def testValues_sync_diff_09():
"""Test diffs with explicit ignore_order=True"""
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!',
'vtp mode transparent',
]
required_config = ['!',
'vtp mode transparent',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = [
'no vlan 53',
'vlan 51',
' name SOME-VLAN',
'vlan 52',
' name BLAH',
' state active',
]
linespec = r'vlan\s+\S+|name\s+\S+|state.+|vtp'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec, ignore_order=True)
assert result_correct==test_result
def testValues_sync_diff_06():
"""Test diffs against double-spacing for children (such as NXOS)"""
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!',
]
required_config = ['!',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = ['no vlan 53', 'vlan 51', ' name SOME-VLAN', 'vlan 52',
' name BLAH', ' state active']
linespec = r'vlan\s+\S+|name\s+\S+|state.+'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec)
assert result_correct==test_result
def testValues_sync_diff_07():
"""Test diffs with remove_lines=False"""
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!',
'vtp mode transparent',
]
required_config = ['!',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = ['vlan 51', ' name SOME-VLAN', 'vlan 52',
' name BLAH', ' state active']
linespec = r'vlan\s+\S+|name\s+\S+|state.+'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec, remove_lines=False)
assert result_correct==test_result
def testValues_sync_diff_09():
"""Test diffs with explicit ignore_order=True"""
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!',
'vtp mode transparent',
]
required_config = ['!',
'vtp mode transparent',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = [
'no vlan 53',
'vlan 51',
' name SOME-VLAN',
'vlan 52',
' name BLAH',
' state active',
]
linespec = r'vlan\s+\S+|name\s+\S+|state.+|vtp'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec, ignore_order=True)
assert result_correct==test_result
def testValues_sync_diff_07():
"""Test diffs with remove_lines=False"""
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!',
'vtp mode transparent',
]
required_config = ['!',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = ['vlan 51', ' name SOME-VLAN', 'vlan 52',
' name BLAH', ' state active']
linespec = r'vlan\s+\S+|name\s+\S+|state.+'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec, remove_lines=False)
assert result_correct==test_result
def testValues_sync_diff_06():
"""Test diffs against double-spacing for children (such as NXOS)"""
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!',
]
required_config = ['!',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = ['no vlan 53', 'vlan 51', ' name SOME-VLAN', 'vlan 52',
' name BLAH', ' state active']
linespec = r'vlan\s+\S+|name\s+\S+|state.+'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec)
assert result_correct==test_result
def testValues_sync_diff_04():
"""Test diffs against double-spacing for children (such as NXOS)"""
## config_01 is the starting point
config_01 = [
'!', 'interface GigabitEthernet 1/5',
' ip address 1.1.1.2 255.255.255.0', ' standby 5 ip 1.1.1.1',
' standby 5 preempt', '!'
]
required_config = [
'!',
'interface GigabitEthernet 1/5',
' switchport',
' switchport mode access',
' switchport access vlan 5',
' switchport nonegotiate',
'!',
'interface Vlan5',
' no shutdown',
' ip address 1.1.1.2 255.255.255.0',
' standby 5 ip 1.1.1.1',
' standby 5 preempt',
'!',
]
result_correct = [
'interface GigabitEthernet 1/5',
' no ip address 1.1.1.2 255.255.255.0',
' no standby 5 ip 1.1.1.1',
' no standby 5 preempt',
'interface GigabitEthernet 1/5',
' switchport',
' switchport mode access',
' switchport access vlan 5',
' switchport nonegotiate',
'interface Vlan5',
' no shutdown',
' ip address 1.1.1.2 255.255.255.0',
' standby 5 ip 1.1.1.1',
' standby 5 preempt',
]
linespec = r''
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec)
assert result_correct == test_result
def testValues_sync_diff_04():
"""Test diffs against double-spacing for children (such as NXOS)"""
## config_01 is the starting point
config_01 = ['!',
'interface GigabitEthernet 1/5',
' ip address 1.1.1.2 255.255.255.0',
' standby 5 ip 1.1.1.1',
' standby 5 preempt',
'!']
