pixbkup_1.0.txt

#!/usr/bin/perl
#===========================================================#
# Cisco PIX Config Backup Utility Script                    #
# Copyright 2004 Chris Sawall   csawall@hotmail.com         #
# http://tech.stlsawall.com                                 #
#                                                           #
my $written = "08/12/04";                                   #
my $lastupdated = "08/19/04";                               #
my $version = "1.0";                                        #
my $myemail = "sawall\@gmail.com";                          #
#===========================================================#
#===========================================================#
# COPYRIGHT NOTICE                                          #
# Copyright 2004 Chris Sawall  All Rights Reserved.         #
#                                                           #
# Cisco PIX Config Backup Utility Script (pixbkup.pl) may   #
# be used and modified free of charge by anyone so long as  #
# this copyright notice and the comments above remain       #
# intact.  By using this code you agree to indemnify        #
# Chris Sawall from any liability that might arise from     #
# its use.                                                  #
#                                                           #
# Selling the code for this program without prior written   #
# consent is expressly forbidden.  In other words,          #
# please ask first before you try and make money off of my  #
# program.                                                  #
#                                                           #
# Obtain permission before redistributing this software     #
# over the Internet or in any other medium. In all cases    #
# copyright and header must remain intact.                  #
#===========================================================#
#
# The main purpose of this script is to automate
# the process of backing up Cisco PIX configs.  It does so
# over a secure channel by using SSH.
#
#==========================================
# Directions on configuring the PIX
#
# Depending on whether or not you are using some type of
# Radius or TACACS solution, you may or may not need
# to create a user account on the PIX.  If you do, the
# following is the command to do so:
#
# username pixbkup password pixbkup privilege 5
#
# ("pixbkup" is only an example; use a long, unique password here
# and in the $pass setting below, and do not reuse the enable
# password.)
#
# and the PIX config will look like:
# username pixbkup password /O5wMATnjhpdZAY9 encrypted privilege 5
#
# you will need to configure ssh:
# aaa authentication ssh console {RADIUS|TACACS|LOCAL}
#
# ensure that the device running the script can connect
# to the PIX:
# ssh 10.10.10.10 255.255.255.255 inside (or appropriate interface)
#
# also connect once by hand from the backup user's account so the
# PIX's SSH host key is in known_hosts: the script does not answer
# the first-connection "continue connecting (yes/no)?" prompt, so an
# unknown host key makes the login time out and the host is skipped.
#
# tell the PIX to get authorization permissions locally
# aaa authorization command LOCAL
#
# set the privilege level to only allow the user to
# show the running configuration:
# privilege show level 5 command running-config
#
# set the enable password for level 5:
# enable password pixbkup level 5
#
#==========================================
# the Expect Perl module will need to be installed:
#
# [root@yoursystem root]# cpan
#
# cpan shell -- CPAN exploration and modules installation (v1.7601)
# ReadLine support available (try 'install Bundle::CPAN')
#
# cpan> install Expect
#
#==========================================

use strict;
use warnings;
use File::Temp qw(tempfile);
use POSIX qw(strftime);
use Expect;
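$|++;

#=========================================
# Runtime settings
#=========================================
# Set to 1 for progress output on STDOUT.
my $debug = 0;

# Backup account on the PIX (see the setup notes above).  The password
# is taken from the PIXBKUP_PASS environment variable when that is set,
# so it does not have to live in this file; the literal is only the
# fallback and should be changed from the example value.
my $user = "pixbkup";
my $pass = defined $ENV{PIXBKUP_PASS} ? $ENV{PIXBKUP_PASS} : "pixbkup";

# Privilege level the backup account was given on the PIX.
my $enlvl = "5";
# 1: enter enable at $enlvl with the backup account's own password.
# 0: enter full enable (level 15) with $enpass -- not suggested, the
#    backup host then holds the real enable password.
my $userprivset = 1;
# Real enable password; only used when $userprivset is 0.  Also read
# from the environment (PIXBKUP_ENABLE_PASS) in preference to the literal.
my $enpass = defined $ENV{PIXBKUP_ENABLE_PASS} ? $ENV{PIXBKUP_ENABLE_PASS} : "PASSWORD";

# Command that prints the running configuration.  Note the
# "exclude passw": it keeps the enable/password lines out of the stored
# copy (it also drops any other line containing "passw").  I believe the
# PIX version has to be at least 6.3 for this to work.
my $getcfgcmd = "sh run | exclude passw";

# File listing the firewalls to back up, one per line.  Lines beginning
# with a pound sign (#) are ignored.
my $hostfile = "firewall.list";

# Temporary transcript of each SSH session, parsed by the main loop and
# deleted at the end of the script.  Created with File::Temp so the name
# is unpredictable and the file is mode 0600: a fixed name such as
# /tmp/xlog.txt could be pre-created or symlinked by another local user,
# who would then get to read the captured configs (or have this script
# truncate a file of their choosing).  UNLINK => 1 removes it at exit
# even if the script dies part way through.
my ($logfh, $logfile) = tempfile("pixbkup.XXXXXX", TMPDIR => 1, UNLINK => 1);
close($logfh);

# Where configurations are stored; each run writes <host>.<timestamp>.cfg
# (and .md5) here.  The directory must exist and access to it should be
# locked down -- the configs are sensitive even with passwords excluded.
my $configdir = "/logs/pixconfigs";
# Files this script creates (configs, hashes, transcript) are readable
# by the running user only.  Relax if a group needs access to $configdir.
umask 077;

# Write a <host>.<timestamp>.md5 file next to each config when set to 1.
# This is a change-detection aid, not tamper-proofing: anyone able to
# alter a .cfg file in $configdir can rewrite the matching .md5 as well.
my $createmd5 = 1;
# Binaries used to produce the hash, and which one to use.
my $opensslexe = "/usr/bin/openssl";
my $md5sumexe = "/usr/bin/md5sum";
my $usemd5prog = "md5sum"; # can be "md5sum" or "openssl"

#=========================================
# Working variables used by the main loop
#=========================================
my ($host, $expect, $result, $grabdata);
my ($sec,$min,$hour,$mday,$mon,$year,$currenttime,$pixcfgfile,$pixmd5file,$sum);
# Markers written into the session transcript around the config dump.
# They are deliberately fixed strings: they are built once here, before
# any host is known, and the main loop matches on them literally.
my $starttag = "---- Start config ----";
my $endtag = "---- End config ----";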

#=========================================
# set current time and day var
#=========================================
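#=========================================
# Timestamp used in every file name this run creates:
# MMDDYYYY.HHMMSS in local time (e.g. 08192004.143000).  strftime
# zero-pads every field, which is what the hand-rolled padding did.
# The month-first order is kept so new files sort alongside existing
# ones; note it is not chronological order.
#=========================================
$currenttime = strftime("%m%d%Y.%H%M%S", localtime(time));
if ($debug) { print "###Show Current Time ###\n"; print "Time => $currenttime\n"; }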

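# Open the host list.  Previously the file was only opened when it
# existed and a missing or unreadable list fell through to an empty
# loop, so a broken setup looked like a successful run with nothing to
# do.  Fail loudly instead.
open(FWFILE, '<', $hostfile) or die "Failed to read config ($hostfile): $!\n";
if ($debug) {
    print "Current hostfile is $hostfile\n";
    # Count in Perl instead of shelling out to `cat | wc -l`, then rewind
    # so the main loop still starts at the first entry.  Comment lines
    # are included in the count, as before.
    my $numhosts = 0;
    $numhosts++ while <FWFILE>;
    seek(FWFILE, 0, 0) or die "Cannot rewind $hostfile: $!\n";
    print "Total number of hosts is $numhosts\n";
}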

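# Wait up to $timeout seconds for $pattern on the session, then send
# $reply.  Returns true when the pattern was seen.  On timeout or EOF
# nothing is sent and false is returned, so a password is never typed
# at a prompt we did not expect.  Expect->expect() in scalar context
# returns the 1-based index of the matched pattern, or undef.
sub send_after {
    my ($session, $timeout, $pattern, $reply) = @_;
    my $matched = $session->expect($timeout, $pattern);
    return 0 unless defined $matched;
    print {$session} $reply;
    return 1;
}

# Seconds to wait for the prompt to come back after the config dump.
# The original waited 1 second, which truncated larger configurations:
# output arriving after the timeout was logged *after* the end tag and
# silently dropped from the backup.
my $dumptimeout = 30;

# Main loop: one SSH session per host listed in $hostfile.  A host whose
# login or config dump does not complete is reported on STDERR and gets
# no .cfg/.md5 file at all, rather than an empty or truncated file that
# would look like a valid backup.
HOST: while ($host = <FWFILE>) {
    chomp($host);
    $host =~ s/^\s+//;
    $host =~ s/\s+$//;
    if ($debug) { print "Current host is $host\n"; }
    # --- Blank lines and commented hosts are ignored
    next HOST if $host eq '';
    if ($host =~ /^#/) {
        if ($debug) { print "Host commented out: $host\n"; }
        next HOST;
    }
    # $host becomes an ssh argument and part of a file name under
    # $configdir, so accept only hostname/address characters: no '/',
    # no whitespace, and no leading '-' that ssh would take as an option.
    unless ($host =~ /\A[A-Za-z0-9][A-Za-z0-9.:_-]*\z/) {
        warn "Skipping invalid host entry '$host' in $hostfile\n";
        next HOST;
    }
    $pixcfgfile = "$host.$currenttime.cfg";
    $pixmd5file = "$host.$currenttime.md5";
    my $cfgpath = "$configdir/$pixcfgfile";
    my $md5path = "$configdir/$pixmd5file";
    if ($debug) {
        print "Current PIX CFG file is $pixcfgfile\n";
        print "Current PIX MD5 file is $pixmd5file\n";
    }

    # --- Start the SSH session.  The list form execs ssh directly with
    # no shell in between, so nothing in $user or $host is interpreted
    # as shell syntax.  The PIX host key must already be in known_hosts:
    # a first-connection "(yes/no)?" prompt is deliberately not answered;
    # the password step below then times out and the host is skipped.
    $expect = Expect->spawn('ssh', '-l', $user, $host);
    unless (defined $expect) {
        warn "Could not start ssh for $host: $!\n";
        next HOST;
    }
    $expect->log_stdout(0);
    # Per-host transcript, truncated on open; parsed further down.
    $expect->log_file($logfile, "w");

    # --- Log in and raise privilege, either to $enlvl with the backup
    # account's own password or to full enable with $enpass.
    my ($encmd, $enreply) = $userprivset ? ("en $enlvl\n", "$pass\n")
                                         : ("en\n",        "$enpass\n");
    if ($debug) {
        my $privmsg = $userprivset
            ? "User PRIV Set - Using Level $enlvl\n"
            : "User PRIV *NOT* Set - Using Default Enable Level 15\n";
        print $privmsg;
    }
    my $loggedin = send_after($expect, 5, 'assword:', "$pass\n")
                && send_after($expect, 5, '>',        $encmd)
                && send_after($expect, 1, 'assword:', $enreply)
                && send_after($expect, 1, '#',        "pager 0\n")
                && defined $expect->expect(1, '#');

    # --- Dump the configuration between two markers in the transcript.
    my $dumped = 0;
    if ($loggedin) {
        $expect->print_log_file("\n$starttag\n");
        print {$expect} "$getcfgcmd\n";
        $dumped = defined($expect->expect($dumptimeout, '#')) ? 1 : 0;
        $expect->print_log_file("\n$endtag\n");
        if ($dumped) {
            # Restore paging and log out; neither step affects the backup.
            print {$expect} "pager 25\n";
            send_after($expect, 1, '#', "exit\n");
        }
    }
    # Stop logging before the transcript is read back, and reap ssh
    # instead of leaving one child process per firewall until exit.
    $expect->log_file(undef);
    $expect->soft_close();

    unless ($dumped) {
        warn "No complete configuration received from $host; nothing written\n";
        next HOST;
    }

    # --- Copy the lines between the markers into the config file.
    my ($cfgfh, $logfh);
    unless (open($cfgfh, '>>', $cfgpath)) {
        warn "Cannot open $cfgpath for writing: $!\n";
        next HOST;
    }
    unless (open($logfh, '<', $logfile)) {
        warn "Cannot read transcript $logfile: $!\n";
        close($cfgfh);
        next HOST;
    }
    my $grabbing = 0;
    while (my $line = <$logfh>) {
        chomp($line);
        $line =~ tr/\r//d;
        # The markers and the command echo are matched literally (\Q..\E).
        # Interpolated bare, the '|' in "sh run | exclude passw" made the
        # pattern an alternation that also discarded any config line
        # containing " exclude passw" or "sh run ".
        if ($line =~ /\Q$starttag\E/) {
            $grabbing = 1;
            if ($debug) { print "Found Start tag for $host\n"; }
            next;
        }
        if ($line =~ /\Q$endtag\E/) {
            if ($debug) { print "Found End tag for $host\n"; }
            last;
        }
        next unless $grabbing;
        next if $line =~ /\Q$getcfgcmd\E/;    # echo of the command itself
        # NOTE(review): the transcript line carrying the returning prompt
        # (what the '#' match saw) precedes the end marker and is kept,
        # as it was before.
        print {$cfgfh} "$line\n";
    }
    close($logfh);
    unless (close($cfgfh)) {
        warn "Error writing $cfgpath: $!\n";
        next HOST;
    }

    # --- Optional MD5 of the stored config.  This is a change-detection
    # aid, not tamper evidence: anyone who can modify a .cfg file in
    # $configdir can rewrite the .md5 beside it.  The hashing tool runs
    # through a list-form pipe open (no shell), and its one-line output
    # is stored without the extra blank line the old "$sum\n" produced.
    if ($createmd5) {
        if ($debug) { print "Creating MD5 Hash\n"; }
        my @md5cmd;
        if ($usemd5prog =~ /md5sum/) {
            if ($debug) { print "Using MD5sum...\n"; }
            @md5cmd = ($md5sumexe);
        }
        elsif ($usemd5prog =~ /openssl/) {
            if ($debug) { print "Using OpenSSL...\n"; }
            @md5cmd = ($opensslexe, 'md5');
        }
        else {
            warn "Unknown md5 program '$usemd5prog'; no hash written for $host\n";
        }
        if (@md5cmd) {
            my $sumfh;
            if (open($sumfh, '-|', @md5cmd, $cfgpath)) {
                $sum = join('', <$sumfh>);
                chomp($sum);
                if (close($sumfh) && $sum ne '') {
                    if ($debug) { print "$sum\n"; }
                    my $md5fh;
                    if (open($md5fh, '>>', $md5path)) {
                        print {$md5fh} "$sum\n";
                        close($md5fh) or warn "Error writing $md5path: $!\n";
                    }
                    else {
                        warn "Cannot open $md5path for writing: $!\n";
                    }
                }
                else {
                    warn "Hashing $cfgpath with @md5cmd failed (exit status $?)\n";
                }
            }
            else {
                warn "Cannot run @md5cmd: $!\n";
            }
        }
    }
} # --- END MAIN WHILE LOOP OF FWFILE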
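# --- Clean up.  The transcript holds the raw SSH sessions, including
# the captured configurations, so a leftover copy in the temp directory
# is sensitive data: make a failed removal visible instead of claiming
# success.  (The -e guard covers a run in which no host was processed
# and the transcript was therefore never created.)
if (-e $logfile) {
    if (unlink($logfile)) {
        if ($debug) { print "Unlinked $logfile.\n"; }
    }
    else {
        warn "Could not remove $logfile: $!\n";
    }
}
close(FWFILE);
exit;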