...
Code Block |
---|
# show full-configuration | grep pre-login set pre-login-banner enable |
b) Create te the command on opCharts.
On opCharts GUI navigate to System > Manage Command Sets
...
Now we have the value that we are looking for
Step 2. Create the Parser
opConfig's configuration parsers are more than just parsers and we might have called them "knowledge extractors" instead. The purpose of such a config parser is to consume a particular type of command output and transform (relevant parts of) it into a tree structure.
Parsers are installed in the directory /usr/local/omk/conf/config_parsers.
Code Block |
---|
# cd /usr/local/omk/conf/config_parsers # ll -rw-rw-r--. 1 root root 3052 Sep 24 2021 cisco-config.pm -rw-rw-r--. 1 root root 927 Sep 19 19:28 cisco-interface.pm -rw-rw-r--. 1 root root 594 Sep 24 2021 cisco-version.pm -rw-rw-r--. 1 root root 272 Sep 24 2021 jsonpassthrough.pm -rw-rw-r--. 1 root root 450 Sep 24 2021 meminfo.pm -rw-rw-r--. 1 root root 2087 Apr 29 2021 README |
All config parsers must be valid Perl scripts, and we made this choice for efficiency reasons: a language flexible enough to parse and extract information from arbitrary configuration or status command outputs would have been almost as complicated as perl but much less robust. In addition to that you will likely change your policy rules much more often than any of the parsers.
For more information about the parsers please check the following link OpConfig and Compliance Management
Now we have to create the parser for the "show full-configuration" command. We can copy the cisco-interface.pm parser to create fortigate-config.pm parser.
Code Block |
---|
# cp cisco-interface.pm fortigate-config.pm |
Edit the fortigate-config.pm parser in order to find if the pre-login banner is enable or disable.
Code Block |
---|
# vi fortigate-config.pm |
...
Code Block |
---|
# this is a Fortigate "show full-configuration" parser for opconfig, which amends the config_features->config section our $VERSION = "1.0.0"; my (%config); for my $line (split(/\r?\n/,$input)) { if ($line =~ /.*set pre-login-banner (.+)/) { $config{disclaimer} = $1; } } return { config_features => { config => \%config } }; |
The $input variable contains all the output from "show full-configuration" command.
We can check if the syntaxis is ok using this:
Code Block |
---|
# perl -c fortigate-config.pm fortigate-config.pm syntax OK |
Step 3. Parser activation
To activate a particular config parser, you have to add an entry for it to /usr/local/omk/conf/opCommon.json in the opconfig_parsers
section. The entry must consist of a regular expression (which identifies which commands this parser handles), and of a path pointing to the parser file.
Code Block |
---|
# vi opCommon.json |
...
Code Block |
---|
"opconfig" : { "opconfig_parsers" : [ [ "^audit$", "config_parsers/jsonpassthrough.pm" ], [ "^show full-configuration$", "config_parsers/fortigate-config.pm" ], [ "^show version$", "config_parsers/cisco-version.pm" ] ], |
Note that all matching parsers will be applied for a particular command, in the order they are given in the configuration.
Step 4. Verify Parser extraction
The result of the parsing/extraction of all of opConfig's input material is what we call the "Node Configuration Status Document": a tree-structured concise expression of properties.
To verify that your parsers have correctly extracted the expected properties, you can export the newest version of the config status document:
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=Node-Name debug=true |
In our case
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=FortigateTest debug=true |
Command output
Code Block |
---|
opconfig-cli.pl Version 3.381.0 Copyright (C) 2015 Opmantek Limited (www.opmantek.com) This program comes with ABSOLUTELY NO WARRANTY; See www.opmantek.com or email contact@opmantek.com opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023 [2022-10-13 20:10:08.86998] [119957] [debug] new opConfig: require_db [2022-10-13 20:10:09.01269] [119957] [debug] Creating NMISx { "config_features" : { "config" : { "disclaimer" : "enable", }, } |
...
Normally opConfig updates the config status document only if are new command outputs available for a particular node; parser modifications are not taken into account!
While you are fine-tuning your parser behaviours, you will therefore likely want to force opConfig to reparse and re-extract the command outputs, which is of course possible:
...
