From be097f65e0e9483a58c9cd9e768db485f6910505 Mon Sep 17 00:00:00 2001
From: Tim Pray
Date: Wed, 4 Apr 2018 22:33:55 -0400
Subject: Rework the Exclusions
---
lib/oxidized/model/fortios.rb | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'lib')
diff --git a/lib/oxidized/model/fortios.rb b/lib/oxidized/model/fortios.rb
index 23370c4..59dffb0 100644
--- a/lib/oxidized/model/fortios.rb
+++ b/lib/oxidized/model/fortios.rb
@@ -15,18 +15,26 @@ class FortiOS < Oxidized::Model end cmd :secret do |cfg| - cfg.gsub! /(set (?:passwd|password|psksecret|secret|key|group-password|secondary-secret|tertiary-secret|auth-password-l1|auth-password-l2|rsso|history0|history1|inter-controller-key ENC|passphrase ENC|login-passwd ENC)).*/, '\\1 ' + # ENC indicated an encrypted password (Hash), so anything starting with set and ending in ENC followed by a string of characters .+ means that there must be at least one character present, which should be a little safter + cfg.gsub! /(set .+ ENC) .+/, '\\1 ' + # Any line starting with "set", containing a string that ends in "secret" also ends with a password or hash. + cfg.gsub! /(set .*secret) .+/, '\\1 ' + # The above two simplify this line + #cfg.gsub! /(set (?:passwd|password|psksecret|secret|key|group-password|secondary-secret|tertiary-secret|auth-password-l1|auth-password-l2|rsso|history0|history1|inter-controller-key ENC|passphrase ENC|login-passwd ENC|auth-pwd ENC|ldap-pwd ENC|priv-pwd ENC|ldap-password ENC)).*/, '\\1 ' + # The remaining secrets to remove + cfg.gsub! /(set (?:passwd|password|key|group-password|auth-password-l1|auth-password-l2|rsso|history0|history1)) .+/, '\\1 ' cfg.gsub! /(set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m , '\\1 ' cfg.gsub! /(set ca ).*-+END CERTIFICATE-*"$/m , '\\1 ' cfg.gsub! /(set csr ).*-+END CERTIFICATE REQUEST-*"$/m , '\\1 ' - cfg.gsub! /(Virus-DB|Extended DB|IPS-DB|IPS-ETDB|APP-DB|INDUSTRIAL-DB|Botnet DB|IPS Malicious URL Database).*/, '\\1 ' - cfg.gsub! /(Cluster uptime:).*/, '\\1 ' + #cfg.gsub! /(Virus-DB|Extended DB|IPS-DB|IPS-ETDB|APP-DB|INDUSTRIAL-DB|Botnet DB|IPS Malicious URL Database).*/, '\\1 ' #Not really secrets, Moved down to get system status + cfg.gsub! /(Cluster uptime:).*/, '\\1 ' cfg end cmd 'get system status' do |cfg| @vdom_enabled = cfg.include? 'Virtual domain configuration: enable' cfg.gsub!(/(System time: )(.*)/, '\1\3') + cfg.gsub! 
/(Virus-DB|Extended DB|IPS-DB|IPS-ETDB|APP-DB|INDUSTRIAL-DB|Botnet DB|IPS Malicious URL Database).*/, '\\1 ' comment cfg end -- cgit v1.2.1 From defdc69f92b3bcf62b1fd3b5ceac63a7a4e637ae Mon Sep 17 00:00:00 2001 From: Wild Kat Date: Sat, 26 May 2018 23:45:33 +0200 Subject: clean up and rubocop compliance --- lib/oxidized/model/fortios.rb | 38 ++++++++++++++++---------------------- 1 file changed, 16 insertions(+), 22 deletions(-) (limited to 'lib') diff --git a/lib/oxidized/model/fortios.rb b/lib/oxidized/model/fortios.rb index 59dffb0..7269568 100644 --- a/lib/oxidized/model/fortios.rb +++ b/lib/oxidized/model/fortios.rb @@ -1,6 +1,5 @@ class FortiOS < Oxidized::Model - - comment '# ' + comment '# ' prompt /^([-\w\.\~]+(\s[\(\w\-\.\)]+)?\~?\s?[#>$]\s?)$/ 
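Review bot: The rewritten catch-all rule in `cmd :secret` is narrower than the line it replaces, and nothing in the commit says whether that is intended. The old pattern ended in `.*` and matched option names by prefix, so an option whose name merely begins with `key`, `password`, `passwd` or `secret` and whose value is not marked `ENC` was masked before; the new `(set (?:passwd|password|key|...)) .+` and `(set .*secret) .+` need a space directly after the listed word and leave such lines untouched. Since a missed line here means a credential is stored in the backup unmasked, I would state the intent above the list, e.g. `# exact option names only; ENC-marked values are handled by the first rule`. The two new rules are also unanchored and greedy, so `set .+ ENC` can match `set` anywhere in a line; `/^(\s*set \S+ ENC) .+/` would match the "line starting with set" wording of the comment, assuming option names never contain spaces.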
@@ -15,18 +14,14 @@ class FortiOS < Oxidized::Model end cmd :secret do |cfg| - # ENC indicated an encrypted password (Hash), so anything starting with set and ending in ENC followed by a string of characters .+ means that there must be at least one character present, which should be a little safter + # ENC indicates an encrypted password, and secret indicates a secret string cfg.gsub! /(set .+ ENC) .+/, '\\1 ' - # Any line starting with "set", containing a string that ends in "secret" also ends with a password or hash. cfg.gsub! /(set .*secret) .+/, '\\1 ' - # The above two simplify this line - #cfg.gsub! /(set (?:passwd|password|psksecret|secret|key|group-password|secondary-secret|tertiary-secret|auth-password-l1|auth-password-l2|rsso|history0|history1|inter-controller-key ENC|passphrase ENC|login-passwd ENC|auth-pwd ENC|ldap-pwd ENC|priv-pwd ENC|ldap-password ENC)).*/, '\\1 ' - # The remaining secrets to remove + # A number of other statements also contains sensitive strings cfg.gsub! /(set (?:passwd|password|key|group-password|auth-password-l1|auth-password-l2|rsso|history0|history1)) .+/, '\\1 ' - cfg.gsub! /(set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m , '\\1 ' - cfg.gsub! /(set ca ).*-+END CERTIFICATE-*"$/m , '\\1 ' - cfg.gsub! /(set csr ).*-+END CERTIFICATE REQUEST-*"$/m , '\\1 ' - #cfg.gsub! /(Virus-DB|Extended DB|IPS-DB|IPS-ETDB|APP-DB|INDUSTRIAL-DB|Botnet DB|IPS Malicious URL Database).*/, '\\1 ' #Not really secrets, Moved down to get system status + cfg.gsub! /(set private-key).*-+END ENCRYPTED PRIVATE KEY-*"$/m, '\\1 ' + cfg.gsub! /(set ca ).*-+END CERTIFICATE-*"$/m, '\\1 ' + cfg.gsub! /(set csr ).*-+END CERTIFICATE REQUEST-*"$/m, '\\1 ' cfg.gsub! /(Cluster uptime:).*/, '\\1 ' cfg end 
@@ -43,21 +38,21 @@ class FortiOS < Oxidized::Model cfg << cmd('config global') if @vdom_enabled cfg << cmd('get hardware status') do |cfg| - comment cfg + comment cfg end - #default behaviour: include autoupdate output (backwards compatibility) - #do not include if variable "show_autoupdate" is set to false - if defined?(vars(:fortios_autoupdate)).nil? || vars(:fortios_autoupdate) - cfg << cmd('diagnose autoupdate version') do |cfg| - cfg.gsub! /(FDS Address\n---------\n).*/, '\\1IP Address removed' - comment cfg.each_line.reject { |line| line.match /Last Update|Result/ }.join - end + # default behaviour: include autoupdate output (backwards compatibility) + # do not include if variable "show_autoupdate" is set to false + if defined?(vars(:fortios_autoupdate)).nil? || vars(:fortios_autoupdate) + cfg << cmd('diagnose autoupdate version') do |cfg| + cfg.gsub! /(FDS Address\n---------\n).*/, '\\1IP Address removed' + comment cfg.each_line.reject { |line| line.match /Last Update|Result/ }.join + end end -cfg << cmd('end') if @vdom_enabled + cfg << cmd('end') if @vdom_enabled - cfg << cmd('show full-configuration') + cfg << cmd('show full-configuration | grep .') cfg.join "\n" end @@ -69,5 +64,4 @@ cfg << cmd('end') if @vdom_enabled cfg :telnet, :ssh do pre_logout "exit\n" end - end -- cgit v1.2.1
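Review bot: The re-indented condition `defined?(vars(:fortios_autoupdate)).nil? || vars(:fortios_autoupdate)` does not implement the default described in the comment above it. `defined?` on a method call reports whether the method exists without calling it, so the left side is false whenever `vars` is available, and an unset variable skips the autoupdate block instead of including it. `if vars(:fortios_autoupdate) != false` would match the comment, which also names the variable `show_autoupdate` rather than `fortios_autoupdate`. Separately, the last changed line turns `show full-configuration` into `show full-configuration | grep .`, which changes what is collected and is not mentioned in a commit titled as clean-up; it deserves its own commit or a line in the description. The enclosing block starts above this hunk, so how `cfg` is built before this point is not visible here.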