[YANG] Add support for Password Hardening #10322
Changes from 15 commits
d6e62e8
f844b43
0d143f1
a8cfb45
7f6b284
b0a6f5c
7b42206
9a68dd1
90ed1ad
a978ef1
5e17f03
6d222f7
69190ef
b2404e1
668d7ea
72f4446
3ad5476
4d3cf3b
a6f7227
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
{ | ||
"PASSWORD_TABLE": { | ||
"desc": "Configure policer with all default fields." | ||
}, | ||
"PASSWORD_ENABLE_FEATURE_WITH_POLICIES": { | ||
"desc": "Configure password policies and enabled feature." | ||
}, | ||
"PASSWORD_BAD_ENABLE_FEATURE": { | ||
"desc": "Configure password policies enabled feature with a wrong value.", | ||
"eStrKey" : "InvalidValue" | ||
}, | ||
"PASSWORD_BAD_DIGIT": { | ||
"desc": "Configure password Digit Class policy with invalid value", | ||
"eStrKey" : "InvalidValue" | ||
}, | ||
"PASSWORD_BAD_HISTORY_CNT": { | ||
"desc": "Configure password history_cnt with out of range value", | ||
"eStrKey" : "InvalidValue" | ||
}, | ||
"PASSWORD_BAD_LEN_MIN": { | ||
"desc": "Configure password len-min with out of range value", | ||
"eStrKey" : "Pattern" | ||
}, | ||
"PASSWORD_BAD_EXPIRATION": { | ||
"desc": "Configure password expiration with out of range value", | ||
"eStrKey" : "Pattern" | ||
}, | ||
"PASSWORD_BAD_EXPIRATION_WARN": { | ||
"desc": "Configure password expiration-warning with out of range value", | ||
"eStrKey" : "Pattern" | ||
} | ||
} |
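Review bot: The `desc` of `PASSWORD_TABLE` reads "Configure policer with all default fields.", which looks carried over from another test; `"desc": "Configure password hardening with all default fields."` would match what the case loads. The three out-of-range cases (`PASSWORD_BAD_LEN_MIN`, `PASSWORD_BAD_EXPIRATION`, `PASSWORD_BAD_EXPIRATION_WARN`) expect `"eStrKey" : "Pattern"` although the model restricts these leaves with `range`, not `pattern`. The harness that maps `eStrKey` to an error string is not visible here, so this may simply be how range failures are matched, but it is worth confirming so that the tests fail for the intended reason.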
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,146 @@ | ||
{ | ||
"PASSWORD_TABLE": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "disabled", | ||
"expiration": "180", | ||
"expiration_warning": "15", | ||
"history_cnt": "10", | ||
"len_min": "8", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": true, | ||
"special_class": true | ||
} | ||
} | ||
} | ||
}, | ||
"PASSWORD_ENABLE_FEATURE_WITH_POLICIES": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "enabled", | ||
"expiration": "180", | ||
"expiration_warning": "15", | ||
"history_cnt": "10", | ||
"len_min": "8", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": true, | ||
"special_class": true | ||
} | ||
} | ||
} | ||
}, | ||
"PASSWORD_BAD_ENABLE_FEATURE": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "33", | ||
"expiration": "180", | ||
"expiration_warning": "15", | ||
"history_cnt": "10", | ||
"len_min": "8", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": true, | ||
"special_class": true | ||
} | ||
} | ||
} | ||
}, | ||
"PASSWORD_BAD_DIGIT": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "disabled", | ||
"expiration": "180", | ||
"expiration_warning": "15", | ||
"history_cnt": "10", | ||
"len_min": "8", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": "1", | ||
"special_class": true | ||
} | ||
} | ||
} | ||
}, | ||
"PASSWORD_BAD_HISTORY_CNT": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "enabled", | ||
"expiration": "180", | ||
"expiration_warning": "15", | ||
"history_cnt": "300", | ||
"len_min": "8", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": true, | ||
"special_class": true | ||
} | ||
} | ||
} | ||
}, | ||
"PASSWORD_BAD_LEN_MIN": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "enabled", | ||
"expiration": "180", | ||
"expiration_warning": "15", | ||
"history_cnt": "50", | ||
"len_min": "50", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": true, | ||
"special_class": true | ||
} | ||
} | ||
} | ||
}, | ||
"PASSWORD_BAD_EXPIRATION": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "enabled", | ||
"expiration": "400", | ||
"expiration_warning": "15", | ||
"history_cnt": "50", | ||
"len_min": "8", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": true, | ||
"special_class": true | ||
} | ||
} | ||
} | ||
}, | ||
"PASSWORD_BAD_EXPIRATION_WARN": { | ||
"sonic-passwh:sonic-passwh": { | ||
"sonic-passwh:PASSW_HARDENING": { | ||
"POLICIES":{ | ||
"state": "enabled", | ||
"expiration": "180", | ||
"expiration_warning": "40", | ||
"history_cnt": "10", | ||
"len_min": "8", | ||
"reject_user_passw_match": true, | ||
"lower_class": true, | ||
"upper_class": true, | ||
"digits_class": true, | ||
"special_class": true | ||
} | ||
} | ||
} | ||
} | ||
} |
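Review bot: `PASSWORD_BAD_HISTORY_CNT` sets `"history_cnt": "300"`, which is already outside `uint8`, so the case would still be rejected if the `range 1..100` restriction were dropped from the model; `"history_cnt": "101"` would pin the declared bound. None of the negative cases exercises a lower bound either. Adding a case with `"len_min": "0"` or `"expiration": "0"` would cover the `1..` side of the ranges, which is the side that keeps an enabled policy from being configured down to nothing.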
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
module sonic-passwh { | ||
yang-version 1.1; | ||
namespace "https://github.com/Azure/sonic-passwh"; | ||
prefix password; | ||
|
||
description "PASSWORD HARDENING YANG Module for SONiC OS"; | ||
|
||
revision 2021-10-12 { | ||
description "First Revision"; | ||
} | ||
|
||
container sonic-passwh { | ||
|
||
typedef feature_state { | ||
type enumeration { | ||
enum enabled; | ||
enum disabled; | ||
} | ||
} | ||
|
||
container PASSW_HARDENING { | ||
description "PASSWORD HARDENING part of config_db.json"; | ||
container POLICIES { | ||
leaf state { | ||
The feature will set to disable by default, so maybe add default values to yang model?
@dgsudharsan I removed the default because I understand from you that it is not necessary anymore,
@liuh-80 In the yang subgroup meeting it is decided not to have default in yang model but rather handle it in application. The reason is having default will push it to config_db and currently there is no way to differentiate between user configuration from default configuration.
Have the same concern. We should add default value (disable) into yang model.
Done |
||
description "state of the feature"; | ||
type feature_state; | ||
} | ||
leaf expiration { | ||
description "expiration time (days unit)"; | ||
type uint16 { | ||
range 1..365; | ||
} | ||
} | ||
leaf expiration_warning { | ||
description "expiration warning time (days unit)"; | ||
type uint8 { | ||
range 1..30; | ||
} | ||
} | ||
leaf history_cnt { | ||
description "num of old password that the system will recorded"; | ||
type uint8 { | ||
range 1..100; | ||
} | ||
} | ||
leaf len_min { | ||
description "password min length"; | ||
type uint8 { | ||
range 1..32; | ||
} | ||
} | ||
leaf reject_user_passw_match{ | ||
description "username password match"; | ||
type boolean; | ||
} | ||
leaf lower_class{ | ||
description "password lower chars policy"; | ||
type boolean; | ||
} | ||
leaf upper_class{ | ||
description "password upper chars policy"; | ||
type boolean; | ||
} | ||
leaf digits_class{ | ||
description "password digits chars policy"; | ||
type boolean; | ||
} | ||
leaf special_class{ | ||
description "password special chars policy"; | ||
type boolean; | ||
} | ||
}/*container policies */ | ||
} /* container PASSWH */ | ||
}/* container sonic-passwh */ | ||
}/* end of module sonic-passwh */ |
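Review bot: `expiration_warning` (range 1..30) is validated independently of `expiration` (range 1..365), so a configuration such as expiration 5 with expiration_warning 30 passes the model even though the warning period exceeds the password lifetime. A cross-leaf check on `expiration_warning`, for example `must "not(../expiration) or current() <= ../expiration";`, would reject that at validation time instead of leaving it to the application. Separately, `len_min` accepts 1, which lets the feature be enabled with effectively no length requirement; if that is intentional, the `description` should say so. The `history_cnt` description would read better as `"number of old passwords the system records"`.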
Please fix the revision date
Done