Possibility to audit/compare configuration changes on the Ironport?

jacksbox1
Level 1

Hello,

 

We have 2 Ironport S370 devices and multiple administrators of the devices.

Does anyone know of a tool which might help us audit/compare the changes that each administrator makes? Changes to Access Policies and Custom URL categories in particular.

 

Thanks!

7 Replies

You can always export current config to xml and compare it with older xml configuration file with diff or similar application (notepad++ with compare plugin).

To automate this procedure maybe rancid could be modified in such a way to support collecting ironport's config file. I haven't tried it yet, but I'll do it tomorrow.

This script may help you: it creates a configuration file, transfers it via FTP and sends the diff between the two latest config files to your email address:

#!/bin/bash

ironporthost="192.168.42.42"
ironportuser="admin"
ironportpass="password"

configdir="/home/ironport/backups"

emailalert="yourname@domain.tld"
emailsubject="Ironport Config Diff"

pathtosshpass="/usr/bin"
pathtossh="/usr/bin"
pathtolftp="/usr/bin"
pathtomail="/usr/bin"

# create new config file on the appliance
"${pathtosshpass}/sshpass" -p "${ironportpass}" "${pathtossh}/ssh" -l "${ironportuser}" "${ironporthost}" "saveconfig 0"

# fetch configuration files (mget -E removes each file from the appliance once it is downloaded)
cd "${configdir}" || exit 1
"${pathtolftp}/lftp" -u "${ironportuser}","${ironportpass}" -e "mget -E /configuration/*xml && exit" "${ironporthost}"

# send diff of 2 latest files; $files stays unquoted on purpose so diff receives two file arguments
files=$(ls -t *.xml | head -2)
configdiff=$(diff $files)

# quote the diff so its line breaks survive into the mail body
echo "${configdiff}" | "${pathtomail}/mail" -s "${emailsubject}" "${emailalert}"

 

That's very useful! I'll give it a try.

 

Thanks Jernej.

You're most welcome. Please let me know how useful the script is for you.

Hi Jernej,

I used your script and made some slight modifications for my environment. Not a bash expert by any means, so forgive my mess.

- support multiple ironport devices by having a list of proxies stored in a text file

- only diff the config of the M160 device

- ignore the 'Current Time' line inside the config file, and send a notice even when there are no changes

 

Here it is:

#!/bin/bash

ironporthostlist=/opt/scripts/ironport/proxies
ironportuser="admin"
ironportpass="PASSWORD"

configdir="/opt/scripts/ironport/configs"

emailalert="email@email.com"
emailsubject="Ironport M160 Config Diff"

pathtosshpass="/usr/bin"
pathtossh="/usr/bin"
pathtolftp="/usr/bin"
pathtomail="/bin"

# create new config file on every appliance listed in the host file (one host per line)
for i in $(cat "${ironporthostlist}") ; do
    "${pathtosshpass}/sshpass" -p "${ironportpass}" "${pathtossh}/ssh" -l "${ironportuser}" "$i" "saveconfig 0"
done

# fetch configuration files from every appliance (mget -E removes them from the appliance after download)
cd "${configdir}" || exit 1
for i in $(cat "${ironporthostlist}") ; do
    "${pathtolftp}/lftp" -u "${ironportuser}","${ironportpass}" -e "mget -E /configuration/*xml && exit" "$i"
done

# protect config files: mode 600 on the files only, so the directory keeps its execute bit and stays readable
chmod 600 "${configdir}"/*.xml

# send diff of 2 latest M160 files; -I skips the timestamp line so it never counts as a change
files=$(ls -t M160-*.xml | head -2)
configdiff=$(diff -I "Current Time:" $files)

if [ -z "${configdiff}" ]; then
    configdiff="No changes"
fi

# quote the diff so its line breaks survive into the mail body
echo "${configdiff}" | "${pathtomail}/mail" -s "${emailsubject}" "${emailalert}"
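The comparison step of the scripts in this thread, as an added example that is not code from either poster: it picks the two newest exports for one appliance, ignores the "Current Time:" line, and also handles what the scripts above do not (fewer than two exports present, a diff error rather than a difference). The function names, the <prefix>-*.xml naming and the sample file contents are assumptions; the saveconfig and lftp steps are not repeated here.

```shell
#!/bin/bash
# Hypothetical helper: compare the two newest <prefix>-*.xml exports in DIR.
# Returns 0 after printing the diff or "No changes", 2 when fewer than two
# exports exist, 1 when diff itself fails. File names are assumed to have no spaces.
latest_config_diff() {
    dir="$1"
    prefix="$2"
    # newest two matching files by modification time (glob unquoted on purpose)
    set -- $(ls -t "${dir}/${prefix}"-*.xml 2>/dev/null | head -2)
    if [ "$#" -lt 2 ]; then
        echo "Need two config files for ${prefix} in ${dir}, found $#"
        return 2
    fi
    newest="$1"
    previous="$2"
    # diff exits 1 when files differ and 2 on error; capture the status so a
    # harmless "files differ" never trips set -e in a calling script
    rc=0
    out=$(diff -I 'Current Time:' "${previous}" "${newest}") || rc=$?
    if [ "${rc}" -gt 1 ]; then
        echo "diff failed comparing ${previous} and ${newest}" >&2
        return 1
    fi
    if [ -z "${out}" ]; then
        echo "No changes between ${previous} and ${newest}"
    else
        echo "Changes in ${newest} relative to ${previous}:"
        echo "${out}"
    fi
    return 0
}

# Constructed sample exports (not real appliance output): the newer one adds a
# policy line, and both carry a different timestamp that must be ignored.
demo_config_diff() {
    tmp=$(mktemp -d)
    printf 'Current Time: Mon Jan  1 00:00:00 2024\n<policy name="Default"/>\n' > "${tmp}/M160-old.xml"
    printf 'Current Time: Tue Jan  2 00:00:00 2024\n<policy name="Default"/>\n<policy name="Block-Social"/>\n' > "${tmp}/M160-new.xml"
    touch -t 202401010000 "${tmp}/M160-old.xml"   # force an unambiguous mtime order
    touch -t 202401020000 "${tmp}/M160-new.xml"
    latest_config_diff "${tmp}" M160
    rm -rf "${tmp}"
}

demo_config_diff
```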

 

Great! Thanks for feedback!

AsyncOS 9.0 brings a new cool feature: ssh public key authentication.

So you can optimize the script to run ssh command with native ssh client using just public key authentication, without hardcoding user's password to a script.

Just generate private and public key files using ssh-keygen (ssh-keygen -t rsa -b 2048) on a linux machine and configure the ssh server on the ironport (CLI->sshconfig->userkey->new and copy-paste the content of the file containing the public key).

Then you can run remote command just by executing 'ssh admin@ironport.domain.tld command' on a linux machine.