def search_template(template_list, match_node, node_template, node_object, auditcreeper): """ This function will take the search results from the list of nodes and run it against node_object to determine the hardware vendor and type and compare with the node_template database to match. Once matched, it will check to verify an existing template is available. """ search_result = [] index = 0 element = 0 for node in match_node: for node_obj in node_object: if node == node_obj['name']: """ index variable gets the position in the list and appends it to the global variable 'element'. """ index = node_object.index(node_obj) initialize.element.append(index) """ This section will pull out all the templates belonging to the specific hardware vendor, operating system and type from the template database. """ for node_temp in node_template: if node_obj['hardware_vendor'] == node_temp[ 'hardware_vendor'] and node_obj[ 'opersys'] == node_temp['opersys'] and node_obj[ 'type'] == node_temp['type']: if auditcreeper: template_node_list = [] for template_dir_name in node_temp['templates']: template_name = template_dir_name.split( '/')[-1] template_node_list.append(template_name) template_list.append(template_node_list) else: directory = get_template_directory( node_obj['hardware_vendor'], node_obj['opersys'], node_obj['type']) file = directory + template_list[element] template_index = 0 for template_path in node_temp['templates']: node_temp['templates'][ template_index] = template_path.replace( '~', '{}'.format(get_home_directory())) template_index = template_index + 1 if file in node_temp['templates']: search_result.append("MATCH") else: print('+ No associating template {}'.format( template_list[element]) + ' for node {}'.format(node)) search_result.append("NO MATCH") else: continue else: continue return search_result
def search_template(template_list, match_node, node_template, node_object, auditcreeper): search_result = [] index = 0 element = 0 for node in match_node: for node_obj in node_object: if (node in node_obj['hostname']): ### INDEX GETS THE POSITION IN THE LIST AND APPENDS IT TO THE GLOBAL VARIABLE ELEMENT index = node_object.index(node_obj) initialize.element.append(index) ### THIS SECTION WILL PULL OUT ALL THE TEMPLATES BELONGING TO THE SPECIFIC PLATFORM, OS AND TYPE OF DEVICE FROM THE TEMPLATE DATABASE for node_temp in node_template: if (node_obj['platform'] == node_temp['platform'] and node_obj['os'] == node_temp['os'] and node_obj['type'] == node_temp['type']): # print("NODE_TEMP: {}".format(node_temp['templates'])) if (auditcreeper): template_node_list = [] # print("THIS IS NODE_TEMP['TEMPLATE'] for NODE {}".format(node) + ": {}".format(node_temp['templates'],)) for template_dir_name in node_temp['templates']: template_name = template_dir_name.split( '/')[-1] template_node_list.append(template_name) template_list.append(template_node_list) # print("THIS IS THE TEMPLATE_NODE_LIST FOR HOST {} : {}".format(node,template_node_list)) # print("THIS IS THE TEMPLATE_LIST IN SEARCH.PY : {}".format(template_list)) else: ### THIS CALLS THE DIRECTORY MODULE WHICH WILL RETURN THE CORRECT DIRECTORY PATH BASED ON DEVICE PLATFORM, OS AND TYPE directory = get_template_directory( node_obj['platform'], node_obj['os'], node_obj['type']) file = directory + template_list[element] if (file in node_temp['templates']): search_result.append("MATCH") else: print("[!] [NO ASSOCIATING TEMPLATE {}".format( template_list[element]) + " FOR NODE {}]".format(node)) search_result.append("NO MATCH") else: continue else: continue # print("TEMPLATE_LIST IN SEARCH.PY: {}".format(template_list)) return search_result
