This module contains definitions for management of security feature defaults used for user account provisioning as well as system...
Version: 2018-07-18
// Device security model: deprecated per-account defaults, systemwide
// policy (AAA order, password/username rules, banners), certificate and
// CA-profile lists, the RADIUS client, user groups and users, and a
// change-password RPC.
module fujitsu-user-security {
  yang-version 1;
  namespace "urn:fujitsu:params:xml:ns:yang:usersecurity";
  prefix secu;

  import fujitsu-user-security-typedefs { prefix usersecu-type; }
  // NOTE(review): the 'taa' prefix is not referenced anywhere in the module
  // text shown — confirm whether this import is still needed.
  import tailf-aaa { prefix taa; }

  organization "Fujitsu Ltd.";
  contact "Fujitsu Ltd. Address: 2801 Telecom Parkway Richardson, Texas 75082 Tel: +1-800-USE-FTAC (1-800-873-3822) Email: ftac@fnc.fujitsu.com Web: www.fujitsu.com/us/services/telecom";
  description "This module contains definitions for managment of security feature defaults used for user account provisioning as well as system wide security feature settings. Copyright (c) 2015 Fujitsu Ltd. All rights reserved. ";

  revision "2018-07-18" { description "Deprecated unused security params"; }
  revision "2017-12-22" { description "Crypt password type modified"; }
  revision "2017-11-06" { description "Modifies the descriptions for level-2 and level-3 Users"; }
  revision "2017-10-13" { description "Added missing help strings for Systemwide Security elements"; }
  revision "2017-09-27" { description "deprecated all unused read-write elements from security yang and removed all invisible and read-only unused elements"; }
  revision "2017-07-05" { description "Security Yang performance improvement"; }
  revision "2017-06-08" { description "Added description for Authentication order"; }
  revision "2017-06-06" { description "Moved authentication-order precondition from data model"; }
  revision "2017-05-26" { description "Added support for configuring Accounting Order"; }
  revision "2017-05-05" { description "updated must statement and min-elements under authentication-order to support tacacs or radius only cases"; }
  revision "2017-03-29" { description "cli preformat support removed for pre-login-banner and post-login-banner"; }
  revision "2017-03-20" { description "Validation check for authentication order"; }
  revision "2016-11-21" { description "Updated for configurable banner support"; }
  revision "2016-11-04" { description "Modified the type to 
                          password-type for each leaf of rpc change-password"; }
  revision "2015-09-30";

  container security {
    description "Security related Configurations";

    // Entire container is deprecated; the leaf descriptions point to the
    // replacement knobs under security/systemwide.
    container defaults {
      status deprecated;
      leaf uage {
        type usersecu-type:uage-type;
        mandatory true;
        status deprecated;
        description "(Deprecated) Use 'set security systemwide username-minimum-length <>' instead";
      }
      leaf page {
        type usersecu-type:page-type;
        mandatory true;
        status deprecated;
        description "(Deprecated) Use 'set security systemwide password-minimum-length <>' instead";
      }
      leaf minit { type usersecu-type:minit-type; mandatory true; status deprecated; }
      leaf reauth { type usersecu-type:reauth-type; mandatory true; status deprecated; }
      leaf idle-timeout { type uint64 { range "0 .. 8192"; } mandatory true; status deprecated; }
    } // container defaults

