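def parse_firewall_acl(node_policy, policy):
    """Generate firewall ACL lines for one policy file of a node.

    The policy directory is chosen by get_policy_directory() from the node's
    hardware vendor, operating system and type, the ACL terms are read with
    process_json(), and the first line of the policy file is scanned for the
    single-quoted name of the network-objects file (e.g. 'NETWORKS.net').

    Args:
        node_policy: dict carrying at least 'hardware_vendor', 'opersys'
            and 'type'.
        policy: bare file name of the policy inside the policy directory.

    Returns:
        For a 'cisco' or 'juniper' vendor, the formatted line
        "term source destination protocol destination-port action" of the
        LAST ACL term; otherwise (or when there are no terms) the initial
        empty list.  NOTE(review): the loop overwrites ``config_list`` on
        every iteration instead of appending, so only the last term is
        returned.  Left as-is because callers may depend on the current
        return shape; confirm before switching to a list of lines.

    Raises:
        ValueError: if ``policy`` is empty or not a bare file name.
        IndexError: if the first line of the policy file contains no
            single-quoted path.
    """
    import ast
    import os

    config_list = []
    # Single-quoted network-objects file name on the policy's first line,
    # quotes included.
    PATH_FILTER_RE = r"\'.+\'"

    vendor = node_policy['hardware_vendor']
    opersys = node_policy['opersys']
    dev_type = node_policy['type']

    # ``policy`` is concatenated onto the directory path below; refuse any
    # name that could leave that directory (e.g. '../other').
    if not policy or os.path.basename(policy) != policy:
        raise ValueError("policy must be a bare file name, got {!r}".format(policy))

    directory = get_policy_directory(vendor, opersys, dev_type)
    acl_list = process_json(vendor, opersys, dev_type, policy)

    with open('{}'.format(directory) + policy, 'r') as policy_file:
        parse_include = policy_file.readline()

    # The original used eval() here, which executed whatever the policy file
    # placed between the quotes.  The match is a quoted string literal, so
    # literal_eval yields the same value without running code from the file.
    path = ast.literal_eval(re.findall(PATH_FILTER_RE, parse_include)[0])

    for acl in acl_list:
        term = acl['term']
        source_address = acl['source']
        destination_address = acl['destination']
        protocol = acl['protocol']
        destination_port = acl['destination-port']
        action = acl['action']

        # Return values were never used by the original; the calls are kept
        # in case object_group() has side effects -- TODO confirm and drop
        # them if it is pure.
        object_group(path, source_address)
        object_group(path, destination_address)

        if vendor in ('cisco', 'juniper'):
            line = "{} {} {} {} {} {}".format(term, source_address,
                                              destination_address, protocol,
                                              destination_port, action)
            print(line)
            config_list = line

    return config_list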
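def search_policy(policy_list, match_node, node_policy, node_object, auditcreeper):
    """Match requested hostnames against the node inventory and policy database.

    For every hostname in ``match_node`` found in both ``node_object`` and
    ``node_policy`` (compared on 'hostname'), the list positions of the two
    matching entries are appended to the module-level ``initialize.element``
    and ``initialize.element_policy`` lists; callers read those afterwards.

    Args:
        policy_list: in auditcreeper mode an OUTPUT list that receives one
            list of bare policy file names per matched node; otherwise an
            INPUT list whose first element is the policy file name to check.
        match_node: iterable of hostnames to look up.
        node_policy: list of dicts with 'hostname', 'platform' and 'policy'
            (a list of full policy paths).
        node_object: list of dicts with 'hostname', 'os' and 'type'.
        auditcreeper: when true, collect policy names instead of checking
            a single policy for membership.

    Returns:
        list of "MATCH" / "NO MATCH" strings, one per hostname match.

    Raises:
        IndexError: in non-auditcreeper mode when ``policy_list`` is empty.
    """
    search_result = []
    for node in match_node:
        # enumerate() gives the true position; list.index() returned the
        # first equal entry, which is wrong when the inventory holds
        # duplicate dicts and costs a linear scan per hit.
        for index, node_obj in enumerate(node_object):
            if node != node_obj['hostname']:
                continue
            for policy_index, node_pol in enumerate(node_policy):
                if node != node_pol['hostname']:
                    continue
                # Side effect relied on by callers: record both positions.
                initialize.element.append(index)
                initialize.element_policy.append(policy_index)
                if auditcreeper:
                    # Bare file names of every policy attached to this node.
                    policy_list.append([p.split('/')[-1]
                                        for p in node_pol['policy']])
                    search_result.append("MATCH")
                else:
                    directory = get_policy_directory(node_pol['platform'],
                                                     node_obj['os'],
                                                     node_obj['type'])
                    # Only the first requested policy is ever checked; the
                    # original indexed with a counter that never advanced.
                    policy_path = directory + policy_list[0]
                    if policy_path in node_pol['policy']:
                        search_result.append("MATCH")
                    else:
                        print("[!] [NO ASSOCIATING POLICY {} FOR NODE {}]".format(
                            policy_list[0], node))
                        search_result.append("NO MATCH")
    return search_result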
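def search_policy(policy_list, match_node, node_policy, node_object, auditcreeper):
    """Match requested hostnames against the node inventory and policy database.

    For every name in ``match_node`` found in both ``node_object`` and
    ``node_policy`` (compared on 'name'), the list positions of the two
    matching entries are appended to the module-level ``initialize.element``
    and ``initialize.element_policy`` lists; callers read those afterwards.

    NOTE(review): the previous docstring stated that a node not deemed a
    firewall is refused a policy push.  Nothing in this function inspects
    the device type for that purpose -- 'type' is only passed through to
    get_policy_directory() -- so callers must not rely on this function as
    that gate.

    Args:
        policy_list: in auditcreeper mode an OUTPUT list that receives one
            list of bare policy file names per matched node; otherwise an
            INPUT list whose first element is the policy file name to check.
        match_node: iterable of hostnames to look up.
        node_policy: list of dicts with 'name', 'hardware_vendor' and
            'policy' (a list of full policy paths).
        node_object: list of dicts with 'name', 'opersys' and 'type'.
        auditcreeper: when true, collect policy names instead of checking
            a single policy for membership.

    Returns:
        list of "MATCH" / "NO MATCH" strings, one per hostname match.

    Raises:
        IndexError: in non-auditcreeper mode when ``policy_list`` is empty.
    """
    search_result = []
    for node in match_node:
        # enumerate() gives the true position; list.index() returned the
        # first equal entry, which is wrong when the inventory holds
        # duplicate dicts and costs a linear scan per hit.
        for index, node_obj in enumerate(node_object):
            if node != node_obj['name']:
                continue
            for policy_index, node_pol in enumerate(node_policy):
                if node != node_pol['name']:
                    continue
                # Side effect relied on by callers: record both positions.
                initialize.element.append(index)
                initialize.element_policy.append(policy_index)
                if auditcreeper:
                    # Bare file names of every policy attached to this node.
                    policy_list.append([p.split('/')[-1]
                                        for p in node_pol['policy']])
                    search_result.append("MATCH")
                else:
                    directory = get_policy_directory(
                        node_pol['hardware_vendor'], node_obj['opersys'],
                        node_obj['type'])
                    # Only the first requested policy is ever checked; the
                    # original indexed with a counter that never advanced.
                    policy_path = directory + policy_list[0]
                    if policy_path in node_pol['policy']:
                        search_result.append("MATCH")
                    else:
                        # Dropped the stray ']' the old message ended with.
                        print('+ No associating policy {} for node {}'.format(
                            policy_list[0], node))
                        search_result.append('NO MATCH')
    return search_result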
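def parse_firewall_acl(node_policy, policy):
    """Generate firewall ACL lines for one policy file of a node.

    The policy directory is chosen by get_policy_directory() from the node's
    platform, operating system and type, the ACL terms are read with
    process_json(), and the first line of the policy file is scanned for the
    single-quoted name of the network-objects file (e.g. 'NETWORKS.net').

    Args:
        node_policy: dict carrying at least 'platform', 'opersys' and 'type'.
        policy: bare file name of the policy inside the policy directory.

    Returns:
        For a 'cisco' or 'juniper' platform, the formatted line
        "term source destination protocol destination-port action" of the
        LAST ACL term; otherwise (or when there are no terms) the initial
        empty list.  NOTE(review): the loop overwrites ``config_list`` on
        every iteration instead of appending, so only the last term is
        returned.  Left as-is because callers may depend on the current
        return shape; confirm before switching to a list of lines.

    Raises:
        ValueError: if ``policy`` is empty or not a bare file name.
        IndexError: if the first line of the policy file contains no
            single-quoted path.
    """
    import ast
    import os

    config_list = []
    # Single-quoted network-objects file name on the policy's first line,
    # quotes included.
    PATH_FILTER_RE = r"\'.+\'"

    platform = node_policy['platform']
    opersys = node_policy['opersys']
    dev_type = node_policy['type']

    # ``policy`` is concatenated onto the directory path below; refuse any
    # name that could leave that directory (e.g. '../other').
    if not policy or os.path.basename(policy) != policy:
        raise ValueError("policy must be a bare file name, got {!r}".format(policy))

    directory = get_policy_directory(platform, opersys, dev_type)
    acl_list = process_json(platform, opersys, dev_type, policy)

    # The original opened the file without closing it; the context manager
    # releases the handle as soon as the first line has been read.
    with open("{}".format(directory) + policy, "r") as policy_file:
        parse_include = policy_file.readline()

    # The original used eval() here, which executed whatever the policy file
    # placed between the quotes.  The match is a quoted string literal, so
    # literal_eval yields the same value without running code from the file.
    path = ast.literal_eval(re.findall(PATH_FILTER_RE, parse_include)[0])
    # The "PATH_FILTER" debug print that the original left enabled was
    # removed; re-add locally when debugging.

    for acl in acl_list:
        term = acl['term']
        source_address = acl['source']
        destination_address = acl['destination']
        protocol = acl['protocol']
        destination_port = acl['destination-port']
        action = acl['action']

        # Return values were never used by the original; the calls are kept
        # in case object_group() has side effects -- TODO confirm and drop
        # them if it is pure.
        object_group(path, source_address)
        object_group(path, destination_address)

        if platform in ('cisco', 'juniper'):
            line = "{} {} {} {} {} {}".format(term, source_address,
                                              destination_address, protocol,
                                              destination_port, action)
            print(line)
            config_list = line

    return config_list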