def render(template_list, node_object, auditcreeper, output, with_remediation): ### TEMPLATE_LIST_COPY TAKE A COPY OF THE CURRENT TEMPLATE_LIST template_list_copy = template_list if (auditcreeper): template_list = template_list_copy[0] # print("[!] [THE FOLLOWING TEMPLATE(S) IS/ARE RENDERED:]") for index in initialize.element: print("{}".format(node_object[index]['hostname'])) for template in template_list: ### THIS CALLS THE DIRECTORY MODULE WHICH WILL RETURN THE CORRECT DIRECTORY PATH BASED ON DEVICE PLATFORM, OS AND TYPE directory = get_template_directory(node_object[index]['platform'], node_object[index]['opersys'], node_object[index]['type']) env = Environment(loader=FileSystemLoader("{}".format(directory)), lstrip_blocks=True, trim_blocks=True) baseline = env.get_template(template) f = open( "/rendered-configs/{}.{}".format( node_object[index]['hostname'], template.strip('jinja2')) + "conf", "w") config_list = [] config = baseline.render(nodes=node_object[index], with_remediation=with_remediation) f.write(config) f.close print("{}{}".format(directory, template)) if (output): print("{}".format(config)) f = open( "/rendered-configs/{}.{}".format( node_object[index]['hostname'], template.strip('jinja2')) + "conf", "r") init_config = f.readlines() ### THE BELOW PARSE_COMMANDS FUNCTION WILL ONLY GET EXECUTED IF NEEDS TO STORE COMMANDS IN THE GLOBAL VARILABLE INITIALIZE.CONFIGURATION FOR PUSH ### PUSH_CFGS(OUTPUT = TRUE) VS RENDER_CONFIG(OUTPUT = FALSE) FUNCTIONS. if (output != True): parse_commands(node_object[index], init_config) if (auditcreeper): template_list = get_updated_list(template_list_copy) print return None
def render(template_list, node_object, auditcreeper, output, with_remediation): global with_remediate with_remediate = with_remediation template_list_copy = template_list if auditcreeper: template_list = template_list_copy[0] for index in initialize.element: get_hardware_vendor_template_directory = get_template_directory( node_object[index]['hardware_vendor'], node_object[index]['opersys'], node_object[index]['type']) print("{}".format(node_object[index]['name'])) for template in template_list: config = process_jinja2_template(node_object, index, template, with_remediation) print("{}{}".format(get_hardware_vendor_template_directory, template)) if (output): print("{}".format(config)) with open( '{}/rendered-configs/{}.{}'.format( get_home_directory(), node_object[index]['name'], template.replace('jinja2', '')) + 'conf', 'r') as file: init_config = f.readlines() """ The below parse_commands() function will only get executed if it needs to store commands in the global variable initialize.configuration for push. push_cfgs(output = True) vs render_config(output = False) functions. """ if output != True: parse_commands(node_object[index], init_config, set_notation=False) print() if auditcreeper: template_list = get_updated_list(template_list_copy) return None
def process_jinja2_template(node_object, index, template, with_remediation): hardware_vendor_template_directory = get_template_directory( node_object[index]['hardware_vendor'], node_object[index]['opersys'], node_object[index]['type']) standards_directory = get_standards_directory( node_object[index]['name'], node_object[index]['hardware_vendor'], node_object[index]['type']) env = Environment(loader=FileSystemLoader( [hardware_vendor_template_directory, standards_directory]), lstrip_blocks=True, trim_blocks=True) baseline = env.get_template(template) os.makedirs('{}/rendered-configs/'.format(get_home_directory()), exist_ok=True) with open( '{}/rendered-configs/{}.{}'.format( get_home_directory(), node_object[index]['name'], template.replace('jinja2', '')) + 'conf', 'w') as file: config = baseline.render(node=node_object[index], with_remediation=with_remediation) file.write(config) file.close return config
