pixbkup_1.0.txt

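#!/usr/bin/perl
#===========================================================#
# Cisco PIX Config Backup Utility Script                    #
# Copyright 2004 Chris Sawall csawall@hotmail.com           #
# http://tech.stlsawall.com                                 #
#                                                           #
#   my $written = "08/12/04";                               #
#   my $lastupdated = "08/19/04";                           #
#   my $version = "1.0";                                    #
#   my $myemail = "sawall\@gmail.com";                      #
#===========================================================#
#===========================================================#
# COPYRIGHT NOTICE                                          #
# Copyright 2004 Chris Sawall All Rights Reserved.          #
#                                                           #
# Cisco PIX Config Backup Utility Script (pixbkup.pl) may   #
# be used and modified free of charge by anyone so long as  #
# this copyright notice and the comments above remain       #
# intact. By using this code you agree to indemnify         #
# Chris Sawall from any liability that might arise from     #
# its use.                                                  #
#                                                           #
# Selling the code for this program without prior written   #
# consent is expressly forbidden. In other words,           #
# please ask first before you try and make money off of my  #
# program.                                                  #
#                                                           #
# Obtain permission before redistributing this software     #
# over the Internet or in any other medium. In all cases    #
# copyright and header must remain intact.                  #
#===========================================================#
#
# The main purpose of this script is to automate
# the process of backing up Cisco PIX configs. It does so
# over a secure channel by using SSH.
#
#==========================================
# Directions on configuring the PIX
#
# Depending on whether or not you are using some type of
# Radius or TACACS solution, you may or may not need
# to create a user account on the PIX. If you do, the
# following is the command to do so:
#
# username pixbkup password pixbkup privilege 5
#
# and the PIX config will look like:
# username pixbkup password /O5wMATnjhpdZAY9 encrypted privilege 5
#
# you will need to configure ssh:
# aaa authentication ssh console {RADIUS|TACACS|LOCAL}
#
# ensure that the device running the script can connect
# to the PIX:
# ssh 10.10.10.10 255.255.255.255 inside (or appropriate interface)
#
# tell the PIX to get authorization permissions locally
# aaa authorization command LOCAL
#
# set the privilege level to only allow the user to
# show the running configuration:
# privilege show level 5 command running-config
#
# set the enable password for level 5:
# enable password pixbkup level 5
#
#==========================================
# Security notes (review)
#
# - The backup account's password is stored in this file in
#   plaintext and, per the directions above, doubles as the
#   level-5 enable password. Keep this script mode 0700, run it
#   as a dedicated account, and give the PIX user nothing beyond
#   "show running-config". The script also issues "pager 0" /
#   "pager 25"; if pager is not permitted at that level the
#   output is presumably paginated and the capture stops at the
#   first --More-- prompt, so test one host with $debug = 1.
# - "sh run | exclude passw" only drops lines containing the
#   substring "passw". Secrets on other lines (e.g. isakmp
#   pre-shared keys, SNMP community strings) are still written
#   to $configdir; treat the .cfg files as sensitive.
# - The .md5 sidecar detects accidental corruption only. Anyone
#   who can modify a .cfg in $configdir can rewrite its .md5.
# - Each line of the host file is handed to ssh and used as an
#   output file name, so entries are validated (see read_hosts).
# - The session is only ever waiting for a password prompt; an
#   ssh "unknown host key" question would just time out. Unknown
#   keys are therefore refused (@ssh_opts) and known_hosts must
#   be populated beforehand.
#
#==========================================
# the Expect Perl module will need to be installed:
#
# [root@yoursystem root]# cpan
#
# cpan shell -- CPAN exploration and modules installation (v1.7601)
# ReadLine support available (try 'install Bundle::CPAN')
#
# cpan> install Expect
#
#==========================================
use Expect;
use File::Temp qw(tempfile);
use strict;
use warnings;

$|++;

# everything this script creates (configs, hashes, session log)
# holds device configuration, so make it owner-only
umask 077;

my $debug = 0;

# set the username and password of the backup acct
my $user = "pixbkup";
my $pass = "pixbkup";

# define what privilege level is defined on the pix
my $enlvl = "5";

# tell script if you will be using a privilege level
# or if you are just going to use the default enable
# password to login (not suggested).
# set to 1 to use defined privilege level.
my $userprivset = 1;

# set "real" enable password if necessary (not suggested)
my $enpass = "PASSWORD";

# define command to display current configuration
# note the "exclude passw". this is to ensure that the
# real enable password is not stored with the configuration
# (it removes every line containing "passw"; see the security
# notes above for what it does NOT remove)
# i believe the pix version has to be at least 6.3 or higher
my $getcfgcmd = "sh run | exclude passw";

# extra ssh options. Refuse unknown host keys instead of prompting
# (the prompt would never be answered, see notes above). Set to ()
# to fall back to your ssh_config defaults.
my @ssh_opts = ('-o', 'StrictHostKeyChecking=yes');

# seconds to wait for the prompt to return after "sh run". expect()
# returns as soon as the prompt appears, so a generous value costs
# nothing on success; the old 1s cut large configs short.
my $cfg_timeout = 30;

# define the file containing a list of firewalls to connect
# to and backup config. hosts beginning with a pound sign (#)
# will be ignored, as are blank lines.
my $hostfile = "firewall.list";

# set the location to store config files. be sure to lock
# down access to this folder.
my $configdir = "/logs/pixconfigs";

# choose whether or not to create md5 hashes of configurations
# setting to 1 will create hash
my $createmd5 = 1;

# define binary locations to do md5 hashes on config files
my $opensslexe = "/usr/bin/openssl";
my $md5sumexe  = "/usr/bin/md5sum";

# define which binary to execute
my $usemd5prog = "md5sum";    # exactly "md5sum" or "openssl"

# temp file for the raw Expect session of the host currently being
# backed up; deleted at end of script. Expect documents that data
# sent to the process is logged as well, so the typed password may
# be in here along with the config. It is therefore created 0600
# with an unpredictable name (no symlink/overwrite race, not
# readable by other local users) instead of a fixed path in /tmp.
my ($tmp_fh, $logfile) = tempfile('pixbkup.XXXXXX', TMPDIR => 1, UNLINK => 1);
close $tmp_fh;

#=========================================
# helpers
#=========================================

# print a debugging line when $debug is set
sub dbg {
    print @_, "\n" if $debug;
    return;
}

# Read the host file and return the list of hosts to back up.
# Comment (#) and blank lines are skipped. Each entry must be a
# plain host name or IPv4 address ([A-Za-z0-9.-], not starting with
# '.' or '-'): the value is placed on the ssh command line and used
# as a file name under $configdir, and this is what keeps shell
# metacharacters and "../" out of both. Widen the pattern if you
# need IPv6 literals.
sub read_hosts {
    my ($path) = @_;
    open my $fh, '<', $path or die "Cannot open host file $path: $!\n";
    my @hosts;
    while (my $line = <$fh>) {
        $line =~ s/^\s+//;
        $line =~ s/\s+$//;    # also handles CRLF host files
        next if $line eq '';
        if ($line =~ /^#/) {
            dbg("Host commented out: $line");
            next;
        }
        if ($line =~ /^([A-Za-z0-9][A-Za-z0-9.-]*)$/) {
            push @hosts, $1;
        } else {
            warn "Skipping invalid host entry in $path: '$line'\n";
        }
    }
    close $fh;
    return @hosts;
}

# Marker lines written into the session log around the config dump
# so extract_config() can locate it. Returns (start_tag, end_tag).
# Built per host (the old file-level tags were built before $host
# had a value, so they never actually contained the host name).
sub config_tags {
    my ($host) = @_;
    return ("---- Start config for $host ----", "---- End config for $host ----");
}

# Wait up to $timeout seconds for the literal $pattern on the session
# and, only if it appeared, send $reply. Returns the expect() result
# (true on match, undef on timeout/EOF).
sub await_and_send {
    my ($exp, $timeout, $pattern, $reply) = @_;
    my $matched = $exp->expect($timeout, $pattern);
    $exp->send($reply) if $matched;
    return $matched;
}

# Log into $host over ssh, dump the running configuration into the
# session log $raw_path (bracketed by config_tags) and log out.
sub fetch_config {
    my ($host, $raw_path) = @_;
    my ($start_tag, $end_tag) = config_tags($host);

    # list form: arguments go straight to exec(), no shell parses $host
    my $exp = Expect->spawn('ssh', @ssh_opts, '-l', $user, $host)
        or die "Cannot spawn ssh to $host: $!\n";
    $exp->log_stdout(0);                 # don't display session data on screen
    $exp->log_file($raw_path, "w");      # start log file, truncating any existing log

    # --- Log into pix ---
    await_and_send($exp, 5, 'assword:', "$pass\n");
    my $at_prompt = $exp->expect(5, '>');
    if ($userprivset) {
        dbg("User PRIV Set - Using Level $enlvl");
        $exp->send("en $enlvl\n") if $at_prompt;
        await_and_send($exp, 1, 'assword:', "$pass\n");
    } else {
        dbg("User PRIV *NOT* Set - Using Default Enable Level 15");
        $exp->send("en\n") if $at_prompt;
        await_and_send($exp, 1, 'assword:', "$enpass\n");
    }

    # --- disable paging so the whole config arrives without --More-- ---
    await_and_send($exp, 1, '#', "pager 0\n");

    # --- dump config between the tags ---
    my $ready = $exp->expect(1, '#');
    $exp->print_log_file("\n$start_tag\n");
    $exp->send("$getcfgcmd\n") if $ready;
    # NOTE: '#' is matched literally; a '#' inside the config (banner,
    # description) would end the capture early.
    my $done = $exp->expect($cfg_timeout, '#');
    $exp->print_log_file("\n$end_tag\n");
    $exp->send("pager 25\n") if $done;

    await_and_send($exp, 1, '#', "exit\n");

    $exp->log_file(undef);    # flush and close the session log before it is read
    $exp->hard_close();       # bounded cleanup of the ssh child
    return;
}

# Copy the lines between the tags for $host from the session log
# $raw_path to $cfg_path (appended, as before). Carriage returns are
# stripped and the echoed "sh run" command line is dropped.
sub extract_config {
    my ($host, $raw_path, $cfg_path) = @_;
    my ($start_tag, $end_tag) = config_tags($host);

    open my $raw_fh, '<', $raw_path or die "Cannot read session log $raw_path: $!\n";
    open my $cfg_fh, '>>', $cfg_path or die "Cannot write $cfg_path: $!\n";

    # substring tests (index) rather than regex matches: the tags embed
    # the host name, and $getcfgcmd contains '|', which as a regex is an
    # alternation that would also drop unrelated config lines
    my $in_config = 0;
    while (my $line = <$raw_fh>) {
        chomp $line;
        $line =~ tr/\r//d;
        if (index($line, $start_tag) >= 0) {
            dbg("Found Start tag for $host");
            $in_config = 1;
            next;
        }
        if (index($line, $end_tag) >= 0) {
            dbg("Found End tag for $host");
            $in_config = 0;
            next;
        }
        next unless $in_config;
        next if index($line, $getcfgcmd) >= 0;    # the echoed command itself
        print {$cfg_fh} "$line\n";
    }
    close $raw_fh;
    close $cfg_fh or die "Error writing $cfg_path: $!\n";
    return;
}

# Hash $cfg_path with the configured tool and store the tool's output
# in $md5_path. Integrity check against accidental corruption only;
# anyone who can write to $configdir can rewrite both files.
sub write_md5 {
    my ($cfg_path, $md5_path) = @_;
    my @cmd;
    if ($usemd5prog eq 'openssl') {
        dbg("Using OpenSSL...");
        @cmd = ($opensslexe, 'md5', $cfg_path);
    } elsif ($usemd5prog eq 'md5sum') {
        dbg("Using MD5sum...");
        @cmd = ($md5sumexe, $cfg_path);
    } else {
        warn "Unknown md5 program '$usemd5prog'; no hash written for $cfg_path\n";
        return;
    }

    # list-form pipe open: the path is passed to the tool directly and
    # never re-parsed by a shell (the old backticks interpolated it)
    open my $sum_fh, '-|', @cmd or die "Cannot run $cmd[0]: $!\n";
    my $sum = do { local $/; <$sum_fh> };
    close $sum_fh;
    warn "$cmd[0] exited with status " . ($? >> 8) . " for $cfg_path\n" if $?;
    $sum = '' unless defined $sum;
    dbg($sum);

    open my $md5_fh, '>>', $md5_path or die "Cannot write $md5_path: $!\n";
    print {$md5_fh} "$sum\n";    # tool output as-is, plus the trailing newline the old script added
    close $md5_fh or die "Error writing $md5_path: $!\n";
    return;
}

#=========================================
# main
#=========================================

# output file names keep the historical MMDDYYYY.HHMMSS stamp
# (note: it does not sort chronologically)
my @lt = localtime(time);
my $currenttime = sprintf('%02d%02d%04d.%02d%02d%02d',
    $lt[4] + 1, $lt[3], $lt[5] + 1900, $lt[2], $lt[1], $lt[0]);
dbg("###Show Current Time ###");
dbg("Time => $currenttime");

die "Config directory $configdir does not exist\n" unless -d $configdir;
# the configs are sensitive; complain if others can get at the directory
my $dir_mode = (stat $configdir)[2] & 07777;
warn sprintf("Warning: %s is group/world accessible (mode %04o)\n", $configdir, $dir_mode)
    if $dir_mode & 0077;

dbg("Current hostfile is $hostfile");
my @hosts = read_hosts($hostfile);
dbg("Total number of hosts is " . scalar @hosts);

foreach my $host (@hosts) {
    dbg("Current host is $host");
    my $pixcfgfile = "$host.$currenttime.cfg";
    my $pixmd5file = "$host.$currenttime.md5";
    dbg("Current PIX CFG file is $pixcfgfile");
    dbg("Current PIX MD5 file is $pixmd5file");

    fetch_config($host, $logfile);
    extract_config($host, $logfile, "$configdir/$pixcfgfile");
    if ($createmd5) {
        dbg("Creating MD5 Hash");
        write_md5("$configdir/$pixcfgfile", "$configdir/$pixmd5file");
    }
}

unlink $logfile;
dbg("Unlinked $logfile.");
exit;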