Restricting history while in a klish view

[David Balme]

Hello 

I have a question about how to restrict entries getting into klish history.

I'm trying to find a solution without having to modify the klish source itself or without building a plugin.

My situation..

In our app we have a specific klish admin view that contains some sensitive security related commands.  We do not want to leave any traces around that these commands were issued.  This means we do not want these commands to show up in klish history.  Ideally the commands do not show up in the current klish session and definitely should not show up in the klish history file  (~/.clish_history).

When we run klish, it's always called from a bash script that sets up the required environment.

I tried two approaches to solve this.. One approach that is too weak and the other that is too strong.  

Approach 1 ( too weak):

In this solution I did not try to keep sensitive commands from entering current in-memory session history.

When the user logs out of the CLI session I see that klish copies session history data to the file .clish_history .

So in the bash script that calls klish I simply clean out the history file of sensitive commands upon exit of klish.

This does not fully satisfy the original requirements and it's also very weak.  Does not handle crashes or users who know how to circumvent this.

Approach 2 - removes all of history .. oops!

Here is what my view looks like

<VIEW 

      name="myrestricted-view"

      prompt="admin> " >

     

     .. then here I define a bunch of command definitions that I don't want recorded in history 

     

      <COMMAND 

           name="exit"

           help="exit from admin-mode"

           view="root-view">

         <ACTION builtin="clish_history">1</ACTION>

      </COMMAND>

</VIEW>

In this approach when exiting the "myrestricted-view" view via the exit command .. it basically blows away all history.. from the session ... oops!! Secondly when I exit the CLI session altogether, the permanent history in .cli_history is also removed.. Double-oops! :)

As you can see, both approaches don't work.

Is there a better way to do this via configuration?   Or would I need to modify the history handling within the klish source code?

Cheers and thanks for your time,

David Balme

[Serj Kalichev]

Hello.

You need to modify klish sources.

Only ugly solvation is to return not-null return code from ACTION. Probably "failed" commands will not get into the history. But I don't recommend to do so.

04.12.2020 21:05, David Balme пишет:

--
You received this message because you are subscribed to the Google Groups "klish-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to klish-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/klish-dev/CAFhJ4hzYx%3DOHX_ingiAi1mVdQ-3fsVgh%2Bek5ghNeuMobks1UuA%40mail.gmail.com.

[David Balme]

OK thanks..

That is what I was guessing would have to happen!  :)

Cheers and thanks for the quick response!

David

To view this discussion on the web visit https://groups.google.com/d/msgid/klish-dev/e43ebe73-0614-de64-61ce-95258971c70c%40gmail.com.