def cisco_audit_diff(node_object, index, template, AUDIT_FILTER_RE, output, remediation): ### INDEX_LIST IS A LIST OF ALL THE POSITIONS COLLECTED FROM INDEX_POSITION VARIABLE index_list = [] ### FILTER_CONFIG IS A LIST OF COLLECTION OF ALL THE AUDIT FILTERS THAT MATCHED THE LINES IN BACKUP_CONFIG. THESE ENTRIES DO NOT CONTAIN DEPTHS/DEEP CONFIGS filtered_config = [] ### FILTERED_BACKUP_CONFIG IS THE FINAL LIST OF ALL THE AUDIT FILTERS THAT MATCHES THE LINES IN BACKUP_CONFIG. THESE ENTRIES INCLUDE DEPTHS/DEEP CONFIGS filtered_backup_config = [] ### THIS SECTION OF CODE WILL OPEN THE RENDERED-CONFIG *.CONF FILE AND STORE IN RENDERED_CONFIG AS A LIST f = open( "/rendered-configs/{}.{}".format(node_object[index]['hostname'], template.split('.')[0]) + ".conf", "r") init_config = f.readlines() # print"INIT_CONFIG: {}".format(init_config) ### RENDERED_CONFIG IS A LIST OF ALL THE CONFIGS THAT WAS RENDERED FROM THE TEMPLATES (SOURCE OF TRUTH) rendered_config = [] for config_line in init_config: strip_config = config_line.strip('\n') ### THIS WILL REMOVE ANY LINES THAT ARE EMPTY OR HAS A '!' MARK if (strip_config == '' or strip_config == "!"): continue else: rendered_config.append(strip_config) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print ("RENDERED CONFIG: {}".format(rendered_config)) ### THIS SECTION OF CODE WILL OPEN BACKUP-CONFIG *.CONF FILE AND STORE IN BACKUP_CONFIG AS A LIST f = open( "/backup-configs/{}".format(node_object[index]['hostname']) + ".conf", "r") init_config = f.readlines() backup_config = [] for config_line in init_config: strip_config = config_line.strip('\n') backup_config.append(strip_config) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print ("BACKUP CONFIG: {}".format(backup_config)) ### THIS WILL OPEN THE JINJA2 TEMPLATE AND PARSE OUT THE AUDIT_FILTER SECTION VIA REGULAR EXPRESSION directory = get_template_directory(node_object[index]['platform'], node_object[index]['opersys'], node_object[index]['type']) f = open("{}".format(directory) + template, "r") parse_audit = f.readline() audit_filter = eval(re.findall(AUDIT_FILTER_RE, parse_audit)[0]) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print ("AUDIT_FILTER: {}".format(audit_filter)) ### FILTER OUT THE BACKUP_CONFIGS WITH THE AUDIT_FILTER ### THIS WILL TAKE EACH ELEMENT FROM THE AUDIT_FILTER LIST AND SEARCH FOR THE MATCHED LINES IN BACKUP_CONFIG ### PARSING THE BACKUP CONFIGS parse_backup_configs = CiscoConfParse( "/backup-configs/{}".format(node_object[index]['hostname']) + ".conf", syntax=get_syntax(node_object, index)) # print "SYNTAX: {}".format(get_syntax(node_object,index)) ### MATCHED ENTRIES ARE THEN APPENDED TO FILTER_BACKUP_CONFIG VARIABLE AS A LIST ### FUNCTION CALL TO PARSE_AUDIT_FILTER() TO FIND ALL THE PARENT/CHILD filtered_backup_config = parse_audit_filter(node_object, index, parse_backup_configs, audit_filter) ### UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print("FILTERED BACKUP CONFIG: {}".format(filtered_backup_config)) ### SYNC_DIFF WILL DIFF OUT THE FILTERED_BACKUP_COFNIG FROM THE RENDERED CONFIG AND STORE WHATEVER COMMANDS THAT ### COMMANDS THAT NEED TO BE ADDED/REMOVE IN PUSH_CONFIGS VARIABLE parse = CiscoConfParse(filtered_backup_config) push_configs = parse.sync_diff(rendered_config, "", ignore_order=True, remove_lines=True, debug=False) if (len(push_configs) == 0): if (output): print("{}{} (none)".format(directory, template)) print('') else: ### THIS WILL JUST PRINT THE HEADING OF THE TEMPLATE NAME SO YOU KNOW WHAT IS BEING CHANGED UNDER WHICH TEMPLATE if (output): print("{}{}".format(directory, template)) for line in push_configs: search = parse_backup_configs.find_objects(r"^{}".format(line)) if ('no' in line): line = re.sub("no", "", line) if (not remediation): print("-{}".format(line)) elif (len(search) == 0): if (not remediation): print("+ {}".format(line)) elif (len(search) > 1): if (not remediation): print("+ {}".format(line)) else: if (not remediation): print(" {}".format(line)) print("") ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print("PUSH_CONFIGS: {}".format(push_configs)) if (remediation): ### THIS STEP WILL APPEND REMEDIATION CONFIGS FROM TEMPLATE (EXPECTED RESULTS) for config in push_configs: node_configs.append(config) ntw_device_pop = False ### INITIALIZE.COFIGURATION APPENDS ALL THE REMEDIATED CONFIGS AND PREPARES IT FOR PUSH if (auditcreeper == False): initialize.configuration.append(node_configs) node_index = node_index + 1
