Rancid-Fortigate:Filter cycling RSA private keys and Cycling password encryption
USE THE FOLLOWING FNRANCID FILE FOR BACKING UP FORTIGATE DEVICES WITHOUT RSA KEYS AND PASSWORD ENCRYPTION.
NOTE:SUGGESTED TO CHECK THE SCRIPT ONTEST FIREWALL
vi fnrancid
#! /usr/bin/perl
use Getopt::Std;
getopts('dflV');
if ($opt_V) {
print "@PACKAGE@ @VERSION@\n";
exit(0);
}
$log = $opt_l;
$debug = $opt_d;
#$debug = 1;
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
$timeo = 90; # fnlogin timeout in seconds
my(@commandtable, %commands, @commands);# command lists
my($aclsort) = ("ipsort"); # ACL sorting mode
my($filter_commstr); # SNMP community string filtering
my($filter_pwds); # password filtering mode
# This routine is used to print out the router configuration
sub ProcessHistory {
my($new_hist_tag,$new_command,$command_string,@string) = (@_);
if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
&& scalar(%history)) {
print eval "$command \%history";
undef %history;
}
if (($new_hist_tag) && ($new_command) && ($command_string)) {
if ($history{$command_string}) {
$history{$command_string} = "$history{$command_string}@string";
} else {
$history{$command_string} = "@string";
}
} elsif (($new_hist_tag) && ($new_command)) {
$history{++$#history} = "@string";
} else {
print "@string";
}
$hist_tag = $new_hist_tag;
$command = $new_command;
1;
}
sub numerically { $a <=> $b; }
# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort numerically keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort values %lines) {
$sorted_lines[$i] = $key;
$i++;
}
@sorted_lines;
}
# This is a numerical sort routine (ascending).
sub numsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $num (sort {$a <=> $b} keys %lines) {
$sorted_lines[$i] = $lines{$num};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $addr (sort sortbyipaddr keys %lines) {
$sorted_lines[$i] = $lines{$addr};
$i++;
}
@sorted_lines;
}
# These two routines will sort based upon IP addresses
sub ipaddrval {
my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
&ipaddrval($a) <=> &ipaddrval($b);
}
# This routine parses "get system"
sub GetSystem {
print STDERR " In GetSystem: $_" if ($debug);
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);
next if (/^system time:/i);
next if (/^\s*Virus-DB: .*/);
next if (/^\s*Extended DB: .*/);
next if (/^\s*IPS-DB: .*/);
next if (/^FortiClient application signature package:/);
ProcessHistory("","","","#$_");
}
ProcessHistory("SYSTEM","","","\n");
return(0);
}
sub GetFile {
print STDERR " In GetFile: $_" if ($debug);
while (<INPUT>) {
last if (/$prompt/);
}
ProcessHistory("FILE","","","\n");
return(0);
}
sub GetConf {
print STDERR " In GetConf: $_" if ($debug);
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);
# System time is fortigate extraction time
next if (/^\s*!System time:/);
# remove occurrances of conf_file_ver
next if (/^#?conf_file_ver=/);
# filter cycling RSA private keys
if (/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/) {
ProcessHistory("","","","#$_");
ProcessHistory("","","","# <removed>");
while (<INPUT>) {
tr/\015//d;
last if (/$prompt/);
if (/^\s*-----END RSA PRIVATE KEY-----"/) {
ProcessHistory("","","","#$_");
last;
}
}
}
# filter cycling password encryption
if (/^\s*(set [^\s]*)\s(ENC\s[^\s]+)(.*)/i ) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
}
ProcessHistory("","","","$_");
}
$found_end = 1;
return(1);
}
# dummy function
sub DoNothing {print STDOUT;}
# Main
@commandtable = (
{'get system status' => 'GetSystem'},
{'show full-configuration' => 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);
$cisco_cmds=join(";",@commands);
$cmds_regexp = join("|", map quotemeta($_), @commands);
if (length($host) == 0) {
if ($file) {
print(STDERR "Too few arguments: file name required\n");
exit(1);
} else {
print(STDERR "Too few arguments: host name required\n");
exit(1);
}
}
open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }
if ($file) {
print STDERR "opening file $host\n" if ($debug);
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
print STDERR "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
print STDOUT "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
system "fnlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "fnlogin failed for $host: $!\n";
open(INPUT, "< $host.raw") || die "fnlogin failed for $host: $!\n";
} else {
open(INPUT,"fnlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "fnlogin failed for $host: $!\n";
}
}
# determine ACL sorting mode
if ($ENV{"ACLSORT"} =~ /no/i) {
$aclsort = "";
}
# determine community string filtering mode
if (defined($ENV{"NOCOMMSTR"}) &&
($ENV{"NOCOMMSTR"} =~ /yes/i || $ENV{"NOCOMMSTR"} =~ /^$/)) {
$filter_commstr = 1;
} else {
$filter_commstr = 0;
}
# determine password filtering mode
if ($ENV{"FILTER_PWDS"} =~ /no/i) {
$filter_pwds = 0;
} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
$filter_pwds = 2;
} else {
$filter_pwds = 1;
}
ProcessHistory("","","","#RANCID-CONTENT-TYPE: fortigate\n\n");
TOP: while(<INPUT>) {
tr/\015//d;
if (/^Error:/) {
print STDOUT ("$host fnlogin error: $_");
print STDERR ("$host fnlogin error: $_") if ($debug);
last;
}
while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) {
$cmd = $2;
