would make it to the audit log as \"secret\\000\" - provided it is ConfD that generates the log.

Here are my various observations:

  • The particular example I tried had tailf:typepoint enabled (to ensure secret is not displayed in plaintext in show running-config etc).

  • So to rule out any bad interaction with typepoint, I tried to apply the same with a raw string type variable. But there I ran into a new issue.

When I try to enter data after the prompt, the corresponding entry is logged as

<INFO> 16-Jan-2023::18:50:16.913 aeon-ztps confd[27147]: audit user: admin/16 CLI 'my-password --ERROR--'
<INFO> 16-Jan-2023::18:50:16.913 aeon-ztps confd[27147]: audit user: admin/16 CLI done

with the devel log pointing to

 devel-c /folder-user/my-password: expected type string, got list.

To rule out an issue with my setup, I tried to reproduce the same using one of the ConfD examples.

  • So I took examples.confd/intro/6-c_config
  • Comment out the mandatory true statement from list host in hst.yang, so that it looks as follows
  container hosts {
    tailf:callpoint hcp;

    list host {
      key name;
      max-elements 64;
      leaf name {
        type string;
      }
      leaf domain {
        type string;
        //mandatory true;
      }
      leaf defgw {
        type inet:ip-address;
        //mandatory true;
      }
    }
  }
  • Usual compilation (make clean all start in one window and make cli-c in another)
aeon-ztps(config)# hosts host mg
aeon-ztps(config-host-mg)# defgw 
(<IP address>): 1.1.1.1 
aeon-ztps(config-host-mg)# domain 
(<string>): dhdhdhdh
aeon-ztps(config-host-mg)# commit
Commit complete.

This prints the following in the audit log

<INFO> 16-Jan-2023::18:58:29.196 aeon-ztps confd[7939]: audit user: admin/13 assigned to groups: admin
<INFO> 16-Jan-2023::18:58:31.422 aeon-ztps confd[7939]: audit user: admin/13 CLI 'config'
<INFO> 16-Jan-2023::18:58:31.465 aeon-ztps confd[7939]: audit user: admin/13 CLI done
<INFO> 16-Jan-2023::18:58:37.906 aeon-ztps confd[7939]: audit user: admin/13 CLI 'hosts host mg' 
<INFO> 16-Jan-2023::18:58:37.924 aeon-ztps confd[7939]: audit user: admin/13 CLI done
<INFO> 16-Jan-2023::18:58:44.833 aeon-ztps confd[7939]: audit user: admin/13 CLI 'defgw'
<INFO> 16-Jan-2023::18:58:47.092 aeon-ztps confd[7939]: audit user: admin/13 CLI 'defgw --ERROR--'
<INFO> 16-Jan-2023::18:58:47.092 aeon-ztps confd[7939]: audit user: admin/13 CLI done
<INFO> 16-Jan-2023::18:58:49.001 aeon-ztps confd[7939]: audit user: admin/13 CLI 'domain'
<INFO> 16-Jan-2023::18:58:51.968 aeon-ztps confd[7939]: audit user: admin/13 CLI 'domain --ERROR--'
<INFO> 16-Jan-2023::18:58:51.969 aeon-ztps confd[7939]: audit user: admin/13 CLI done
<INFO> 16-Jan-2023::18:58:53.481 aeon-ztps confd[7939]: audit user: admin/13 CLI 'commit'
<INFO> 16-Jan-2023::18:58:53.568 aeon-ztps confd[7939]: audit user: admin/13 CLI done
<INFO> 16-Jan-2023::18:58:58.479 aeon-ztps confd[7939]: audit user: admin/13 CLI 'exit'

And the following error in devel.log

<ERR> 16-Jan-2023::18:58:47.092 aeon-ztps confd[7939]: devel-c /hosts/host/defgw: expected type inetAddressIP, got list.
<ERR> 16-Jan-2023::18:58:51.968 aeon-ztps confd[7939]: devel-c /hosts/host/domain: expected type string, got list.
  • I was using confd-6.7.3 in the above observations.
  • Next I tried to reproduce the same in confd-7.3 as well. In confd-7.3 the expected type error is not there. (So there must be some issues in older confd versions which were fixed later.) However, with confd-7.3 as well, my original issue persists.
tail -F audit.log &
make cli-c
aeon-ztps(config)# hosts host mg defgw 1.1.1.1
<INFO> 16-Jan-2023::19:12:32.287 aeon-ztps confd[5862]: audit user: admin/14 CLI 'hosts host mg defgw 1.1.1.1'
<INFO> 16-Jan-2023::19:12:32.290 aeon-ztps confd[5862]: audit user: admin/14 CLI done

aeon-ztps(config-host-mg)# domain 
<INFO> 16-Jan-2023::19:12:35.947 aeon-ztps confd[5862]: audit user: admin/14 CLI 'domain'
(<string>): **********
<INFO> 16-Jan-2023::19:12:40.801 aeon-ztps confd[5862]: audit user: admin/14 CLI 'testdomain'
<INFO> 16-Jan-2023::19:12:40.801 aeon-ztps confd[5862]: audit user: admin/14 CLI done


aeon-ztps(config-host-mg)# commit
<INFO> 16-Jan-2023::19:12:43.978 aeon-ztps confd[5862]: audit user: admin/14 CLI 'commit'
<INFO> 16-Jan-2023::19:12:44.032 aeon-ztps confd[5862]: audit user: admin/14 CLI done
Commit complete.


aeon-ztps(config-host-mg)# domain 
<INFO> 16-Jan-2023::19:12:46.964 aeon-ztps confd[5862]: audit user: admin/14 CLI 'domain'
(<string>): ***********
<INFO> 16-Jan-2023::19:12:52.123 aeon-ztps confd[5862]: audit user: admin/14 CLI 'newtestdome'
<INFO> 16-Jan-2023::19:12:52.125 aeon-ztps confd[5862]: audit user: admin/14 CLI done

There was a bug that sometimes made tailf:suppress-echo not do what it should; apparently the combination with tailf:typepoint is an instance of this. It was fixed in later ConfD releases (I see it works fine in 7.3.6 and 7.5). I suppose the CHANGES entry you should look for is this:

cli: When CLI used its auto-wizard and started prompting for input, the
input value was not always logged in the audit-log. If it was logged, it
did not always suppress the value when it should. Now we assert values
are suppressed and identify where CLI was missing out on producing
audit-log entries.

(ENG-24509, RT:43273, PS-38389, CSCvv31098)
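Since the whole thread turns on whether a given ConfD build writes prompted values into audit.log unmasked, here is an added checker for exactly that. It is example code written for this thread, not ConfD's own tooling and not something the posters ran: it assumes the audit.log line layout shown in the excerpts above, takes the set of tailf:suppress-echo leaf names from the caller (there is no way to learn them from the log itself), and treats the first non-done entry after a bare "CLI '<leaf>'" entry in the same user session as the prompted value. The sample log is constructed from the excerpts in this thread (session 14 is the confd-7.3 prompt case, session 13 the confd-6.7.3 --ERROR-- case, session 15 an in-line entry that ConfD masked correctly).

```python
"""Scan a ConfD audit.log for values of suppress-echo leaves that reached the log
unmasked. Added example, not ConfD code; assumes the line layout seen on this page."""
import re
from dataclasses import dataclass

# Layout of the audit.log lines quoted on this page (assumption: one CLI entry
# per line, the command text in single quotes, or the literal word "done").
AUDIT_RE = re.compile(
    r"^<(?P<level>\w+)> (?P<ts>\S+) (?P<host>\S+) confd\[(?P<pid>\d+)\]: "
    r"audit user: (?P<user>[^/\s]+)/(?P<usid>\d+) CLI (?:'(?P<cmd>.*)'|(?P<done>done))\s*$"
)


@dataclass
class Finding:
    kind: str       # "plaintext", "masked" (only '*'), or "error" (--ERROR-- marker)
    leaf: str
    usid: int
    ts: str
    value_len: int  # length only, so the report never repeats the secret itself


def parse_audit_line(line):
    """Return the fields of one audit.log line, or None if it is not a CLI entry."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "usid": int(m["usid"]),
            "cmd": m["cmd"], "done": m["done"] is not None}


def _classify(leaf, value, rec):
    if value == "--ERROR--":
        kind = "error"          # confd-6.7.3 behaviour seen on this page
    elif value and set(value) == {"*"}:
        kind = "masked"         # ConfD replaced the value with stars
    else:
        kind = "plaintext"      # the value itself is in the log
    return Finding(kind, leaf, rec["usid"], rec["ts"], len(value))


def scan_audit(text, sensitive_leaves):
    """One Finding per audit entry that carries a value for a sensitive leaf, whether
    given in-line ('secret ****') or at the auto-wizard prompt (a bare 'CLI <leaf>'
    entry followed, before 'CLI done', by an entry holding the typed value)."""
    pending = {}   # usid -> leaf name whose prompted value is expected next
    findings = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        usid = rec["usid"]
        if rec["done"]:
            pending.pop(usid, None)
            continue
        cmd = rec["cmd"].strip()
        tokens = cmd.split()
        if usid in pending:
            # Assumption: the next non-done entry is the prompted value. 6.7.3
            # wrote '<leaf> --ERROR--' here, 7.3 wrote the raw value on its own.
            leaf = pending.pop(usid)
            value = " ".join(tokens[1:]) if tokens[:1] == [leaf] else cmd
            findings.append(_classify(leaf, value, rec))
            continue
        for i, tok in enumerate(tokens):
            if tok in sensitive_leaves:
                rest = " ".join(tokens[i + 1:])
                if rest:
                    findings.append(_classify(tok, rest, rec))   # in-line value
                else:
                    pending[usid] = tok                           # bare leaf: prompt follows
                break
    return findings


def leaked_leaves(findings):
    """Names of the leaves whose value reached the audit log unmasked."""
    return sorted({f.leaf for f in findings if f.kind == "plaintext"})


# Constructed sample, adapted from the excerpts quoted in this thread.
SAMPLE_LOG = """\
<INFO> 16-Jan-2023::19:12:32.287 aeon-ztps confd[5862]: audit user: admin/14 CLI 'hosts host mg defgw 1.1.1.1'
<INFO> 16-Jan-2023::19:12:32.290 aeon-ztps confd[5862]: audit user: admin/14 CLI done
<INFO> 16-Jan-2023::19:12:35.947 aeon-ztps confd[5862]: audit user: admin/14 CLI 'domain'
<INFO> 16-Jan-2023::19:12:40.801 aeon-ztps confd[5862]: audit user: admin/14 CLI 'testdomain'
<INFO> 16-Jan-2023::19:12:40.801 aeon-ztps confd[5862]: audit user: admin/14 CLI done
<INFO> 16-Jan-2023::18:58:49.001 aeon-ztps confd[7939]: audit user: admin/13 CLI 'domain'
<INFO> 16-Jan-2023::18:58:51.968 aeon-ztps confd[7939]: audit user: admin/13 CLI 'domain --ERROR--'
<INFO> 16-Jan-2023::18:58:51.969 aeon-ztps confd[7939]: audit user: admin/13 CLI done
<INFO> 16-Jan-2023::19:20:01.000 aeon-ztps confd[5862]: audit user: admin/15 CLI 'secret ****'
<INFO> 16-Jan-2023::19:20:01.010 aeon-ztps confd[5862]: audit user: admin/15 CLI done
"""

if __name__ == "__main__":
    results = scan_audit(SAMPLE_LOG, {"domain", "secret"})
    for f in results:
        print(f)
    print("leaked:", leaked_leaves(results))
```

Feed it your own audit.log and the leaf names that carry tailf:suppress-echo in your YANG; a non-empty leaked_leaves() result on a build you expected to be fixed is the quickest way to tell whether you are still running into the CHANGES entry above. The report deliberately records only the length of a leaked value, so the checker's output does not become a second copy of the secret.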

Thanks for the information. I tried confd-7.7 and both the issues are fixed there.

Just for completeness, is there any tailf: clause which we can use to force ConfD to take input in prompt mode?

No, I am not aware of any such extension. If really needed, you can “override” the leaf by a CLI C-API command of the same name whose implementation uses maapi_cli_prompt* to read the value and modifies the leaf - you can control whether the value is echoed back, and it does not appear in the audit.log file.