def auditdiff_engine(template_list, node_object, auditcreeper, output, remediation): redirect = [] command = [] ### RENDERED_CONFIG IS TO ACCOMODATE JUNIPER PLATFORM BY APPENDING A 'LOAD REPLACE TERMINAL' TO GET THE DIFF OUTPUT rendered_config = [] rendered_config.append('load replace terminal') edit_list = [] no_diff = 0 ### PUSH_CONFIGS IS A LIST OF THE FINAL CONFIGS TO BE PUSHED # push_configs = [] ### INDEX_POSITION IS THE INDEX OF ALL THE MATCHED FILTER_CONFIG AGAINST THE BACKUP_CONFIGS. THE INDEX IS COMING FROM THE BACKUP_CONFIG index_position = 0 ### NODE_INDEX KEEPS TRACK OF THE INDEX IN INITIALIZE.NTW_DEVICE. IF REMEDIATION IS NOT REQUIRED (CONFIGS MATCHES TEMPLATE), THEN THE NODE IS POPPED OFF ### INITIALIZE.NTW_DEVICE AND NOTHING IS CHANGED ON THAT DEVICE node_index = 0 ### AUDIT_FILTER_RE IS THE REGULAR EXPRESSION TO FILTER OUT THE AUDIT FILTER IN EVERY TEMPLATE AUDIT_FILTER_RE = r"\[.*\]" ### TEMPLATE_LIST_COPY TAKE A COPY OF THE CURRENT TEMPLATE_LIST template_list_original = template_list[:] template_list_copy = template_list if (auditcreeper): template_list = template_list_copy[0] # print "TEMPLATE_LIST: {}".format(template_list) ### THIS SECTION OF CODE WILL GATHER ALL RENDERED CONFIGS FIRST AS IT'S REQUIRED FOR ALL PLATFORMS (CISCO & JUNIPER) ### JUNIPER DOES NOT REQUIRE BACKUP-CONFIGS IN ORDER TO BE DIFFED SO INSTEAD IT WILL JUST PUSH (PUSH_CFGS) THE TEMPLATE AND PERFORM THE DIFF ON THE DEVICE ITSELF. ### CISCO WILL REQUIRE BACKUP-CONFIGS (GET_CONFIG) for index in initialize.element: if (node_object[index]['platform'] == 'juniper'): ### THIS WILL RETURN A SORTED JUNIPER TEMPLATE LIST BASED ON JUNIPER'S 'SHOW CONFIGURATION' OUTPUT template_list = get_sorted_juniper_template_list(template_list) # print("TEMPLATE_LIST FIRST PHASE: {}".format(template_list)) for template in template_list: ### THIS SECTION OF CODE WILL PROCESS THE TEMPLATE AND OUTPUT TO A *.CONF FILE directory = get_template_directory(node_object[index]['platform'], node_object[index]['opersys'], node_object[index]['type']) env = Environment(loader=FileSystemLoader("{}".format(directory))) baseline = env.get_template(template) f = open( "/rendered-configs/{}.{}".format( node_object[index]['hostname'], template.split('.')[0]) + ".conf", "w") ### GENERATING TEMPLATE BASED ON NODE OBJECT config = baseline.render(nodes=node_object[index]) f.write(config) f.close if (node_object[index]['platform'] == 'cisco'): ### THIS SECTION OF CODE WILL OPEN THE RENDERED-CONFIG *.CONF FILE AND STORE IN RENDERED_CONFIG AS A LIST f = open( "/rendered-configs/{}.{}".format( node_object[index]['hostname'], template.split('.')[0]) + ".conf", "r") init_config = f.readlines() ### RENDERED_CONFIG IS A LIST OF ALL THE CONFIGS THAT WAS RENDERED FROM THE TEMPLATES (SOURCE OF TRUTH) if (node_object[index]['platform'] == 'juniper'): ### THIS SECTION OF CODE WILL OPEN THE RENDERED-CONFIG *.CONF FILE AND STORE IN RENDERED_CONFIG AS A LIST f = open( "/rendered-configs/{}.{}".format( node_object[index]['hostname'], template.split('.')