# - FortiGate prompts end with either '#' or '$'. Further, they may
# be prepended with a '~' if the hostname is too long. Therefore,
# we need to figure out what our prompt really is.
if (!defined($prompt)) {
if ($_ =~ m/^.+\~\$/) {
$prompt = '\~\$ .*';
} else {
if ($_ =~ m/^.+\$/) {
$prompt = ' \$ .*';
} else {
if ($_ =~ m/^.+\~#/) {
$prompt = '\~# .*';
} else {
if ($_ =~ m/^.+#/) {
$prompt = ' # .*';
}
}
}
}
}
print STDERR ("HIT COMMAND:$_") if ($debug);
if (!defined($commands{$cmd})) {
print STDERR "$host: found unexpected command - \"$cmd\"\n";
last TOP;
}
$rval = &{$commands{$cmd}};
delete($commands{$cmd});
if ($rval == -1) {
last TOP;
}
}
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);
if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
unlink("$host.raw") if (! $debug);
}
# check for completeness
if (scalar(%commands) || !$found_end) {
if (scalar(%commands)) {
printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
}
if (!$found_end) {
print STDOUT "$found_end: found end\n";
print STDOUT "$host: End of run not found\n";
print STDERR "$host: End of run not found\n" if ($debug);
system("/usr/bin/tail -1 $host.new");
}
unlink "$host.new" if (! $debug);
}
use Getopt::Std;
getopts('dflV');
if ($opt_V) {
print "@PACKAGE@ @VERSION@\n";
exit(0);
}
$log = $opt_l;
$debug = $opt_d;
#$debug = 1;
$file = $opt_f;
$host = $ARGV[0];
$found_end = 0;
$timeo = 90; # fnlogin timeout in seconds
my(@commandtable, %commands, @commands);# command lists
my($aclsort) = ("ipsort"); # ACL sorting mode
my($filter_commstr); # SNMP community string filtering
my($filter_pwds); # password filtering mode
# This routine is used to print out the router configuration
sub ProcessHistory {
my($new_hist_tag,$new_command,$command_string,@string) = (@_);
if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
&& scalar(%history)) {
print eval "$command \%history";
undef %history;
}
if (($new_hist_tag) && ($new_command) && ($command_string)) {
if ($history{$command_string}) {
$history{$command_string} = "$history{$command_string}@string";
} else {
$history{$command_string} = "@string";
}
} elsif (($new_hist_tag) && ($new_command)) {
$history{++$#history} = "@string";
} else {
print "@string";
}
$hist_tag = $new_hist_tag;
$command = $new_command;
1;
}
sub numerically { $a <=> $b; }
# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort numerically keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort keys(%lines)) {
$sorted_lines[$i] = $lines{$key};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $key (sort values %lines) {
$sorted_lines[$i] = $key;
$i++;
}
@sorted_lines;