Code Block |
---|
opconfig-cli.pl Version 3.381.0 Copyright (C) 2015 Opmantek Limited (www.opmantek.com) This program comes with ABSOLUTELY NO WARRANTY; See www.opmantek.com or email contact@opmantek.com opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023 [2022-10-13 20:16:51.60796] [120403] [debug] new opConfig: require_db [2022-10-13 20:16:51.74150] [120403] [debug] Creating NMISx [2022-10-13 20:16:51.99493] [120403] [debug] getting newest config status for node FortigateTest [2022-10-13 20:16:52.00003] [120403] [debug] Node status for FortigateTest needs updating [2022-10-13 20:16:52.01312] [120403] [debug] found no config parser for command "diagnose ip address list" on node FortigateTest [2022-10-13 20:16:52.01330] [120403] [debug] found no config parser for command "execute time" on node FortigateTest [2022-10-13 20:16:52.01341] [120403] [debug] found no config parser for command "get system performance status" on node FortigateTest [2022-10-13 20:16:52.02306] [120403] [debug] getting newest command output for show full-configuration [2022-10-13 20:16:52.03269] [120403] [debug] newest command output for show full-configuration is in [2022-10-13 20:16:52.03566] [120403] [debug] processing command show full-configuration, node FortigateTest, revision 8, input length 1013715, structured no [2022-10-13 20:16:52.03585] [120403] [debug] running parser /usr/local/omk/conf/config_parsers/fortigate-config.pm for node FortigateTest and command "show full-configuration" [2022-10-13 20:16:52.08347] [120403] [debug] parser finished, merging results [2022-10-13 20:16:52.08441] [120403] [debug] found no config parser for command "traceroute" on node FortigateTest |
Step 5. Create the Compliance Policy
Compliance policy language is very similar to opEvents language.
Here is a quick overview of the structural rules:
- A policy consists of one hash (or "associative array"). All hash keys (=rule numbers) must be numeric, and the keys control the order of rule evaluation.
Rule numbers do not have to be globally unique, just within the enclosing subpolicy. - Each hash element must describe either one IF/THEN clause or one EACH/BLOCK iteration.
- THEN statements can be either a single string (describing the actions to take) or a nested sub-policy (in the form of a nested hash).
- EACH/BLOCK iterations always require a nested sub-policy.
- IF statements are single strings, made up from structure or variable selector expressions and Perl operators and expressions.
- The available actions for THEN statements are
ok()
,exception()
,CONTINUE()
andLAST()
. - EACH statements consist of a variable name (for the iterator variable to be) and a structure selector expression (for the objects to iterate over).
- The policy engine invokes policy rules with a number of pre-defined structure variables, to provide access to the configuration status document, the current node name and a few others.
For more information about the compliance policy please check the following link OpConfig and Compliance Management
We have to create a compliance policy, navigate to /usr/local/omk/conf/compliance_policies.
Code Block |
---|
# cd /usr/local/omk/conf/compliance_policies # ll -rw-rw-r--. 1 root root 7473 Nov 17 2021 cisco_nsa.json |
We can copy the cisco_nsa.json policy to create banner.json policy.
Code Block |
---|
# cp cisco_nsa.json banner.json |
Edit the banner.json policy.
Code Block |
---|
# vi banner.json |
...
Code Block |
---|
{ "10" : { "IF" : "not defined(${NODEINFO}.os_info)", "THEN" : "exception(\"Node has no os_info\",0,node=$NODENAME) AND LAST()" }, "20" : { "IF" : "$NODEINFO.os_info.os eq \"Fortinet\"", "THEN" : { "201" : { "IF" : "$NODE.config_features.config.disclaimer eq \"disable\"", "THEN" : "exception(\"Banner is not enable\",3,node=$NODENAME,config=$NODE.config_features)" }, "202" : { "IF" : "$NODE.config_features.config.disclaimer eq \"enable\"", "THEN" : "ok(\"Banner is enable\",4,node=$NODENAME,config=$NODE.config_features)" } } } } |
Checking the file integrity
Code Block |
---|
# json_xs < banner.json |
Step 6. Policy Management
All policies are named and versioned, and managed through opconfig-cli.pl
To make a policy available to opConfig, it must be imported, we are going to import the banner.json policy like this:
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=import_policy name="banner01" file=/usr/local/omk/conf/compliance_policies/banner.json |
If the policy file my_policy.nmis
is different from any earlier version of "my new policy name" then opConfig will store the new version with an automatically updated revision and timestamp.