required_config = ['!',
'interface GigabitEthernet 1/5',
' switchport',
' switchport mode access',
' switchport access vlan 5',
' switchport nonegotiate',
'!',
'interface Vlan5',
' no shutdown',
' ip address 1.1.1.2 255.255.255.0',
' standby 5 ip 1.1.1.1',
' standby 5 preempt',
'!',
]
result_correct = ['interface GigabitEthernet 1/5',
' no ip address 1.1.1.2 255.255.255.0',
' no standby 5 ip 1.1.1.1',
' no standby 5 preempt',
'interface GigabitEthernet 1/5',
' switchport',
' switchport mode access',
' switchport access vlan 5',
' switchport nonegotiate',
'interface Vlan5',
' no shutdown',
' ip address 1.1.1.2 255.255.255.0',
' standby 5 ip 1.1.1.1',
' standby 5 preempt',
]
linespec = r''
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec)
assert result_correct==test_result
def testValues_sync_diff_05():
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!']
required_config = ['!',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = ['no vlan 53', 'vlan 51', ' name SOME-VLAN', 'vlan 52',
' name BLAH', ' state active']
linespec = r'vlan\s+\S+|name\s+\S+|state.+'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec)
assert result_correct==test_result
def testValues_sync_diff_05():
## config_01 is the starting point
config_01 = ['!',
'vlan 51',
' state active',
'vlan 53',
'!']
required_config = ['!',
'vlan 51',
' name SOME-VLAN',
' state active',
'vlan 52',
' name BLAH',
' state active',
'!',]
result_correct = ['no vlan 53', 'vlan 51', ' name SOME-VLAN', 'vlan 52',
' name BLAH', ' state active']
linespec = r'vlan\s+\S+|name\s+\S+|state.+'
parse = CiscoConfParse(config_01)
test_result = parse.sync_diff(required_config, linespec, linespec)
assert result_correct==test_result
!""".splitlines()
try:
CONFIG_PATH = glob(sys.argv[1])
except IndexError:
raise ValueError(
"This script must be called with a config path-glob to be audited as the argument"
)
secret = getpass('Enable Secret: ')
for filename in CONFIG_PATH:
print "--- {0} ---".format(filename)
parse = CiscoConfParse(filename)
# Print out simple diff conditions - i.e. no regexp matching...
print os.linesep.join(parse.sync_diff(RECOMMENDED, '', remove_lines=False))
# Default enable secret config...
default_enab_sec = 'enable secret {0}'.format(secret)
try:
# Build an enable secret string...
enab_sec_regex = r'^enable\s+secret\s+(\d+)\s+\S+'
# Get the encryption level as an int...
enab_sec_level = parse.find_objects(
enab_sec_regex, )[0].re_match_typed(enab_sec_regex,
group=1,
default=-1,
result_type=int)
if enab_sec_level == 0:
print default_enab_sec
except IndexError:
def cisco_audit_diff(node_object, index, template, AUDIT_FILTER_RE, output,
remediation):
### INDEX_LIST IS A LIST OF ALL THE POSITIONS COLLECTED FROM INDEX_POSITION VARIABLE
index_list = []
### FILTER_CONFIG IS A LIST OF COLLECTION OF ALL THE AUDIT FILTERS THAT MATCHED THE LINES IN BACKUP_CONFIG. THESE ENTRIES DO NOT CONTAIN DEPTHS/DEEP CONFIGS
filtered_config = []
### FILTERED_BACKUP_CONFIG IS THE FINAL LIST OF ALL THE AUDIT FILTERS THAT MATCHES THE LINES IN BACKUP_CONFIG. THESE ENTRIES INCLUDE DEPTHS/DEEP CONFIGS
filtered_backup_config = []
### THIS SECTION OF CODE WILL OPEN THE RENDERED-CONFIG *.CONF FILE AND STORE IN RENDERED_CONFIG AS A LIST
f = open(
"/rendered-configs/{}.{}".format(node_object[index]['hostname'],
template.split('.')[0]) + ".conf",
"r")
init_config = f.readlines()
# print"INIT_CONFIG: {}".format(init_config)
### RENDERED_CONFIG IS A LIST OF ALL THE CONFIGS THAT WAS RENDERED FROM THE TEMPLATES (SOURCE OF TRUTH)
rendered_config = []
for config_line in init_config:
strip_config = config_line.strip('\n')
### THIS WILL REMOVE ANY LINES THAT ARE EMPTY OR HAS A '!' MARK
if (strip_config == '' or strip_config == "!"):
continue
else:
rendered_config.append(strip_config)
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print ("RENDERED CONFIG: {}".format(rendered_config))