}
# This is a numerical sort routine (ascending).
sub numsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $num (sort {$a <=> $b} keys %lines) {
$sorted_lines[$i] = $lines{$num};
$i++;
}
@sorted_lines;
}
# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
local(%lines) = @_;
local($i) = 0;
local(@sorted_lines);
foreach $addr (sort sortbyipaddr keys %lines) {
$sorted_lines[$i] = $lines{$addr};
$i++;
}
@sorted_lines;
}
# These two routines will sort based upon IP addresses
sub ipaddrval {
my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
&ipaddrval($a) <=> &ipaddrval($b);
}
# This routine parses "get system"
sub GetSystem {
print STDERR " In GetSystem: $_" if ($debug);
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);
next if (/^system time:/i);
next if (/^\s*Virus-DB: .*/);
next if (/^\s*Extended DB: .*/);
next if (/^\s*IPS-DB: .*/);
next if (/^FortiClient application signature package:/);
ProcessHistory("","","","#$_");
}
ProcessHistory("SYSTEM","","","\n");
return(0);
}
sub GetFile {
print STDERR " In GetFile: $_" if ($debug);
while (<INPUT>) {
last if (/$prompt/);
}
ProcessHistory("FILE","","","\n");
return(0);
}
sub GetConf {
print STDERR " In GetConf: $_" if ($debug);
while (<INPUT>) {
tr/\015//d;
next if /^\s*$/;
last if (/$prompt/);
# System time is fortigate extraction time
next if (/^\s*!System time:/);
# remove occurrances of conf_file_ver
next if (/^#?conf_file_ver=/);
# filter cycling RSA private keys
if (/^\s*set private-key "-----BEGIN RSA PRIVATE KEY-----/) {
ProcessHistory("","","","#$_");
ProcessHistory("","","","# <removed>");
while (<INPUT>) {
tr/\015//d;
last if (/$prompt/);
if (/^\s*-----END RSA PRIVATE KEY-----"/) {
ProcessHistory("","","","#$_");
last;
}
}
}
# filter cycling password encryption
if (/^\s*(set [^\s]*)\s(ENC\s[^\s]+)(.*)/i ) {
ProcessHistory("ENC","","","#$1 ENC <removed> $3\n");
next;
}
ProcessHistory("","","","$_");
}
$found_end = 1;
return(1);
}
# dummy function
sub DoNothing {print STDOUT;}
# Main
@commandtable = (
{'get system status' => 'GetSystem'},
{'show full-configuration' => 'GetConf'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);
$cisco_cmds=join(";",@commands);
$cmds_regexp = join("|", map quotemeta($_), @commands);
if (length($host) == 0) {
if ($file) {
print(STDERR "Too few arguments: file name required\n");
exit(1);
} else {
print(STDERR "Too few arguments: host name required\n");
exit(1);
}
}
open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }
if ($file) {
print STDERR "opening file $host\n" if ($debug);
print STDOUT "opening file $host\n" if ($log);
open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
print STDERR "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
print STDOUT "executing fnlogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
system "fnlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "fnlogin failed for $host: $!\n";
open(INPUT, "< $host.raw") || die "fnlogin failed for $host: $!\n";
} else {
open(INPUT,"fnlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "fnlogin failed for $host: $!\n";
}
}
# determine ACL sorting mode
if ($ENV{"ACLSORT"} =~ /no/i) {
$aclsort = "";
}
# determine community string filtering mode
if (defined($ENV{"NOCOMMSTR"}) &&
($ENV{"NOCOMMSTR"} =~ /yes/i || $ENV{"NOCOMMSTR"} =~ /^$/)) {
$filter_commstr = 1;
} else {
$filter_commstr = 0;
}
# determine password filtering mode
if ($ENV{"FILTER_PWDS"} =~ /no/i) {
$filter_pwds = 0;
} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
$filter_pwds = 2;
} else {
$filter_pwds = 1;
}
ProcessHistory("","","","#RANCID-CONTENT-TYPE: fortigate\n\n");
TOP: while(<INPUT>) {
tr/\015//d;
if (/^Error:/) {
print STDOUT ("$host fnlogin error: $_");
print STDERR ("$host fnlogin error: $_") if ($debug);
last;
}
while (/^.+(#|\$)\s*($cmds_regexp)\s*$/) {
$cmd = $2;
# - FortiGate prompts end with either '#' or '$'. Further, they may
# be prepended with a '~' if the hostname is too long. Therefore,
# we need to figure out what our prompt really is.
if (!defined($prompt)) {
if ($_ =~ m/^.+\~\$/) {
$prompt = '\~\$ .*';
} else {
if ($_ =~ m/^.+\$/) {
$prompt = ' \$ .*';
} else {
if ($_ =~ m/^.+\~#/) {
$prompt = '\~# .*';
} else {
if ($_ =~ m/^.+#/) {
$prompt = ' # .*';
}
}
}
}
}
print STDERR ("HIT COMMAND:$_") if ($debug);
if (!defined($commands{$cmd})) {
print STDERR "$host: found unexpected command - \"$cmd\"\n";
last TOP;
}
$rval = &{$commands{$cmd}};
delete($commands{$cmd});
if ($rval == -1) {
last TOP;
}
}
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);
if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
unlink("$host.raw") if (! $debug);
}
# check for completeness
if (scalar(%commands) || !$found_end) {
if (scalar(%commands)) {
printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
}
if (!$found_end) {
print STDOUT "$found_end: found end\n";
print STDOUT "$host: End of run not found\n";
print STDERR "$host: End of run not found\n" if ($debug);
system("/usr/bin/tail -1 $host.new");
}
unlink "$host.new" if (! $debug);
}
Comments
Post a Comment