794 Views, 25 Helpful, 6 Replies

Hiding data from output when we run commands on a device

abhkaul
Cisco Employee

Hi Team, 

Is there a way to hide/mask sensitive data that we might get after running some commands on the device via NSO? 

For example, if we run show running-config on a device via NSO and we want to mask the passwords. I think there is a way to do that on the device level using the encryption service or the enable secret command, but I wanted to check if there is a way to achieve that using NSO. 

Thanks in advance!

6 Replies

Nabsch
Spotlight

Hello,

Yes, there is a way to hide it from the CLI using some annotation in the YANG file, but you can still get the data using Java/Python.

Yes, look into the tailf:hidden annotation.

Nabsch
Spotlight

You can do something like this:

        leaf regex {
          tailf:hidden all;
          type string;
        }

You can find more detail here. 

tailf:hidden tag

This statement can be used to hide a node from some, or all, northbound interfaces. All nodes with the same value are considered a hide group and are treated the same with regards to being visible or not in a northbound interface.

The hidden statement can be used in: leaf, leaf-list, list, container, tailf:action, refine, rpc, and action.

hniska
Cisco Employee

Not sure if it is me who misunderstands your question or if it's the other guys who answered :).

My take is that you don't want users in NSO to be able to see certain values in data showing up in the devices/device tree?

If that is the case, you don't really get any help from tailf:hidden, as you don't want to change the NED's YANG files. The way you want to do it is prohibiting read access to certain parts of the tree with NACM: https://developer.cisco.com/docs/nso/guides/#!nso-5-6-administration-guide-the-aaa-infrastructure
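
A sketch of the NACM approach suggested in the reply above, added here as an example and not taken from any post in this thread or from Cisco's documentation. It uses the standard ietf-netconf-acm model; the group name `operators`, the rule names, and the `ios:enable/ios:secret` path (which assumes a cisco-ios NED with namespace `urn:ios`) are assumptions to replace with values from your own system.

```xml
<!-- Added example: deny read access to one secret leaf in the device tree.
     Group name, rule names and the NED path are assumptions. -->
<config xmlns="http://tail-f.com/ns/config/1.0">
  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <!-- NACM evaluates rule-lists in order and stops at the first matching
         rule, so this list must come before any rule-list that permits
         everything for the same group. -->
    <rule-list>
      <name>hide-device-secrets</name>
      <group>operators</group>
      <rule>
        <name>deny-read-enable-secret</name>
        <!-- Prefixes in the path are resolved from the xmlns declarations
             on this element. Check the path against your NED's YANG. -->
        <path xmlns:ncs="http://tail-f.com/ns/ncs"
              xmlns:ios="urn:ios">/ncs:devices/ncs:device/ncs:config/ios:enable/ios:secret</path>
        <access-operations>read</access-operations>
        <action>deny</action>
      </rule>
    </rule-list>
  </nacm>
</config>
```

With a read-deny rule in place, NACM silently omits the node from what members of that group can retrieve, and the NED's YANG files stay unmodified. Users outside the group still see the value, so test with an account that is actually mapped to the group.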

abhkaul
Cisco Employee

Thanks for the suggestions, everyone. I'll give these a try and see which one suits my use case the best. 

u.avsec
Spotlight

I'm guessing this might help you?

https://community.cisco.com/t5/nso-developer-hub-blogs/securing-your-secrets-with-the-cli-neds/ba-p/4473467

The "Auto-encrypting passwords in NSO" section in particular.