ACL Analyzer Script Post: 302174305

Sponsored Content

Top Forums Shell Programming and Scripting ACL Analyzer Script Post 302174305 by Okema on Monday 10th of March 2008 05:31:58 PM

03-10-2008

Registered User

ACL Analyzer Script

Hello,

I am trying to make a bash script that will analyze and document Cisco (router) ACLs that will output a file with the source, destination, protocol, and ports (ports of the destination only) into a text file. The whole reason why all our current ACLs need to be documented is because we are moving over to state full firewalls (PIX), which means you don't need to state anything that was already established. I would also like to keep the remark lines and add that in output along with everything else, but I could probably do that myself once I get an idea about how to approach this. Assuming I get this script done, I could then just hand the output over to the firewall team and they can take it from there.

Example (IPs changed for confidentiality):
permit tcp host x.x.x.x eq smtp y.y.y.y 0.0.0.31 gt 1023 established
permit tcp host x.x.x.x eq 5308 y.y.y.y 0.0.0.31 gt 1023 established
permit tcp host x.x.x.x eq 6802 y.y.y.y 0.0.0.31 gt 1023 established
permit tcp x.x.x.x 0.0.0.31 eq 2049 y.y.y.y 0.0.0.31
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq smtp
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq 5308
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq 6802
permit tcp x.x.x.x 0.0.0.31 y.y.y.y 0.0.0.31 eq 2049

The first four aren't need while the last four are.

Now that you know what I'm trying to do, I'll explain my problem... I'm not too sure where to start and what is the best method for something like this. There are several different types of ACL lines such as:

permit protocol src mask dest mask
permit protocol any desk mask
permit protocol src mask any
permit protocol any any
permit protocol src mask port dest mask port
permit protocol src mask port dest mask portrange
etc...

Anyone have any ideas about how to start a task like this? Or even the way the looping structure should be or the commands I should use? I've been documenting each ACL I have by hand and I have thousands, so I figured that a script would be the best way to tackle this. I do have experience in BASH scripting, although my knowledge of commands such as awk, grep, and many others I probably don't even know about, is very limited.

What I had in mind was to set the spaces as delimiters and set each token as a variable, but that's all I thought up of and I'm not really sure even how to do that.

So to sum it all up this is what I hope to accomplish:
- To input a text file of (hopefully) all the ACLs in one (as in the show run command on Cisco routers, same output, the whole ACL section pasted in a text file).
- To be able to get rid of the lines that isn't needed when converting from ACL to state full firewall. This might be easier to this part last, although I'll wait and see what comes up before I decide anything.
- To output to a text file to something that's easy to read.

Thank you

Okema

View Public Profile for Okema

Find all posts by Okema

7 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

multiple website traffic analyzer

Hello everybody, I'm hosting several websites on the same server using apache virtual hosting: ~$ tail /etc/apache2/sites-available/default <VirtualHost *> ServerName website1.mydomain.com DocumentRoot /var/www/website1 </VirtualHost> <VirtualHost *> ServerName...

2. Shell Programming and Scripting

Script to find/apply Solaris 10 ACL's

This may be a question for a different forum, but as I will need a script I thought I would start here. We recently migrated from Solaris 8 to Solaris 10. The file system in question here is ZFS, meaning the method for listing and applying ACL's has changed dramatically. To make a long story...

3. HP-UX

HP UX Syslog Analyzer

Hi everybody I need to analyze syslog file in HP UX Is there any log analayzer for this file? Regards

4. Solaris

[REQ] tool analyzer for /var/adm/messages

hi all, i am trying to find a tool to analyze the var/adm/messages. is there any? thanks, Mahm.

5. Solaris

graphical diskspace analyzer

Hi all, recently I took over the admin task for a solaris 5.10 machine. Being a little bit familiar with debian systems Solaris is up to now a complete mystery to me. The first thing I would like to have is a graphical diskspace analyzer. I mean something like BaoBab under gnome. I there a...

6. IP Networking

Best iptables log analyzer?

Hello all, i want to view my iptables log on web interface, with chart (in option, and this is not my priority). What is the best program for this? I have Ubuntu server. Thanks ! :)

7. Infrastructure Monitoring

Centralized linux system log analyzer?!

Hello everyone! I`m searching for linux log parser application. I already find some ways, but the best looks logzilla. Requirements: Web interface for viewing Filtering in web Notifications in web or email Open source Support linux system logs, custom logs and apache logs. I will...

LEARN ABOUT OPENSOLARIS

facl_get

acl_get(3SEC)					       File Access Control Library Functions					     acl_get(3SEC)

NAME

       acl_get, facl_get, acl_set, facl_set - get or set a file's Access Control List (ACL)

SYNOPSIS

       cc [ flag... ] file... -lsec [ library... ]
       #include <sys/acl.h>

       int *acl_get(const char *path, int flag, acl_t **aclp);

       int *facl_get(int fd, int flag, acl_t **aclp);

       int acl_set(const char *path, acl_t *aclp);

       int facl_set(int fd, acl_t *aclp);

DESCRIPTION

       The  acl_get()  and  facl_get()	functions retrieve an Access Control List (ACL) of a file whose name is given by path or referenced by the
       open file descriptor fd. The flag argument specifies whether a trivial ACL should be retrieved. When the flag argument  is  ACL_NO_TRIVIAL,
       only ACLs that are not trivial will be retrieved. The ACL is returned in the aclp argument.

       The  acl_set()  and  facl_set()	functions are used for setting an ACL of a file whose name is given by path or referenced by the open file
       descriptor fd. The aclp argument specifies the ACL to set.

       The acl_get() and acl_set() functions support multiple types of ACLs.  When possible, the acl_set() function translates an ACL to the  tar-
       get  file's style of ACL. Currently this is only possible when translating from a POSIX-draft ACL such as on UFS to a file system that sup-
       ports NFSv4 ACL semantics such as ZFS or NFSv4.

RETURN VALUES

       Upon successful completion, acl_get() and facl_get() return 0 and aclp is non-NULL. The aclp argument can be NULL after successful  comple-
       tion  if  the  file  had a trivial ACL and the flag argument was ACL_NO_TRIVIAL. Otherwise, -1 is returned and errno is set to indicate the
       error.

       Upon successful completion, acl_set() and facl_set() return 0. Otherwise, -1 is returned and errno is set to indicate the error.

ERRORS

       These functions will fail if:

       EACCES	  The caller does not have access to a component of path.

       EIO	  A disk I/O error has occured while retrieving the ACL.

       ENOENT	  A component of the path does not exist.

       ENOSYS	  The file system does not support ACLs.

       ENOTSUP	  The ACL supplied could not be translated to an NFSv4 ACL.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+
       |MT-Level		     |MT-Safe			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       chmod(1), acl(2), acl(5), attributes(5)

SunOS 5.11							    6 Oct 2005							     acl_get(3SEC)