[0]) + ".conf", "r") init_config = f.readlines() ### RENDERED_CONFIG IS A LIST OF ALL THE CONFIGS THAT WAS RENDERED FROM THE TEMPLATES (SOURCE OF TRUTH) for config_line in init_config: strip_config = config_line.strip('\n') ### THIS WILL REMOVE ANY LINES THAT ARE EMPTY OR HAS A '!' MARK if (strip_config == '' or strip_config == "!"): continue else: rendered_config.append(strip_config) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print ("RENDERED CONFIG: {}".format(rendered_config)) template_list = get_updated_list(template_list_copy) if (node_object[index]['platform'] == 'cisco'): redirect.append('get_config') command.append(['']) ### JUNIPER DEVICES WILL RECEIVE A DIFFERENT REDIRECT THAN CISCO PLATFORM ### THREE ADDITIONAL COMMANDS ARE APPENEDED AT THE END, ^D, SHOW | COMPARE AND ROLLBACK 0 ### ALL TEMPLATES MATCHING ARE EXECUTED AT ONCE PER DEVICE elif (node_object[index]['platform'] == 'juniper'): redirect.append('get_diff') rendered_config.append('\x04') rendered_config.append('show | compare') rendered_config.append('rollback 0') command.append(rendered_config) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print"REDIRECT: {}".format(redirect) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print"COMMAND: {}".format(command) # print("[+] [COMPUTING DIFF. STANDBY...]") multithread_engine(initialize.ntw_device, redirect, command) ### RESETING TEMPLATE_LIST TO ORIGINAL LIST ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print("ORIGINAL_LIST: {}".format(template_list_original)) template_list = template_list_original ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print("TEMPLATE_LIST: {}".format(template_list)) ### REINITIALIZING TEMPLATE_LIST TO THE ORIGINAL LIST OF TEMPLATES if (auditcreeper): template_list = template_list_original[0] ### THIS FOR LOOP WILL LOOP THROUGH ALL THE MATCHED ELEMENTS FROM THE USER SEARCH AND AUDIT ON SPECIFIC TEMPLATE OR IF NO ARGUMENT IS GIVEN, ALL TEMPLATES for index in initialize.element: ### NODE_CONFIG IS THE FINALIZED CONFIG TO PUSH TO THE NODE FOR REMEDIATION node_configs = [] ntw_device_pop = True ### TEMPLATE_NAME IS SET TO TRUE IN ORDER TO PRINT OUT THE TEMPLATE HEADING WHEN RECURSING template_name = True if (not remediation): print("Only in the device: -") print("Only in the generated config: +") print("{}".format(node_object[index]['hostname'])) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES template_list_juniper = template_list[:] if (node_object[index]['platform'] == 'juniper'): ### THIS WILL RETURN A SORTED JUNIPER TEMPLATE LIST BASED ON JUNIPER'S 'SHOW CONFIGURATION' OUTPUT template_list = get_sorted_juniper_template_list(template_list) ### THIS WILL LOOP THROUGH ALL THE TEMPLATES SPECIFIED FOR THE PARTICULAR HOST IN NODES.YAML for template in template_list: ### THIS SECTION IS FOR CISCO SYSTEMS PLATFORM ### if (node_object[index]['platform'] == 'cisco'): cisco_audit_diff(node_object, index, template, AUDIT_FILTER_RE, output, remediation) ### THIS SECTION IS FOR JUNIPER NETWORKS PLATFORM ### if (node_object[index]['platform'] == 'juniper'): directory = get_template_directory( node_object[index]['platform'], node_object[index]['opersys'], node_object[index]['type']) ### THIS SECTION OF CODE WILL OPEN DIFF-CONFIG *.CONF FILE AND STORE IN DIFF_CONFIG AS A LIST f = open( "/diff-configs/{}".format(node_object[index]['hostname']) + ".conf", "r") init_config = f.readlines() ### DIFF_CONFIG ARE THE DIFFERENTIAL CONFIGS GENERATED BY THE /DIFF-CONFIGS/*.CONF FILE diff_config = [] for config_line in init_config: strip_config = config_line.strip('\n') diff_config.append(strip_config) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print ("DIFF CONFIG: {}".format(diff_config)) RE = re.compile(r'\[edit\s({})'.format(template.split('.')[0])) search = list(filter(RE.match, diff_config)) if (len(search) == 0): print("{}{} (none)".format(directory, template)) print('') no_diff = no_diff + 1 if (no_diff == len(template_list)): break if (len(template_list) > 1): juniper_audit_diff(directory, template, template_list, diff_config, edit_list, search) else: continue else: ### THIS FIRST SECTION WILL FIND ALL THE INDEXES WITH THE '[edit <TEMPLATE>]' AND APPEND IT TO THE EDIT_LIST ### EDIT_LIST MAINTAINS A LIST OF ALL THE INDEXES THAT PERTAIN TO THE TEMPLATES for line in diff_config: if (re.search( '\[edit\s{}'.format(template.split('.')