### THIS SECTION OF CODE WILL OPEN BACKUP-CONFIG *.CONF FILE AND STORE IN BACKUP_CONFIG AS A LIST
f = open(
"/backup-configs/{}".format(node_object[index]['hostname']) + ".conf",
"r")
init_config = f.readlines()
backup_config = []
for config_line in init_config:
strip_config = config_line.strip('\n')
backup_config.append(strip_config)
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print ("BACKUP CONFIG: {}".format(backup_config))
### THIS WILL OPEN THE JINJA2 TEMPLATE AND PARSE OUT THE AUDIT_FILTER SECTION VIA REGULAR EXPRESSION
directory = get_template_directory(node_object[index]['platform'],
node_object[index]['opersys'],
node_object[index]['type'])
f = open("{}".format(directory) + template, "r")
parse_audit = f.readline()
audit_filter = eval(re.findall(AUDIT_FILTER_RE, parse_audit)[0])
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print ("AUDIT_FILTER: {}".format(audit_filter))
### FILTER OUT THE BACKUP_CONFIGS WITH THE AUDIT_FILTER
### THIS WILL TAKE EACH ELEMENT FROM THE AUDIT_FILTER LIST AND SEARCH FOR THE MATCHED LINES IN BACKUP_CONFIG
### PARSING THE BACKUP CONFIGS
parse_backup_configs = CiscoConfParse(
"/backup-configs/{}".format(node_object[index]['hostname']) + ".conf",
syntax=get_syntax(node_object, index))
# print "SYNTAX: {}".format(get_syntax(node_object,index))
### MATCHED ENTRIES ARE THEN APPENDED TO FILTER_BACKUP_CONFIG VARIABLE AS A LIST
### FUNCTION CALL TO PARSE_AUDIT_FILTER() TO FIND ALL THE PARENT/CHILD
filtered_backup_config = parse_audit_filter(node_object, index,
parse_backup_configs,
audit_filter)
### UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print("FILTERED BACKUP CONFIG: {}".format(filtered_backup_config))
### SYNC_DIFF WILL DIFF OUT THE FILTERED_BACKUP_COFNIG FROM THE RENDERED CONFIG AND STORE WHATEVER COMMANDS THAT
### COMMANDS THAT NEED TO BE ADDED/REMOVE IN PUSH_CONFIGS VARIABLE
parse = CiscoConfParse(filtered_backup_config)
push_configs = parse.sync_diff(rendered_config,
"",
ignore_order=True,
remove_lines=True,
debug=False)
if (len(push_configs) == 0):
if (output):
print("{}{} (none)".format(directory, template))
print('')
else:
### THIS WILL JUST PRINT THE HEADING OF THE TEMPLATE NAME SO YOU KNOW WHAT IS BEING CHANGED UNDER WHICH TEMPLATE
if (output):
print("{}{}".format(directory, template))
for line in push_configs:
search = parse_backup_configs.find_objects(r"^{}".format(line))
if ('no' in line):
line = re.sub("no", "", line)
if (not remediation):
print("-{}".format(line))
elif (len(search) == 0):
if (not remediation):
print("+ {}".format(line))
elif (len(search) > 1):
if (not remediation):
print("+ {}".format(line))
else:
if (not remediation):
print(" {}".format(line))
print("")
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print("PUSH_CONFIGS: {}".format(push_configs))
if (remediation):
### THIS STEP WILL APPEND REMEDIATION CONFIGS FROM TEMPLATE (EXPECTED RESULTS)
for config in push_configs:
node_configs.append(config)
ntw_device_pop = False
### INITIALIZE.COFIGURATION APPENDS ALL THE REMEDIATED CONFIGS AND PREPARES IT FOR PUSH
if (auditcreeper == False):
initialize.configuration.append(node_configs)
node_index = node_index + 1
def generic_audit_diff(node_object, index, template, template_list,
AUDIT_FILTER_RE, output, with_remediation):
for template in template_list:
filtered_backup_config = []
rendered_config = []
backup_config = []
commands = []
"""
:param filtered_backup_config: Audit filters that matches the lines in backup_config. Entries include depths/deep configs.
:type filtered_backup_config: list
:param rendered_config: Rendered configs from the templates.
:type rendered_config: list
:param backup_config: Backup configs from the 'show run', 'list ltm' etc...
:type backup_config: list
:param commands: ... Configurations generated from the diff'ed output.