    // Active systemwide policy. The non-deprecated leaves are the ones to use.
    container systemwide {
      // One to three AAA destinations; the operator-given order is significant.
      leaf-list authentication-order {
        type usersecu-type:authentication-type;
        min-elements 1;
        max-elements 3;
        ordered-by user;
        description "AAA authentication order defines the destination hierarchy for authentication and authorization";
      }
      // Up to two accounting destinations, operator-ordered; may be empty.
      leaf-list accounting-order {
        type usersecu-type:accounting-type;
        max-elements 2;
        ordered-by user;
        description "AAA accounting order defines the destination hierarchy for accounting audit logging";
      }
      // Actual limits live in the umin/pmin/pcontent typedefs of the
      // typedefs module (not shown here).
      leaf username-minimum-length { type usersecu-type:umin-type; description "Minimum Username length"; }
      leaf password-minimum-length { type usersecu-type:pmin-type; description "Minimum Password length"; }
      leaf password-mode { type usersecu-type:pcontent-type; description "Determines the allowed password content - BASIC or ENHANCED"; }
      // Login banners, capped at 1600 characters, with built-in defaults.
      leaf pre-login-banner {
        type string { length "0..1600"; }
        default "Welcome to the FUJITSU 1FINITY Copyright Fujitsu Network Communications";
        description "Pre-login banner that is to be displayed before user enters the login details";
      }
      leaf post-login-banner {
        type string { length "0..1600"; }
        default "NOTICE: THIS IS A PRIVATE COMPUTER SYSTEM. 
                 UNAUTHORIZED ACCESS OR USE MAY LEAD TO PROSECUTION.";
        description "Post-login banner that is to be displayed after successful login";
      }
      // Deprecated systemwide knobs kept for backward compatibility.
      leaf uage { type usersecu-type:uage-type; default "OFF"; status deprecated; description "(Deprecated) Systemwide user account aging"; }
      leaf umin { type usersecu-type:umin-type; status deprecated; description "(Deprecated) Use 'set security systemwide username-minimum-length <>' instead"; }
      leaf pmin { type usersecu-type:pmin-type; status deprecated; description "(Deprecated) Use 'set security systemwide password-minimum-length <>' instead"; }
      leaf pcontent { type usersecu-type:pcontent-type; status deprecated; description "(Deprecated) Use 'set security systemwide password-mode <>' instead"; }
      leaf prot { type usersecu-type:prot-type; status deprecated; description "(Deprecated) Password Rotation"; }
      leaf smt { type usersecu-type:smt-type; status deprecated; description "(Deprecated) Provides permission to have multiple sessions"; }
      leaf dural { type usersecu-type:dural-type; status deprecated; description "(Deprecated) Duration of account lockout after maximum number of unsuccessful user login attempts"; }
      leaf maxinv { type usersecu-type:maxinv-type; status deprecated; description "(Deprecated) Maximum number of unsuccessful user login attempts before account gets locked out"; }
      leaf lastlogin { type usersecu-type:lastlogin-type; status deprecated; description "(Deprecated) Timestamp of the last login and number of login failures since last successful login"; }
      leaf warn { type usersecu-type:warn-type; status deprecated; description "(Deprecated) Set warning message"; }
      leaf debug { type usersecu-type:yORn-type; status deprecated; description "(Deprecated) Enable Debugging level Message"; }
    } // container systemwide

    // NOTE(review): certificate-id-type, ca-name-type and the 'secuCert'
    // prefix below are neither defined nor imported in the module text
    // shown — presumably merged in from other modules by the rendering;
    // confirm before compiling this file standalone.
    list certificates {
      key "certificate-id";
      max-elements 20;
      description "A list of certificates for this system.";
      leaf certificate-id { type certificate-id-type; }
      // Path on the device file system; the model does not constrain its form.
      leaf file-path { type string; mandatory true; description "The complete path to the .pem formatted certificate"; }
      // Operational (read-only) data.
      leaf information { type string; config false; description "information about the <cert-id>"; }
    } // list certificates

    list ca-profile {
      key "ca-name";
      max-elements 20;
      description "A list of certificate authority profiles for this system.";
      leaf ca-name { type ca-name-type; }
      // Leafref into this same list's key (see description).
      leaf ca-certificate-id {
        type leafref { path "/secu:security/secuCert:ca-profile/ca-name"; }
        mandatory true;
        description "<ca-certificate-id> should be same as ca-name.";
      }
      leaf file-path { type string; mandatory true; description "The complete path to the .crt formatted certificate"; }
      leaf information { type string; config false; description "information about the <ca-cert-id>"; }
    } // list ca-profile

    container system-generated-certificate {
      leaf information { type string; config false; description "information about the system-generated-certificate"; }
    } // container system-generated-certificate