[0]), line)): element = diff_config.index(line) edit_list.append(element) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print('ELEMENT: {}'.format(element)) # print("{}".format(line)) ###UN-COMMENT THE BELOW PRINT STATEMENT FOR DEBUGING PURPOSES # print('EDIT_LIST 1st: {}'.format(edit_list)) # print("index_of_template_list: {}".format(index_of_template_list)) # print("length_template_list: {}".format(length_template_list)) juniper_audit_diff(directory, template, template_list, diff_config, edit_list, search) # print("end_of_template_list: {}".format(end_of_template_list)) ### UPON THE LAST TEMPLATE, IT WILL THEN FIND THE CLOSING CURLY BRACES INDEX NUMBER TO APPEND TO THE EDIT_LIST if (auditcreeper): initialize.configuration.append(node_configs) if (ntw_device_pop == True): initialize.ntw_device.pop(node_index) initialize.configuration.pop(node_index) template_list = get_updated_list(template_list_original) # if(remediation): # print("[+]: PUSH ENABLED") # print("[!]: PUSH DISABLED") return None
def generic_audit_diff(node_object, index, template, template_list, AUDIT_FILTER_RE, output, with_remediation): for template in template_list: filtered_backup_config = [] rendered_config = [] backup_config = [] commands = [] """ :param filtered_backup_config: Audit filters that matches the lines in backup_config. Entries include depths/deep configs. :type filtered_backup_config: list :param rendered_config: Rendered configs from the templates. :type rendered_config: list :param backup_config: Backup configs from the 'show run', 'list ltm' etc... :type backup_config: list :param commands: ... Configurations generated from the diff'ed output. :type commands: list """ f = open( "{}/rendered-configs/{}.{}".format( home_directory, node_object[index]['name'], template.split('.')[0]) + ".conf", "r") init_config = f.readlines() for config_line in init_config: strip_config = config_line.strip('\n') if (strip_config == '' or strip_config == "!"): continue else: rendered_config.append(strip_config) f = open( "{}/backup-configs/{}".format( home_directory, node_object[index]['name']) + ".conf", "r") init_config = f.readlines() for config_line in init_config: strip_config = config_line.strip('\n') backup_config.append(strip_config) directory = get_template_directory( node_object[index]['hardware_vendor'], node_object[index]['opersys'], node_object[index]['type']) f = open("{}".format(directory) + template, "r") parse_audit = f.readline() """ This will take each element from the audit_filter list and search for the matched lines in backup_config. """ audit_filter = eval(re.findall(AUDIT_FILTER_RE, parse_audit)[0]) parse_backup_configs = CiscoConfParse("{}/backup-configs/{}".format( home_directory, node_object[index]['name']) + ".conf", syntax=get_syntax( node_object, index)) """ Matched entries are then appended to the filter_backup_config variable. parse_audit_filter() call will find all parent/child. """ filtered_backup_config = parse_audit_filter(node_object, index, parse_backup_configs, audit_filter) """ sync_diff() will diff out the filtered_backup_config from the rendered_configs and store whatever commands that has deltas. """ parse = CiscoConfParse(filtered_backup_config) push_configs = parse.sync_diff(rendered_config, "", ignore_order=True, remove_lines=True, debug=False) """ If there are no diffs and only and audit diff is executed, (none) will be printed to show users the result. However, if there are no diffs but a push cfgs if executed resulting in output set as false, an empty list is appended. """ if (len(push_configs) == 0): if output: print("{}{} (none)".format(directory, template)) print('') else: initialize.configuration.append([]) print('There are no diffs to be pushed for template {} on {}'. format(template, node_object[index]['name'])) if len(initialize.element) == 0: break else: """ If an audit diff is executed, the diff is outputed to user. If a push cfgs is executed against Cisco like platforms, the commands from the diff are executed with the negation (no). This is to maintain the sequence of the the commands in order to match the jinja2 templates. What you see on the template is what the users want exactly as the running-configurations. The with_remediation flag is no longer required on the template itself as it may cause disruptions to services. For example, blowing out an entire logging configs (no logging) and readding all the logging host back on. """ if output: print("{}{}".format(directory, template)) for line in push_configs: search = parse_backup_configs.find_objects( r"^{}".format(line)) if re.search(r'^no', line) or re.search(r'\sno', line): line = re.sub("no", "", line) print("-{}".format(line)) elif (len(search) == 0): print("+ {}".format(line)) elif (len(search) > 1): print("+ {}".format(line)) else: print(" {}".format(line)) else: for line in push_configs: commands.append(line) initialize.configuration.append(commands) print("") # if(with_remediation): # for config in push_configs: # node_configs.append(config) # ntw_device_pop = False # if(auditcreeper == False): # initialize.configuration.append(node_configs) # node_index = node_index + 1 return None
def mediator(template_list,node_object,auditcreeper,output,with_remediation): redirect = [] command = [] template_counter = 0 node_index = 0 AUDIT_FILTER_RE = r'\[.*\]' template_list_original = template_list[:] template_list_copy = template_list authentication = True """ :param redirect: A list of which method superloop will access. This variable is sent to the multithread_engine. Each element is a redirect per node. :type alt_key_file: list :param command: A list within a list where each element represents per node of commands to execute. :type command: list :param template_counter: Used to keep track of the number of templates it cycles through for Juniper. :type template_counter: int :param node_index: Keeps track of the index in initialize.ntw_device. If remediation is not required (configs matches template), then the node is popped of initialize.ntw_device and nothing is changed on that device. :type node_index: int :param AUDIT_FILTER_RE: Regular expression to filter out the audit filter in every template. :type AUDIT_FILTER_RE: str :param template_list_original: Take a duplicate copy of template_list :type template_list_original: list :param template_list_copy: Memory reference to template_list :type template_list_copy: list """ """ The mediator is broken up into two sections. The first section of code will gather all rendered configs first as it's required for all hardware vendors (Cisco, Juniper & F5). Juniper does not require backup-configs in order to be diff'ed. The diff is server (node) side processed and the results are returned back to superloop. Cisco hardware_vendors will require backup-configs (get_config) where the diffs are processed locally. """ if auditcreeper: template_list = template_list_copy[0] for index in initialize.element: rendered_config = [] if node_object[index]['hardware_vendor'] == 'juniper': """ Juniper's diff output are always in a certain stanza order. The template_list ordered processed may very well not be in the same order as Juniper's. In order to keep it consistent, we must call the function get_sorted_juniper_template() and it will return a sorted Juniper's stanza list. """ template_list = get_sorted_juniper_template_list(template_list) rendered_config.append('load replace terminal') for template in template_list: process_jinja2_template(node_object,index,template,with_remediation) """ Compiling the rendered configs from template and preparing for pushing to node. """ if node_object[index]['hardware_vendor'] == 'juniper': template_counter = template_counter + 1 with open('{}/rendered-configs/{}.