Scripting 102 - PaloAlto / Backing up firewalls, what did you #!/usr/bin/expect!

3 min read


Now that you know about my obsession with scripting from Scripting 101 - F5 / Automatic backup of your load balancers, we are going to see how to back up PaloAlto firewalls. PAN-OS offers an excellent XML REST API that lets remote automation interact with the device, but today we will revisit one of the most basic tools of a UNIX system: expect.

1 - What is Expect?

Expect is a test automation tool, built as an extension of the Tcl language, for driving interactive programs such as ftp, telnet, ssh and many others. It is used by the RANCID project (a backup automation tool). The way it works is fairly simple: it launches an interactive command (ssh, for instance) and then runs a series of send/expect commands to send input and check what comes back. The usual commands include:

  • spawn: launches a program
  • send: sends input as if we had typed it manually in a terminal
  • expect: checks the program's output, i.e. the text we would have seen on the terminal
  • and the whole Tcl function library, also used in F5 iRules ;)

2 - Automation script

As you might guess, if we write an expect script that connects to a device over SSH and runs a "get configuration" type command, it is very easy to schedule it (crontab) to get a daily backup of our devices. Below is an example implementation for PaloAlto firewalls, which you can modify as you like and adapt to other devices! All that is left is to deploy it on your favourite UNIX/Linux; the command is used like this:

romio@whitehat ~/Desktop $ ./backup_paloalto.sh <host> <user> <pass> [<output_file>]
# Example
romio@whitehat ~/Desktop $ ./backup_paloalto.sh 172.16.1.51 admin admin
# Default output file: backup-pan-<host>-<date>.conf
romio@whitehat ~/Desktop $ head -3 backup-pan-172.16.1.51-2012-09-21.conf
config {
  mgt-config {
    users {
[...]

Source code:

#!/usr/bin/expect
# Romain MOREL
# [email protected]
# Usage : backup_paloalto host user pass [output_file]
# Version 1.0

##############################################################################
#
# CONFIGURATION
#
##############################################################################

# Global Variables (adjust the value to your hostname/cluster)
set prompt "@*> $"

# Output buffer: the expect_out buffer keeps at most this many bytes, so a
# running config larger than this would be truncated
match_max -d 1000000

# Disable terminal output
log_user 0

##############################################################################
#
# ARGUMENTS
#
##############################################################################

set host [lindex $argv 0]
set user [lindex $argv 1]
# Note: a password given on the command line is visible to other local users
# in the process list (ps)
set pass [lindex $argv 2]
set file [lindex $argv 3]

# Check arguments
if { $user == "" || $pass == "" || $host == "" } {
    puts "Usage: backup_paloalto <host> <user> <pass> \[<output_file>\]"
    exit 1
}

# Default output file
if { $file == "" } {
    # Suffix for output file
    set suffix [clock format [clock seconds] -format %Y-%m-%d]
    set file "backup-pan-$host-$suffix.conf"
}

##############################################################################
#
# LIBRARY
#
##############################################################################

# SSH connection: answer the password prompt and wait for the CLI prompt
proc ssh_connect { pass prompt } {
    expect {
        "assword: " {
            send "$pass\r"
            expect {
                "$prompt" { return 0 }
            }
        }
    }
    # timed out (expect's default timeout is 10 seconds)
    return 1
}

# Backup routine
proc backup_conf { file prompt } {
    # Check for file opening with write access
    set fh [open $file w]
    # Set scripting-mode on
    send "set cli scripting-mode on\r"
    expect -- $prompt {
        # Disable pager (| more-like output)
        send "set cli pager off\r"
        expect -- $prompt {
            # Get configuration
            send "show config running\r"
            expect -- $prompt {
                set output $expect_out(buffer)
                # Convert \r\n to \n
                regsub -all "\r" $output "" output
                # Strip first line (the echoed command)
                regsub "^.*show config running\n\n" $output "" output
                # Strip last line (the prompt)
                regsub "\n\n.+$" $output "" output
                # Write content to <output_file>
                puts $fh $output
                close $fh
                return 0
            }
        }
    }
    # Problem during cli commands: do not leak the file handle
    close $fh
    return 1
}

##############################################################################
#
# SCRIPT LOGIC
#
##############################################################################

# "StrictHostKeyChecking no" disables host key verification, so a changed
# or spoofed host key is accepted silently; consider pre-seeding known_hosts
spawn ssh -o "StrictHostKeyChecking no" $user@$host
set ret [ssh_connect $pass $prompt]
if { $ret == 1 } {
    puts "Error connecting to PAN-FW: $user@$host"
    exit 1
}
set ret [backup_conf $file $prompt]
if { $ret == 1 } {
    puts "Error while fetching configuration"
    exit 1
}
exit 0
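Once the expect script runs from cron, the practical question is whether the file it wrote is a complete dump and whether the firewall configuration changed since the last run. The following POSIX shell helpers are an added example, not part of the original post; they assume the curly-brace "show config running" output shown above (starting with "config {" and closing every brace it opens), and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a backup file
# written by backup_paloalto and detect configuration drift between runs.
# Assumes the curly-brace "show config running" format shown above.

# Return 0 when the file looks like a complete PAN-OS configuration dump.
# A truncated dump (for instance when the expect buffer fills up) or an
# empty file left behind by a failed session fails this check.
validate_pan_backup() {
    f="$1"
    [ -s "$f" ] || { echo "$f: empty or missing" >&2; return 1; }
    head -n 1 "$f" | grep -q '^config {' \
        || { echo "$f: does not start with 'config {'" >&2; return 1; }
    opens=$(tr -cd '{' < "$f" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$f" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ] \
        || { echo "$f: unbalanced braces ($opens vs $closes), truncated?" >&2; return 1; }
    return 0
}

# Compare today's dump with the previous one. Returns 0 when unchanged (or
# when there is no previous dump to compare with), 2 when the configuration
# changed, 1 when the new dump is not a valid backup.
compare_with_previous() {
    new="$1"
    old="$2"
    validate_pan_backup "$new" || return 1
    [ -f "$old" ] || { echo "no previous backup for $new, nothing to compare"; return 0; }
    if cmp -s "$old" "$new"; then
        echo "$new: no change since $old"
        return 0
    fi
    echo "$new: configuration changed since $old (first differences):"
    # Show only the added/removed lines so the cron mail stays readable
    diff "$old" "$new" | grep '^[<>]' | head -n 20
    return 2
}

# Example cron usage (constructed): back up, then compare with the newest
# earlier dump for the same host.
#   ./backup_paloalto.sh fw1 admin "$PASS"
#   prev=$(ls backup-pan-fw1-*.conf | sort | tail -n 2 | head -n 1)
#   compare_with_previous "backup-pan-fw1-$(date +%F).conf" "$prev"
```

A return code of 2 is a cheap change-detection signal: a firewall whose running config changed outside a planned change window deserves a look.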

Easy? Romio