:type commands: list
"""
f = open(
"{}/rendered-configs/{}.{}".format(
home_directory, node_object[index]['name'],
template.split('.')[0]) + ".conf", "r")
init_config = f.readlines()
for config_line in init_config:
strip_config = config_line.strip('\n')
if (strip_config == '' or strip_config == "!"):
continue
else:
rendered_config.append(strip_config)
f = open(
"{}/backup-configs/{}".format(
home_directory, node_object[index]['name']) + ".conf", "r")
init_config = f.readlines()
for config_line in init_config:
strip_config = config_line.strip('\n')
backup_config.append(strip_config)
directory = get_template_directory(
node_object[index]['hardware_vendor'],
node_object[index]['opersys'], node_object[index]['type'])
f = open("{}".format(directory) + template, "r")
parse_audit = f.readline()
"""
This will take each element from the audit_filter list and search for the matched lines in backup_config.
"""
audit_filter = eval(re.findall(AUDIT_FILTER_RE, parse_audit)[0])
parse_backup_configs = CiscoConfParse("{}/backup-configs/{}".format(
home_directory, node_object[index]['name']) + ".conf",
syntax=get_syntax(
node_object, index))
"""
Matched entries are then appended to the filter_backup_config variable. parse_audit_filter() call will find all parent/child.
"""
filtered_backup_config = parse_audit_filter(node_object, index,
parse_backup_configs,
audit_filter)
"""
sync_diff() will diff out the filtered_backup_config from the rendered_configs and store whatever commands that has deltas.
"""
parse = CiscoConfParse(filtered_backup_config)
push_configs = parse.sync_diff(rendered_config,
"",
ignore_order=True,
remove_lines=True,
debug=False)
"""
If there are no diffs and only and audit diff is executed, (none) will be printed to show users the result. However, if there are no diffs but a push cfgs
if executed resulting in output set as false, an empty list is appended.
"""
if (len(push_configs) == 0):
if output:
print("{}{} (none)".format(directory, template))
print('')
else:
initialize.configuration.append([])
print('There are no diffs to be pushed for template {} on {}'.
format(template, node_object[index]['name']))
if len(initialize.element) == 0:
break
else:
"""
If an audit diff is executed, the diff is outputed to user. If a push cfgs is executed against Cisco like platforms, the commands from the diff are executed
with the negation (no). This is to maintain the sequence of the the commands in order to match the jinja2 templates. What you see on the template is what the
users want exactly as the running-configurations. The with_remediation flag is no longer required on the template itself as it may cause disruptions to
services. For example, blowing out an entire logging configs (no logging) and readding all the logging host back on.
"""
if output:
print("{}{}".format(directory, template))
for line in push_configs:
search = parse_backup_configs.find_objects(
r"^{}".format(line))
if re.search(r'^no', line) or re.search(r'\sno', line):
line = re.sub("no", "", line)
print("-{}".format(line))
elif (len(search) == 0):
print("+ {}".format(line))
elif (len(search) > 1):
print("+ {}".format(line))
else:
print(" {}".format(line))
else:
for line in push_configs:
commands.append(line)
initialize.configuration.append(commands)
print("")
# if(with_remediation):
# for config in push_configs:
# node_configs.append(config)
# ntw_device_pop = False
# if(auditcreeper == False):
# initialize.configuration.append(node_configs)
# node_index = node_index + 1
return None
pass
elif re.match(r'^\s*$', line) :
pass
elif re.search(r'^\[', line) :
chunkName = re.sub(r'[\[\]]', '', line)
line = cf.readline()
line = line.rstrip('\r\n')
linespec = line
line = cf.readline()
line = line.rstrip('\r\n')
req = []
while line :
if re.search(r'^#', line) :
pass
elif re.match(r'^\s*$', line) :
pass
else :
req.append(line);
line = cf.readline()
line = line.rstrip('\r\n')
diffs = parse.sync_diff(req, linespec)
print '!!! Auditing', chunkName
for i in diffs :
print i
else :
pass
line = cf.readline()
cf.close()
def auditdiff_engine(template_list, node_object, auditcreeper, output,
remediation):
controller = 'get_config'
command = ''
### PUSH_CONFIGS IS A LIST OF THE FINAL CONFIGS TO BE PUSHED
# push_configs = []
### INDEX_POSITION IS THE INDEX OF ALL THE MATCHED FILTER_CONFIG AGAINST THE BACKUP_CONFIGS. THE INDEX IS COMING FROM THE BACKUP_CONFIG
index_position = 0
### NODE_INDEX KEEPS TRACK OF THE INDEX IN INITIALIZE.NTW_DEVICE. IF REMEDIATION IS NOT REQUIRED (CONFIGS MATCHES TEMPLATE), THEN THE NODE IS POPPED OFF
### INITIALIZE.NTW_DEVICE AND NOTHING IS CHANGED ON THAT DEVICE
node_index = 0
### AUDIT_FILTER_RE IS THE REGULAR EXPRESSION TO FILTER OUT THE AUDIT FILTER IN EVERY TEMPLATE
AUDIT_FILTER_RE = r"\[.*\]"
### TEMPLATE_LIST_COPY TAKE A COPY OF THE CURRENT TEMPLATE_LIST
template_list_copy = template_list
if (auditcreeper):
template_list = template_list_copy[0]
print("[+] [COMPUTING DIFF. STANDBY...]")