Checking the existing policies
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=list_policies |
Command output
Code Block |
---|
opconfig-cli.pl Version 3.381.0 Copyright (C) 2015 Opmantek Limited (www.opmantek.com) This program comes with ABSOLUTELY NO WARRANTY; See www.opmantek.com or email contact@opmantek.com opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023 Policy Version Date banner01 1 2022-10-13T21:50:32 |
Step 7. Policy Evaluation
At this time compliance policy assessments are not performed automatically but have to be triggered with opconfig-cli.pl
:
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=check_compliance name='banner01' node=FortigateTest debug=9 |
Command output
Code Block |
---|
opconfig-cli.pl Version 3.381.0 Copyright (C) 2015 Opmantek Limited (www.opmantek.com) This program comes with ABSOLUTELY NO WARRANTY; See www.opmantek.com or email contact@opmantek.com opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023 [2022-10-13 21:58:19.07636] [129889] [debug] new opConfig: require_db [2022-10-13 21:58:19.21568] [129889] [debug] Creating NMISx [2022-10-13 21:58:19.47365] [129889] [debug] getting newest config status for node FortigateTest [2022-10-13 21:58:19.47900] [129889] [debug] Node status for FortigateTest needs updating [2022-10-13 21:58:19.48678] [129889] [debug] getting newest command output for show full-configuration [2022-10-13 21:58:19.50876] [129889] [debug] newest command output for show full-configuration is in [2022-10-13 21:58:19.51203] [129889] [debug] processing command show full-configuration, node FortigateTest, revision 8, input length 1013715, structured no [2022-10-13 21:58:19.51217] [129889] [debug] running parser /usr/local/omk/conf/config_parsers/fortigate-config.pm for node FortigateTest and command "show full-configuration" [2022-10-13 21:58:19.56652] [129889] [debug] parser finished, merging results [2022-10-13 21:58:19.56796] [129889] [debug] found no config parser for command "traceroute" on node FortigateTest [2022-10-13 21:58:19.57450] [129889] [debug] got config status for FortigateTest, last update at 2022-10-13T21:58:19 [2022-10-13 21:58:19.57637] [129889] [debug] Operating on node FortigateTest [2022-10-13 21:58:19.57652] [129889] [debug] iterating through policy rules, now at nr. 10, substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57659] [129889] [debug] Operating on node FortigateTest [2022-10-13 21:58:19.57664] [129889] [debug] evaluating single IF/THEN rule, IF not defined(${NODEINFO}.os_info), THEN exception("Node has no os_info",0,node=$NODENAME) AND LAST(), substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57677] [129889] [debug] IF raw:'not defined(${NODEINFO}.os_info)', expanded: 'not defined(7)', evaluates to: 0 [2022-10-13 21:58:19.57682] [129889] [debug] iterating through policy rules, now at nr. 20, substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57686] [129889] [debug] Operating on node FortigateTest [2022-10-13 21:58:19.57689] [129889] [debug] evaluating single IF/THEN rule, IF $NODEINFO.os_info.os eq "Fortinet", THEN <subpolicy>, substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57696] [129889] [debug] IF raw:'$NODEINFO.os_info.os eq "Fortinet"', expanded: '"Fortinet" eq "Fortinet"', evaluates to: 1 [2022-10-13 21:58:19.57700] [129889] [debug] Operating on node FortigateTest [2022-10-13 21:58:19.57703] [129889] [debug] iterating through policy rules, now at nr. 201, substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57711] [129889] [debug] Operating on node FortigateTest [2022-10-13 21:58:19.57716] [129889] [debug] evaluating single IF/THEN rule, IF $NODE.config_features.config.disclaimer eq "disable", THEN exception("Banner is not enable",3,node=$NODENAME,config=$NODE.config_features), substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57723] [129889] [debug] IF raw:'$NODE.config_features.config.disclaimer eq "disable"', expanded: '"enable" eq "disable"', evaluates to: 0 [2022-10-13 21:58:19.57727] [129889] [debug] iterating through policy rules, now at nr. 202, substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57730] [129889] [debug] Operating on node FortigateTest [2022-10-13 21:58:19.57733] [129889] [debug] evaluating single IF/THEN rule, IF $NODE.config_features.config.disclaimer eq "enable", THEN ok("Banner is enable",4,node=$NODENAME,config=$NODE.config_features), substvars NODE, NODEINFO, NODENAME [2022-10-13 21:58:19.57739] [129889] [debug] IF raw:'$NODE.config_features.config.disclaimer eq "enable"', expanded: '"enable" eq "enable"', evaluates to: 1 [2022-10-13 21:58:19.57742] [129889] [debug] IF "$NODE.config_features.config.disclaimer eq "enable"" true, processing then "ok("Banner is enable",4,node=$NODENAME,config=$NODE.config_features)" [2022-10-13 21:58:19.57750] [129889] [debug] Raising ok "Banner is enable" for node FortigateTest [2022-10-13 21:58:19.57755] [129889] [debug] Taking exception action ok, Banner is enable |
Step 8. View Compliance Status
You can now check the Complaince Status in the opConfig GUI. Access the opConfig GUI at http://YOUR_SERVERNAME/omk/opConfig, login and then from the Menu Bar "Views -> Compliance Status".
In our case the banner is enable on Fortigate. This is the status when the banner is enable
Fortigate Banner
We changed the configuration on Fortigate and disable the banner.