    // NOTE(review): the 'radius' feature, the 'inet' and 'radius-client'
    // prefixes and the radius-authentication-type identity are not declared
    // or imported in the text shown — presumably contributed by augmenting
    // modules; confirm.
    container radius {
      if-feature radius;
      description "Configuration of the RADIUS client.";
      container authentication {
        // Up to five servers; failover semantics are given in the description.
        list auth-server {
          key "auth-server-name";
          max-elements 5;
          description "List of RADIUS servers used by the device. When the RADIUS client is invoked by a calling application, it sends the query to the first server in this list. If no response has been received within 'timeout' seconds, the client continues with the next server in the list. If no response is received from any server, the client continues with the first server again. 
                       When the client has traversed the list 'attempts' times without receiving any response, it gives up and returns an error to the calling application.";
          leaf auth-server-name { type string { length "1..64"; } description "An arbitrary name for the RADIUS server."; }
          // UDP is the only transport case modelled here.
          choice transport {
            mandatory true;
            description "The transport-protocol-specific parameters for this server.";
            container udp {
              description "Contains UDP-specific configuration parameters for RADIUS.";
              leaf auth-address { type inet:ip-address; mandatory true; description "The address of the RADIUS server."; }
              leaf auth-port { type uint16 { range "1..65535"; } default "1812"; description "The port number of the RADIUS server."; }
              // NOTE(review): plain 'string' type. The description says the
              // value should not be in clear text, but nothing in this module
              // marks or enforces that (no sensitive-data/obfuscation
              // annotation), so storage and echo-back are up to the server —
              // confirm.
              leaf auth-shared-secret {
                type string;
                mandatory true;
                description "The shared secret, which is known to both the RADIUS client and server. This shouldn't be in clear text";
                reference "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
              }
              // Per-server wait, 1..30 s, default 5.
              leaf auth-timeout {
                type uint8 { range "1..30"; }
                units "seconds";
                default "5";
                description "The number of seconds the device will wait for a response from each RADIUS server before trying with a different server.";
              }
            } // container udp
          } // choice transport
          leaf authentication-type {
            type identityref { base radius-authentication-type; }
            default "radius-pap";
            description "The authentication type requested from the RADIUS server.";
          }
        } // list auth-server
        // Full-list retries, 1..5, default 2.
        leaf auth-server-attempts {
          type uint8 { range "1..5"; }
          default "2";
          description "The number of times the device will send a query to all of its RADIUS servers before giving up.";
        }
        // Operator-ordered references into auth-server names.
        leaf-list auth-server-priority {
          type leafref { path "/secu:security/radius-client:radius/radius-client:authentication/radius-client:auth-server/radius-client:auth-server-name"; }
          ordered-by user;
          description "The order of servers the device will attempt authentication.";
        }
      } // container authentication

      container accounting {
        list acct-server {
          key "acct-server-name";
          max-elements 5;
          description "List of 
                       RADIUS servers used by the device. When the RADIUS client is invoked by a calling application, it sends the query to the first server in this list. If no response has been received within 'timeout' seconds, the client continues with the next server in the list. If no response is received from any server, the client continues with the first server again. When the client has traversed the list 'attempts' times without receiving any response, it gives up and returns an error to the calling application.";
          leaf acct-server-name { type string { length "1..64"; } description "An arbitrary name for the RADIUS server."; }
          choice transport {
            mandatory true;
            description "The transport-protocol-specific parameters for this server.";
            container udp {
              description "Contains UDP-specific configuration parameters for RADIUS.";
              leaf acct-address { type inet:ip-address; mandatory true; description "The address of the RADIUS server."; }
              leaf acct-port { type uint16 { range "1..65535"; } default "1813"; description "The port number of the RADIUS server."; }
              // NOTE(review): same plain-string shared secret as
              // auth-shared-secret above; nothing here enforces the
              // "shouldn't be in clear text" intent.
              leaf acct-shared-secret {
                type string;
                mandatory true;
                description "The shared secret, which is known to both the RADIUS client and server. 
                             This shouldn't be in clear text";
                reference "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
              }
              leaf acct-timeout {
                type uint8 { range "1..30"; }
                units "seconds";
                default "5";
                description "The number of seconds the device will wait for a response from each RADIUS server before trying with a different server.";
              }
            } // container udp
          } // choice transport
        } // list acct-server
        leaf acct-server-attempts {
          type uint8 { range "1..5"; }
          default "2";
          description "The number of times the device will send a query to all of its RADIUS servers before giving up.";
        }
        leaf-list acct-server-priority {
          type leafref { path "/secu:security/radius-client:radius/radius-client:accounting/radius-client:acct-server/radius-client:acct-server-name"; }
          ordered-by user;
          description "The order of servers the device will attempt to send accounting information.";
        }
      } // container accounting
    } // container radius
  } // container security