multithread_engine(initialize.ntw_device, controller, command)
### THIS FOR LOOP WILL LOOP THROUGH ALL THE MATCHED ELEMENTS FROM THE USER SEARCH AND AUDIT ON SPECIFIC TEMPLATE OR IF NO ARGUMENT IS GIVEN, ALL TEMPLATES
for index in initialize.element:
### NODE_CONFIG IS THE FINALIZED CONFIG TO PUSH TO THE NODE FOR REMEDIATION
node_configs = []
ntw_device_pop = True
### TEMPLATE_NAME IS SET TO TRUE IN ORDER TO PRINT OUT THE TEMPLATE HEADING WHEN RECURSING
template_name = True
if (not remediation):
print("Only in the device: -")
print("Only in the generated config: +")
print("{}".format(node_object[index]['hostname']))
### THIS WILL LOOP THROUGH ALL THE TEMPLATES SPECIFIED FOR THE PARTICULAR HOST IN NODES.YAML
for template in template_list:
### INDEX_LIST IS A LIST OF ALL THE POSITIONS COLLECTED FROM INDEX_POSITION VARIABLE
index_list = []
### FILTER_CONFIG IS A LIST OF COLLECTION OF ALL THE AUDIT FILTERS THAT MATCHED THE LINES IN BACKUP_CONFIG. THESE ENTRIES DO NOT CONTAIN DEPTHS/DEEP CONFIGS
filtered_config = []
### FILTERED_BACKUP_CONFIG IS THE FINAL LIST OF ALL THE AUDIT FILTERS THAT MATCHES THE LINES IN BACKUP_CONFIG. THESE ENTRIES INCLUDE DEPTHS/DEEP CONFIGS
filtered_backup_config = []
### THIS SECTION OF CODE WILL PROCESS THE TEMPLATE AND OUTPUT TO A *.CONF FILE
directory = get_directory(node_object[index]['platform'],
node_object[index]['os'],
node_object[index]['type'])
env = Environment(loader=FileSystemLoader("{}".format(directory)))
baseline = env.get_template(template)
f = open(
"/rendered-configs/{}".format(node_object[index]['hostname']) +
".conf", "w")
### GENERATING TEMPLATE BASED ON NODE OBJECT
config = baseline.render(nodes=node_object[index])
f.write(config)
f.close
### THIS SECTION OF CODE WILL OPEN THE RENDERED-CONFIG *.CONF FILE AND STORE IN RENDERED_CONFIG AS A LIST
f = open(
"/rendered-configs/{}".format(node_object[index]['hostname']) +
".conf", "r")
init_config = f.readlines()
### RENDERED_CONFIG IS A LIST OF ALL THE CONFIGS THAT WAS RENDERED FROM THE TEMPLATES (SOURCE OF TRUTH)
rendered_config = []
for config_line in init_config:
strip_config = config_line.strip('\n')
### THIS WILL REMOVE ANY LINES THAT ARE EMPTY OR HAS A '!' MARK
if (strip_config == '' or strip_config == "!"):
continue
else:
rendered_config.append(strip_config)
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print ("RENDERED CONFIG: {}".format(rendered_config))
### THIS SECTION OF CODE WILL OPEN BACKUP-CONFIG *.CONF FILE AND STORE IN BACKUP_CONFIG AS A LIST
f = open(
"/backup-configs/{}".format(node_object[index]['hostname']) +
".conf", "r")
init_config = f.readlines()
backup_config = []
for config_line in init_config:
strip_config = config_line.strip('\n')
backup_config.append(strip_config)
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print ("BACKUP CONFIG: {}".format(backup_config))
### THIS WILL OPEN THE JINJA2 TEMPLATE AND PARSE OUT THE AUDIT_FILTER SECTION VIA REGULAR EXPRESSION
directory = get_directory(node_object[index]['platform'],
node_object[index]['os'],
node_object[index]['type'])
f = open("{}".format(directory) + template, "r")
parse_audit = f.readline()
audit_filter = eval(re.findall(AUDIT_FILTER_RE, parse_audit)[0])
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print ("AUDIT_FILTER: {}".format(audit_filter))
