'set' Based OS Remediations #125

jtdub · 2024-01-13T03:33:46Z

fixes #103

"set" based operating systems can now be remediated in experimental capacity. Here is an example of a JunOS style remediation.

$ cat ./tests/fixtures/running_config_flat_junos.confset system host-name aggr-example.rtr

set firewall family inet filter TEST term 1 from source-address 10.0.0.0/29
set firewall family inet filter TEST term 1 then accept

set vlans switch_mgmt_10.0.2.0/24 vlan-id 2
set vlans switch_mgmt_10.0.2.0/24 l3-interface irb.2

set vlans switch_mgmt_10.0.4.0/24 vlan-id 3
set vlans switch_mgmt_10.0.4.0/24 l3-interface irb.3

set interfaces irb unit 2 family inet address 10.0.2.1/24
set interfaces irb unit 2 family inet description "switch_10.0.2.0/24"
set interfaces irb unit 2 family inet disable

set interfaces irb unit 3 family inet address 10.0.4.1/16
set interfaces irb unit 3 family inet filter input TEST
set interfaces irb unit 3 family inet mtu 9000
set interfaces irb unit 3 family inet description "switch_mgmt_10.0.4.0/24"


$ python3
Python 3.8.10 (default, Nov 22 2023, 10:22:35) 
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import yaml
>>> from hier_config import Host
>>>
>>> host = Host('example.rtr', 'junos')
>>> 
>>> # Build Hierarchical Configuration object for the Running Config
>>> host.load_running_config_from_file("./tests/fixtures/running_config_flat_junos.conf")
>>> 
>>> # Build Hierarchical Configuration object for the Generated Config
>>> host.load_generated_config_from_file("./tests/fixtures/generated_config_flat_junos.conf")
>>> 
>>> # Build and Print the all lines of the remediation config
>>> print(host.remediation_config_filtered_text({}, {}))
delete vlans switch_mgmt_10.0.4.0/24 vlan-id 3
delete vlans switch_mgmt_10.0.4.0/24 l3-interface irb.3
delete interfaces irb unit 2 family inet disable
delete interfaces irb unit 3 family inet address 10.0.4.1/16
delete interfaces irb unit 3 family inet description "switch_mgmt_10.0.4.0/24"
set vlans switch_mgmt_10.0.3.0/24 vlan-id 3
set vlans switch_mgmt_10.0.3.0/24 l3-interface irb.3
set vlans switch_mgmt_10.0.4.0/24 vlan-id 4
set vlans switch_mgmt_10.0.4.0/24 l3-interface irb.4
set interfaces irb unit 2 family inet filter input TEST
set interfaces irb unit 2 family inet mtu 9000
set interfaces irb unit 3 family inet address 10.0.3.1/16
set interfaces irb unit 3 family inet description "switch_mgmt_10.0.3.0/24"
set interfaces irb unit 4 family inet address 10.0.4.1/16
set interfaces irb unit 4 family inet filter input TEST
set interfaces irb unit 4 family inet mtu 9000
set interfaces irb unit 4 family inet description "switch_mgmt_10.0.4.0/24"

Configurations loaded into Hier Config as Juniper-style syntax are converted to a flat set based configuration format. Remediations are then rendered using this set style syntax.

$ cat ./tests/fixtures/running_config_junos.conf 
system {
    host-name aggr-example.rtr;
}

firewall {
    family inet {
        filter TEST {
            term 1 {
                from {
                    source-address 10.0.0.0/29;
                }
                then {
                    accept;
                }
            }
        }
    }
}

vlans {
    switch_mgmt_10.0.2.0/24 {
        vlan-id 2;
        l3-interface irb.2;
    }
    switch_mgmt_10.0.4.0/24 {
        vlan-id 3;
        l3-interface irb.3;
    }
}

interfaces {
    irb {
        unit 2 {
            family inet {
                address 10.0.2.1/24;
                description "switch_10.0.2.0/24";
                disable;
            }
        }
        unit 3 {
            family inet {
                address 10.0.4.1/16;
                filter {
                    input TEST;
                }
                mtu 9000;
                description "switch_mgmt_10.0.4.0/24";
            }
        }
    }
}