Code Block |
---|
# config system global # set pre-login-banner disable # end |
Then we have to execute again the "show full-configuration" command on opCharts in order to update the config with the changes.
Now we have to update the config.
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=update_config_status node=FortigateTest force=1 debug=9 |
...
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=FortigateTest debug=true |
Command output
Code Block |
---|
opconfig-cli.pl Version 3.381.0 Copyright (C) 2015 Opmantek Limited (www.opmantek.com) This program comes with ABSOLUTELY NO WARRANTY; See www.opmantek.com or email contact@opmantek.com opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023 [2022-10-13 22:30:30.30975] [2717] [debug] new opConfig: require_db [2022-10-13 22:30:30.44241] [2717] [debug] Creating NMISx { "config_features" : { "config" : { "disclaimer" : "disable", }, } |
Now we need to run the policy evaluation
Code Block |
---|
# /usr/local/omk/bin/opconfig-cli.pl act=check_compliance name='banner01' node=FortigateTest debug=9 |
Command output
Code Block |
---|
opconfig-cli.pl Version 3.381.0 Copyright (C) 2015 Opmantek Limited (www.opmantek.com) This program comes with ABSOLUTELY NO WARRANTY; See www.opmantek.com or email contact@opmantek.com opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023 [2022-10-13 22:35:14.87127] [3153] [debug] new opConfig: require_db [2022-10-13 22:35:15.01090] [3153] [debug] Creating NMISx [2022-10-13 22:35:15.25586] [3153] [debug] getting newest config status for node FortigateTest [2022-10-13 22:35:15.26091] [3153] [debug] Node status for FortigateTest already up to date as of 2022-10-13T22:34:47 [2022-10-13 22:35:15.26549] [3153] [debug] got config status for FortigateTest, last update at 2022-10-13T22:34:47 [2022-10-13 22:35:15.26684] [3153] [debug] Operating on node FortigateTest [2022-10-13 22:35:15.26695] [3153] [debug] iterating through policy rules, now at nr. 10, substvars NODENAME, NODEINFO, NODE [2022-10-13 22:35:15.26701] [3153] [debug] Operating on node FortigateTest [2022-10-13 22:35:15.26705] [3153] [debug] evaluating single IF/THEN rule, IF not defined(${NODEINFO}.os_info), THEN exception("Node has no os_info",0,node=$NODENAME) AND LAST(), substvars NODENAME, NODEINFO, NODE [2022-10-13 22:35:15.26721] [3153] [debug] IF raw:'not defined(${NODEINFO}.os_info)', expanded: 'not defined(7)', evaluates to: 0 [2022-10-13 22:35:15.26726] [3153] [debug] iterating through policy rules, now at nr. 20, substvars NODENAME, NODEINFO, NODE [2022-10-13 22:35:15.26729] [3153] [debug] Operating on node FortigateTest [2022-10-13 22:35:15.26733] [3153] [debug] evaluating single IF/THEN rule, IF $NODEINFO.os_info.os eq "Fortinet", THEN <subpolicy>, substvars NODENAME, NODEINFO, NODE [2022-10-13 22:35:15.26739] [3153] [debug] IF raw:'$NODEINFO.os_info.os eq "Fortinet"', expanded: '"Fortinet" eq "Fortinet"', evaluates to: 1 [2022-10-13 22:35:15.26743] [3153] [debug] Operating on node FortigateTest [2022-10-13 22:35:15.26746] [3153] [debug] iterating through policy rules, now at nr. 201, substvars NODENAME, NODEINFO, NODE [2022-10-13 22:35:15.26750] [3153] [debug] Operating on node FortigateTest [2022-10-13 22:35:15.26753] [3153] [debug] evaluating single IF/THEN rule, IF $NODE.config_features.config.disclaimer eq "disable", THEN exception("Banner is not enable",3,node=$NODENAME,config=$NODE.config_features), substvars NODENAME, NODEINFO, NODE [2022-10-13 22:35:15.26760] [3153] [debug] IF raw:'$NODE.config_features.config.disclaimer eq "disable"', expanded: '"disable" eq "disable"', evaluates to: 1 [2022-10-13 22:35:15.26763] [3153] [debug] IF "$NODE.config_features.config.disclaimer eq "disable"" true, processing then "exception("Banner is not enable",3,node=$NODENAME,config=$NODE.config_features)" [2022-10-13 22:35:15.26770] [3153] [debug] Raising exception "Banner is not enable" for node FortigateTest [2022-10-13 22:35:15.26775] [3153] [debug] Taking exception action exception, Banner is not enable |
Checking the compliance status on opCharts GUI.