### FILTER OUT THE BACKUP_CONFIGS WITH THE AUDIT_FILTER
### THIS WILL TAKE EACH ELEMENT FROM THE AUDIT_FILTER LIST AND SEARCH FOR THE MATCHED LINES IN BACKUP_CONFIG
### MATCHED ENTRIES ARE THEN APPENDED TO FILTER_CONFIG VARIABLE AS A LIST
parse_backup_configs = CiscoConfParse(
"/backup-configs/{}".format(node_object[index]['hostname']) +
".conf")
for audit in audit_filter:
current_template = parse_backup_configs.find_objects(
r"^{}".format(audit))
for audit_string in current_template:
filtered_backup_config.append(audit_string.text)
if (audit_string.is_parent):
for child in audit_string.all_children:
filtered_backup_config.append(child.text)
### UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print("FILTERED BACKUP CONFIG: {}".format(filtered_backup_config))
### SYNC_DIFF WILL DIFF OUT THE FILTERED_BACKUP_COFNIG FROM THE RENDERED CONFIG AND STORE WHATEVER COMMANDS THAT
### NEEDS TO BE ADDED/REMOVE IN PUSH_CONFIGS VARIABLE
parse = CiscoConfParse(filtered_backup_config)
push_configs = parse.sync_diff(rendered_config,
"",
ignore_order=True,
remove_lines=True,
debug=False)
if (len(push_configs) == 0):
if (output):
print("{}{} (none)".format(directory, template))
print
else:
### THIS WILL JUST PRINT THE HEADING OF THE TEMPLATE NAME SO YOU KNOW WHAT IS BEING CHANGED UNDER WHICH TEMPLATE
if (output):
print("{}{}".format(directory, template))
for line in push_configs:
search = parse_backup_configs.find_objects(
r"^{}".format(line))
if ('no' in line):
line = re.sub("no", "", line)
if (not remediation):
print("-{}".format(line))
elif (len(search) == 0):
if (not remediation):
print("+ {}".format(line))
elif (len(search) > 1):
if (not remediation):
print("+ {}".format(line))
else:
if (not remediation):
print(" {}".format(line))
###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES
# print("PUSH_CONFIGS: {}".format(push_configs))
if (remediation):
### THIS STEP WILL APPEND REMEDIATION CONFIGS FROM TEMPLATE (EXPECTED RESULTS)
for config in push_configs:
node_configs.append(config)
ntw_device_pop = False
### INITIALIZE.COFIGURATION APPENDS ALL THE REMEDIATED CONFIGS AND PREPARES IT FOR PUSH
if (auditcreeper == False):
initialize.configuration.append(node_configs)
node_index = node_index + 1
if (auditcreeper):
initialize.configuration.append(node_configs)
if (ntw_device_pop == True):
initialize.ntw_device.pop(node_index)
initialize.configuration.pop(node_index)
template_list = get_template(template_list_copy)
# if(remediation):
# print("[+]: PUSH ENABLED")
# print("[!]: PUSH DISABLED")
return None
logging synchronous
transport preferred none
!""".splitlines()
try:
CONFIG_PATH = glob(sys.argv[1])
except IndexError:
raise ValueError("This script must be called with a config path-glob to be audited as the argument")
secret = getpass('Enable Secret: ')
for filename in CONFIG_PATH:
print "--- {0} ---".format(filename)
parse = CiscoConfParse(filename)
# Print out simple diff conditions - i.e. no regexp matching...
print os.linesep.join(parse.sync_diff(RECOMMENDED, '', remove_lines=False))
# Default enable secret config...
default_enab_sec = 'enable secret {0}'.format(secret)
try:
# Build an enable secret string...
enab_sec_regex = r'^enable\s+secret\s+(\d+)\s+\S+'
# Get the encryption level as an int...
enab_sec_level = parse.find_objects(enab_sec_regex,
)[0].re_match_typed(enab_sec_regex, group=1, default=-1,
result_type=int)
if enab_sec_level==0:
print default_enab_sec
except IndexError:
print default_enab_sec