  // Group name to numeric gid; /users/user/group must reference one of these.
  list usergrp {
    key "group";
    description "User group related configurations";
    leaf group { type usersecu-type:group-type; }
    leaf gid { type int32; }
  } // list usergrp

  // Deprecated per-user security overrides; the key must name an existing
  // /users/user entry.
  list usersec {
    key "username";
    status deprecated;
    description "User security related configurations";
    leaf username {
      type usersecu-type:username-type;
      must "/secu:users/secu:user[secu:username=current()]/secu:username = current()" {
        error-message "Entered username must already be provisioned in users.";
      }
      status deprecated;
    }
    leaf uage { type usersecu-type:uage-type; status deprecated; }
    leaf page { type usersecu-type:page-type; status deprecated; }
    // Read-only and only present while password aging (page) is not OFF.
    leaf pidout { when "../page != 'OFF'"; type int32; config false; status deprecated; }
    leaf minit { type usersecu-type:minit-type; status deprecated; }
    leaf reauth { type usersecu-type:reauth-type; status deprecated; }
    leaf idle-timeout { type int32; status deprecated; }
  } // list usersec

  container users {
    // Anti-lockout constraint: the configuration is only valid while at least
    // one level-4 or level-6 user is in the 'allow' admin state.
    must "boolean(/secu:users/secu:user[(secu:group='level-4') and (secu:adminState='allow')] ) or 
          (/secu:users/secu:user[(secu:group='level-6') and (secu:adminState='allow')])" {
      error-message "Atleast one Level-4 or Level-6 user with allow admin state must be present";
    }
    description "Users related configurations";
    list user {
      key "username";
      max-elements 100;
      leaf username { type usersecu-type:username-type; mandatory true; }
      // Both a crypt-password and a password leaf exist and neither is
      // mandatory. Their types come from fujitsu-user-security-typedefs (not
      // shown), so whether 'password' is accepted/stored hashed cannot be
      // told from this module — NOTE(review): confirm in the typedefs module.
      leaf crypt-password { type usersecu-type:crypt-password-type; }
      leaf password { type usersecu-type:password-type; }
      // Must match an entry in /usergrp.
      leaf group {
        type usersecu-type:group-type;
        must "/secu:usergrp[secu:group=current()]/secu:group = current()" {
          error-message "entered group must be level-1, level-2..., or level-6";
        }
        mandatory true;
      }
      leaf adminState { type usersecu-type:adminState-type; default "allow"; }
    } // list user
  } // container users

  // Self-service password change. The model only requires the confirmation
  // leaf; the new/confirm equality check is not expressed here (no must), so
  // it lies in the RPC implementation.
  rpc change-password {
    description "RPC to change the logged in user's password";
    input {
      leaf currentPassword { type usersecu-type:password-type; mandatory true; description "provide the current password"; }
      leaf newPassword { type usersecu-type:password-type; mandatory true; description "provide a new password"; }
      leaf newPasswordConfirm { type usersecu-type:password-type; mandatory true; description "re-enter the new password "; }
    }
    output {
      leaf status {
        type enumeration {
          enum "Successful" { value 1; }
          enum "Failed" { value 2; }
        }
        mandatory true;
        description "Successful or Failed";
      }
      leaf status-message { type string; description "Gives a more detailed reason for success / failure"; }
    }
  } // rpc change-password
} // module fujitsu-user-security