示例#1
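def parse_firewall_acl(node_policy, policy):
    """Generate firewall ACL lines for a node from a JSON policy file.

    The first line of the policy file is expected to carry the name of the
    network-objects file inside single quotes (for example ``'NETWORKS.net'``);
    it is extracted with ``PATH_FILTER_RE`` and handed to ``object_group``.

    :param node_policy: record with at least ``hardware_vendor``, ``opersys``
        and ``type`` keys, used to locate the policy directory.
    :type node_policy: dict
    :param policy: policy file name, appended to the resolved directory.
    :type policy: str
    :return: one ``"term source destination protocol destination-port action"``
        line per ACL when the vendor is ``cisco`` or ``juniper``; an empty
        list otherwise.
    :rtype: list[str]
    :raises ValueError: if the first line of the policy file contains no
        single-quoted network-objects file name.
    """
    import ast

    PATH_FILTER_RE = r"\'.+\'"
    config_list = []
    directory = get_policy_directory(node_policy['hardware_vendor'],
                                     node_policy['opersys'],
                                     node_policy['type'])
    acl_list = process_json(node_policy['hardware_vendor'],
                            node_policy['opersys'], node_policy['type'],
                            policy)
    # Only the first line is needed: it names the network-objects file.
    with open('{}'.format(directory) + policy, 'r') as policy_file:
        parse_include = policy_file.readline()
    quoted = re.findall(PATH_FILTER_RE, parse_include)
    if not quoted:
        raise ValueError(
            "no quoted network-objects path on first line of {}".format(policy))
    # literal_eval accepts only Python literals, so the policy file can no
    # longer execute arbitrary code the way the previous eval() call allowed.
    path = ast.literal_eval(quoted[0])
    for acl in acl_list:
        term = acl['term']
        source_address = acl['source']
        destination_address = acl['destination']
        protocol = acl['protocol']
        destination_port = acl['destination-port']
        action = acl['action']
        # Resolved for both ends but not yet emitted in the generated line;
        # the calls are kept in case object_group has side effects — confirm.
        source_object_group = object_group(path, source_address)
        destination_object_group = object_group(path, destination_address)
        if node_policy['hardware_vendor'] in ('cisco', 'juniper'):
            line = "{} {} {} {} {} {}".format(term, source_address,
                                              destination_address, protocol,
                                              destination_port, action)
            print(line)
            # Append instead of overwriting so every ACL is returned, not
            # just the last one.
            config_list.append(line)
    return config_list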
示例#2
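def search_policy(policy_list, match_node, node_policy, node_object,
                  auditcreeper):
    """Match each selected hostname against the device and policy databases.

    For every hostname in *match_node* found in both *node_object* and
    *node_policy*, the positions of the matching records are appended to the
    shared ``initialize.element`` and ``initialize.element_policy`` lists.
    With *auditcreeper* true, the base names of the node's policy files are
    appended to *policy_list* (mutated in place) and the node is reported as
    ``"MATCH"``. Otherwise ``policy_list[0]`` is resolved against the node's
    policy directory and reported as ``"MATCH"`` or ``"NO MATCH"``.

    :param policy_list: policy file names; read by index in the normal
        branch, appended to in the auditcreeper branch.
    :type policy_list: list
    :param match_node: hostnames to look up.
    :type match_node: list[str]
    :param node_policy: policy records with ``hostname``, ``platform`` and
        ``policy`` keys.
    :type node_policy: list[dict]
    :param node_object: device records with ``hostname``, ``os`` and
        ``type`` keys.
    :type node_object: list[dict]
    :param auditcreeper: selects the audit mode that only collects names.
    :type auditcreeper: bool
    :return: one ``"MATCH"`` / ``"NO MATCH"`` entry per matched hostname and
        policy record.
    :rtype: list[str]
    """
    search_result = []
    # NOTE(review): this index never advances, so only policy_list[0] is
    # consulted; preserved from the original — confirm whether intended.
    element = 0
    for node in match_node:
        # enumerate gives the true position; list.index() rescanned the list
        # and would return the first equal record rather than this one.
        for index, node_obj in enumerate(node_object):
            if node != node_obj['hostname']:
                continue
            ### THIS SECTION WILL PULL OUT ALL THE TEMPLATES BELONGING TO THE SPECIFIC PLATFORM, OS AND TYPE OF DEVICE FROM THE TEMPLATE DATABASE
            for policy_index, node_pol in enumerate(node_policy):
                if node != node_pol['hostname']:
                    continue
                # Record positions in the shared lists so later stages can
                # locate the matching device and policy records.
                initialize.element.append(index)
                initialize.element_policy.append(policy_index)
                if auditcreeper:
                    policy_node_list = [
                        policy_dir_name.split('/')[-1]
                        for policy_dir_name in node_pol['policy']
                    ]
                    policy_list.append(policy_node_list)
                    search_result.append("MATCH")
                else:
                    ### THIS CALLS THE DIRECTORY MODULE WHICH WILL RETURN THE CORRECT DIRECTORY PATH BASED ON DEVICE PLATFORM, OS AND TYPE
                    directory = get_policy_directory(
                        node_pol['platform'], node_obj['os'],
                        node_obj['type'])
                    policy_path = directory + policy_list[element]
                    if policy_path in node_pol['policy']:
                        search_result.append("MATCH")
                    else:
                        print("[!] [NO ASSOCIATING POLICY {}".format(
                            policy_list[element]) +
                              " FOR NODE {}]".format(node))
                        search_result.append("NO MATCH")
    return search_result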
示例#3
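def search_policy(policy_list, match_node, node_policy, node_object,
                  auditcreeper):
    """Match each selected node name against the device and policy databases.

    For every name in *match_node* found in both *node_object* and
    *node_policy*, the positions of the matching records are appended to the
    shared ``initialize.element`` and ``initialize.element_policy`` lists.
    With *auditcreeper* true, the base names of the node's policy files are
    appended to *policy_list* (mutated in place) and the node is reported as
    ``"MATCH"``. Otherwise ``policy_list[0]`` is resolved against the node's
    policy directory and reported as ``"MATCH"`` or ``"NO MATCH"``.

    :param policy_list: policy file names; read by index in the normal
        branch, appended to in the auditcreeper branch.
    :type policy_list: list
    :param match_node: node names to look up.
    :type match_node: list[str]
    :param node_policy: policy records with ``name``, ``hardware_vendor``
        and ``policy`` keys.
    :type node_policy: list[dict]
    :param node_object: device records with ``name``, ``opersys`` and
        ``type`` keys.
    :type node_object: list[dict]
    :param auditcreeper: selects the audit mode that only collects names.
    :type auditcreeper: bool
    :return: one ``"MATCH"`` / ``"NO MATCH"`` entry per matched node and
        policy record.
    :rtype: list[str]
    """
    search_result = []
    # NOTE(review): this index never advances, so only policy_list[0] is
    # consulted; preserved from the original — confirm whether intended.
    element = 0
    for node in match_node:
        # enumerate gives the true position; list.index() rescanned the list
        # and would return the first equal record rather than this one.
        for index, node_obj in enumerate(node_object):
            if node != node_obj['name']:
                continue
            # Pull out every template belonging to this node's hardware
            # vendor, operating system and type from the template database.
            for policy_index, node_pol in enumerate(node_policy):
                if node != node_pol['name']:
                    continue
                # Record positions in the shared lists so later stages can
                # locate the matching device and policy records.
                initialize.element.append(index)
                initialize.element_policy.append(policy_index)
                if auditcreeper:
                    policy_node_list = [
                        policy_dir_name.split('/')[-1]
                        for policy_dir_name in node_pol['policy']
                    ]
                    policy_list.append(policy_node_list)
                    search_result.append("MATCH")
                else:
                    directory = get_policy_directory(
                        node_pol['hardware_vendor'],
                        node_obj['opersys'], node_obj['type'])
                    policy_path = directory + policy_list[element]
                    if policy_path in node_pol['policy']:
                        search_result.append("MATCH")
                    else:
                        print('+ No associating policy {}'.format(
                            policy_list[element]) +
                              ' for node {}]'.format(node))
                        search_result.append('NO MATCH')
    return search_result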
示例#4
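def parse_firewall_acl(node_policy, policy):
    """Generate firewall ACL lines for a node from a JSON policy file.

    The first line of the policy file is expected to carry the name of the
    network-objects file inside single quotes (for example ``'NETWORKS.net'``);
    it is extracted with ``PATH_FILTER_RE`` and handed to ``object_group``.

    :param node_policy: record with at least ``platform``, ``opersys`` and
        ``type`` keys, used to locate the policy directory.
    :type node_policy: dict
    :param policy: policy file name, appended to the resolved directory.
    :type policy: str
    :return: one ``"term source destination protocol destination-port action"``
        line per ACL when the platform is ``cisco`` or ``juniper``; an empty
        list otherwise.
    :rtype: list[str]
    :raises ValueError: if the first line of the policy file contains no
        single-quoted network-objects file name.
    """
    import ast

    PATH_FILTER_RE = r"\'.+\'"
    config_list = []
    directory = get_policy_directory(node_policy['platform'],
                                     node_policy['opersys'],
                                     node_policy['type'])
    acl_list = process_json(node_policy['platform'], node_policy['opersys'],
                            node_policy['type'], policy)
    # Only the first line is needed; the context manager closes the handle
    # that the previous open() call leaked.
    with open("{}".format(directory) + policy, "r") as policy_file:
        parse_include = policy_file.readline()
    quoted = re.findall(PATH_FILTER_RE, parse_include)
    if not quoted:
        raise ValueError(
            "no quoted network-objects path on first line of {}".format(policy))
    # literal_eval accepts only Python literals, so the policy file can no
    # longer execute arbitrary code the way the previous eval() call allowed.
    path = ast.literal_eval(quoted[0])
    print("PATH_FILTER: {}".format(path))
    for acl in acl_list:
        term = acl['term']
        source_address = acl['source']
        destination_address = acl['destination']
        protocol = acl['protocol']
        destination_port = acl['destination-port']
        action = acl['action']
        # Resolved for both ends but not yet emitted in the generated line;
        # the calls are kept in case object_group has side effects — confirm.
        source_object_group = object_group(path, source_address)
        destination_object_group = object_group(path, destination_address)
        if node_policy['platform'] in ('cisco', 'juniper'):
            line = "{} {} {} {} {} {}".format(term, source_address,
                                              destination_address, protocol,
                                              destination_port, action)
            print(line)
            # Append instead of overwriting so every ACL is returned, not
            # just the last one.
            config_list.append(line)
    return config_list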