From da688ecdde70f7325954e5c9a109cb0ff85eeff0 Mon Sep 17 00:00:00 2001
From: Lou Berger
Date: Tue, 17 May 2016 12:19:51 -0400
Subject: [PATCH] lib: change command logging to be off by default, and add 'log_commands' to enable it.

---
 doc/basic.texi | 7 +++++++
 lib/vty.c | 25 +++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/doc/basic.texi b/doc/basic.texi
index 0f7bec9c2e..4485665afa 100644
--- a/doc/basic.texi
+++ b/doc/basic.texi
@@ -185,6 +185,13 @@ In this example, the precision is set to provide timestamps with
 millisecond accuracy.
 @end deffn
 
+@deffn Command {log commands} {}
+This command enables the logging of all commands typed by a user to
+all enabled log destinations. The note that logging includes full
+command lines, including passwords. Once set, command logging can only
+be turned off by restarting the daemon.
+@end deffn
+
 @deffn Command {service password-encryption} {}
 Encrypt password.
 @end deffn
diff --git a/lib/vty.c b/lib/vty.c
index 68bf814ffd..7b39274ad2 100644
--- a/lib/vty.c
+++ b/lib/vty.c
@@ -90,6 +90,7 @@ static u_char restricted_mode = 0;
 
 /* Integrated configuration file path */
 char integrate_default[] = SYSCONFDIR INTEGRATE_DEFAULT_CONFIG;
+static int do_log_commands = 0;
 
 /* VTY standard output function. */
 int
@@ -402,12 +403,13 @@ vty_command (struct vty *vty, char *buf)
 int ret;
 vector vline;
 const char *protocolname;
- char *cp;
+ char *cp = NULL;
 
 /*
 * Log non empty command lines
 */
- cp = buf;
+ if (do_log_commands)
+ cp = buf;
 if (cp != NULL)
 {
 /* Skip white spaces. */
@@ -435,7 +437,7 @@ vty_command (struct vty *vty, char *buf)
 snprintf(prompt_str, sizeof(prompt_str), cmd_prompt (vty->node), vty_str);
 
 /* now log the command */
- zlog(NULL, LOG_NOTICE, "%s%s", prompt_str, buf);
+ zlog(NULL, LOG_ERR, "%s%s", prompt_str, buf);
 }
 /* Split readline string up into the vector */
 vline = cmd_make_strvec (buf);
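Review bot: `static int do_log_commands = 0;` is added with no comment saying what it gates or how it changes; a one-liner such as `/* Non-zero once "log commands" has been configured; vty_command() then logs every command line. Nothing in this file clears it, so it is restart-only. */` above the definition would save the next reader a search. Both halves of that sentence are visible in this patch: the flag is read in vty_command() and set to 1 by the log_commands DEFUN, and no hunk sets it back to 0.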
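Review bot: After `if (do_log_commands) cp = buf;`, the local `cp` carries two meanings — the cursor used to skip whitespace and the "logging is enabled" signal — and a reader only discovers the second one by connecting `char *cp = NULL;` a few lines up with the `if (cp != NULL)` tests that follow. Either test the flag where it matters, `if (do_log_commands && cp != NULL)`, or keep the structure and say so next to the assignment: `/* cp stays NULL when command logging is off, which skips the logging blocks below. */`. The `if (cp != NULL)` blocks and the rest of vty_command() continue past the end of this hunk.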
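Review bot: Changing the per-command log line to `zlog(NULL, LOG_ERR, "%s%s", prompt_str, buf);` labels ordinary operator activity as an error, and because `buf` is the full command line — the doc hunk in this patch says that includes passwords — a higher priority means the line now passes every destination threshold that admits errors, not only those configured to show notices. If the goal is for command logging to survive default log filtering, a dedicated facility or a separate log setting would keep error logs meaningful and limit where credential-bearing lines are copied; failing that, keeping `zlog(NULL, LOG_NOTICE, "%s%s", prompt_str, buf);` and documenting the priority choice in the `/* now log the command */` comment would be preferable. Redacting the argument of password-setting commands before the call would also be worth considering, since the log now opts in per daemon but still records secrets verbatim. vty_command() begins and ends outside this hunk.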
@@ -2957,6 +2959,17 @@ DEFUN (show_history,
 return CMD_SUCCESS;
 }
 
+/* vty login. */
+DEFUN (log_commands,
+ log_commands_cmd,
+ "log commands",
+ "Logging control\n"
+ "Log all commands (can't be unset without restart)\n")
+{
+ do_log_commands = 1;
+ return CMD_SUCCESS;
+}
+
 /* Display current configuration. */
 static int
 vty_config_write (struct vty *vty)
@@ -2988,7 +3001,10 @@ vty_config_write (struct vty *vty)
 else
 vty_out (vty, " anonymous restricted%s", VTY_NEWLINE);
 }
-
+
+ if (do_log_commands)
+ vty_out (vty, "log commands%s", VTY_NEWLINE);
+
 vty_out (vty, "!%s", VTY_NEWLINE);
 
 return CMD_SUCCESS;
@@ -3123,6 +3139,7 @@ vty_init (struct thread_master *master_thread)
 install_element (CONFIG_NODE, &service_advanced_vty_cmd);
 install_element (CONFIG_NODE, &no_service_advanced_vty_cmd);
 install_element (CONFIG_NODE, &show_history_cmd);
+ install_element (CONFIG_NODE, &log_commands_cmd);
 install_element (ENABLE_NODE, &terminal_monitor_cmd);
 install_element (ENABLE_NODE, &terminal_no_monitor_cmd);
 install_element (ENABLE_NODE, &no_terminal_monitor_cmd);
-- 
2.39.5
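Review bot: The comment `/* vty login. */` above the new DEFUN does not describe it — the command turns on command logging, not login — and reads as copied from a neighbouring block; `/* Enable logging of every command line; there is no "no" form, a restart is needed to turn it off. */` matches the help string two lines below. The help text and the doc hunk both state that the setting cannot be unset; if that is deliberate (so that audit logging cannot be silenced from the CLI once enabled) the comment should say so, and if not, a `no log commands` counterpart that sets `do_log_commands = 0;` and is installed next to `log_commands_cmd` in vty_init() would be the usual pairing. Note that vty_config_write() in the following hunk persists `log commands`, so removing the line from the saved config is the other half of "turning it off".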