{}'.format(get_home_directory(),node_object[index]['name'],template.split('.')[0]) + '.conf','r') as file: init_config = file.readlines() for config_line in init_config: strip_config = config_line.strip('\n') if(strip_config == '' or strip_config == "!"): continue else: rendered_config.append(strip_config) """ This below statement will check to see if it's the last template for the node. It will then append 3 commands to the list. """ if template_counter == len(template_list): rendered_config.append('\x04') rendered_config.append('show | compare') rendered_config.append('rollback 0') """ Uncomment the below print statement for debugging purposes """ #print("RENDERED CONFIG: {}".format(rendered_config)) """ The below statement will only execute if user is auditing against multiple templates. If only one template is being audited, do no pop off element. """ if len(template_list) != 1: template_list = get_updated_list(template_list_copy) if node_object[index]['hardware_vendor'] == 'cisco' or node_object[index]['hardware_vendor'] == 'f5': redirect.append('get_config') command.append(['']) """ Juniper devices will receive a different redirect than Cisco. Three additional commands are appeneded at the end, ^d, show | compare and rollback 0. All templates matching are executed at once per device """ elif node_object[index]['hardware_vendor'] == 'juniper': redirect.append('get_diff') command.append(rendered_config) template_counter = 0 """ Uncomment the below print statement for debugging purposes """ #print('REDIRECT: {}'.format(redirect)) #print('TEMPLATE_LIST: {}'.format(template_list)) #print('COMMAND: {}'.format(command)) multithread_engine(initialize.ntw_device,redirect,command,authentication) template_list = template_list_original if(auditcreeper): template_list = template_list_original[0] for index in initialize.element: edit_list = [] node_configs = [] diff_config = [] ntw_device_pop = True """ :param edit_list: Anchor points for Juniper audits based on the edit stanza. :type edit_list: list :param node_configs: Finalized configs used to push to device :type node_configs: list :param diff_config: Differential configs generated by the ~/diff-configs/*.conf file :type diff_config: list :param ntw_device_pop: Pop off each node once audit is complete. :type ntw_device_pop: bool """ if not with_remediation: print("Only in the device: -") print("Only in the generated config: +") print ("{}".format(node_object[index]['name'])) if node_object[index]['hardware_vendor'] == 'cisco' or node_object[index]['hardware_vendor'] == 'f5': generic_audit_diff(node_object,index,template,template_list,AUDIT_FILTER_RE,output,with_remediation) elif node_object[index]['hardware_vendor'] == 'juniper': template_list = get_sorted_juniper_template_list(template_list) directory = get_template_directory(node_object[index]['hardware_vendor'],node_object[index]['opersys'],node_object[index]['type']) with open('{}/diff-configs/{}'.format(get_home_directory(),node_object[index]['name']) + '.conf','r') as file: init_config = file.readlines() for config_line in init_config: strip_config = config_line.strip('\n') diff_config.append(strip_config) for output in diff_config: if 'errors' in output: error = True break else: error = False if error: print('+ Please check error(s) in template(s)') break else: juniper_mediator(node_object,template_list,diff_config,edit_list,index) juniper_audit_diff(directory,template_list,diff_config,edit_list) if auditcreeper: initialize.configuration.append(node_configs) if ntw_device_pop == True: initialize.ntw_device.pop(node_index) initialize.configuration.pop(node_index) template_list = get_updated_list(template_list_original) return None