$ python3
Python 3.8.10 (default, Nov 22 2023, 10:22:35) 
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import yaml
>>> from hier_config import Host
>>> 
>>> host = Host('example.rtr', 'junos')
>>> 
>>> # Build Hierarchical Configuration object for the Running Config
>>> host.load_running_config_from_file("./tests/fixtures/running_config_junos.conf")
>>> 
>>> # Build Hierarchical Configuration object for the Generated Config
>>> host.load_generated_config_from_file("./tests/fixtures/generated_config_junos.conf")
>>> 
>>> # Build and Print the all lines of the remediation config
>>> print(host.remediation_config_filtered_text({}, {}))
delete vlans switch_mgmt_10.0.4.0/24 vlan-id 3
delete vlans switch_mgmt_10.0.4.0/24 l3-interface irb.3
delete interfaces irb unit 2 family inet description "switch_10.0.2.0/24"
delete interfaces irb unit 2 family inet disable
delete interfaces irb unit 3 family inet address 10.0.4.1/16
delete interfaces irb unit 3 family inet description "switch_mgmt_10.0.4.0/24"
set vlans switch_mgmt_10.0.3.0/24 vlan-id 3
set vlans switch_mgmt_10.0.3.0/24 l3-interface irb.3
set vlans switch_mgmt_10.0.4.0/24 vlan-id 4
set vlans switch_mgmt_10.0.4.0/24 l3-interface irb.4
set interfaces irb unit 2 family inet filter input TEST
set interfaces irb unit 2 family inet mtu 9000
set interfaces irb unit 2 family inet description "switch_mgmt_10.0.2.0/24"
set interfaces irb unit 3 family inet address 10.0.3.1/16
set interfaces irb unit 3 family inet description "switch_mgmt_10.0.3.0/24"
set interfaces irb unit 4 family inet address 10.0.4.1/16
set interfaces irb unit 4 family inet filter input TEST
set interfaces irb unit 4 family inet mtu 9000
set interfaces irb unit 4 family inet description "switch_mgmt_10.0.4.0/24"

Update build python versions Update build python versions Update experimental documentation Update readme and add options for sros and vyos add read the docs black formatting update delete negation rm sros work on junos remediation update per linting rm ; update tests update docs update docs add tests

jeffkala · 2024-01-16T14:30:29Z

Junos does support a edit stanza is the intention to use that in the future? Or always go the route of deleting then doing a new set?
example:

[edit]
user@host# edit protocols ospf area 0.0.0.0 
[edit protocols ospf area 0.0.0.0]
user@host# set interface so-0/0/0 hello-interval 5
[edit protocols ospf area 0.0.0.0]
user@host# delete 
Delete everything under this level? [yes, no] yes 
[edit protocols ospf area 0.0.0.0]
user@host# show
[edit]
user@host#

jtdub · 2024-01-16T15:12:01Z

@jeffkala - Currently, it's set and delete

jtdub marked this pull request as draft January 13, 2024 03:33

jtdub self-assigned this Jan 13, 2024

jtdub requested a review from aedwardstx January 13, 2024 03:41

jtdub changed the title ~~[WIP] JunOS Remediations~~ [WIP] 'set' Based OS Remediations Jan 13, 2024

jtdub marked this pull request as ready for review January 16, 2024 02:42

jtdub changed the title ~~[WIP] 'set' Based OS Remediations~~ 'set' Based OS Remediations Jan 16, 2024

jtdub force-pushed the junos-parse branch from 10ff817 to e982814 Compare January 16, 2024 03:25

update docs for juniper

9426017

jtdub merged commit 8c82375 into master Jan 16, 2024
3 checks passed

jtdub deleted the junos-parse branch January 16, 2024 19:53

Frazew mentioned this pull request Jun 5, 2024

feat(junos): improve _convert_to_set_commands #132

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

'set' Based OS Remediations #125

'set' Based OS Remediations #125

jtdub commented Jan 13, 2024 •

edited

Loading

jeffkala commented Jan 16, 2024

jtdub commented Jan 16, 2024

'set' Based OS Remediations #125

'set' Based OS Remediations #125

Conversation

jtdub commented Jan 13, 2024 • edited Loading

jeffkala commented Jan 16, 2024

jtdub commented Jan 16, 2024

jtdub commented Jan 13, 2024 •

edited

Loading