Here's a simple SLAX commit script that expects a minimum set of Junos configuration items. If any of these items is missing, the commit fails.
This helps if someone does an accidental "delete" at a top-level hierarchy. It is a good practice when you have numerous admins and do not want them to delete critical parts of the Junos configuration. You have to add the parts of the configuration that must be present.
kfelix@HOMESRX> file show protection.slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

param $user;

/* Alerts on missing or forbidden configuration items */
match configuration {
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet/address, $statement = "interfaces lo0 unit 0 family inet address");
    call error-if-present($must = interfaces/interface[name == "lo0"]/disable | interfaces/interface[name == "lo0"]/unit[name == "0"]/disable);
    call error-if-present($must = security/policies/default-policy/permit-all) {
        with $message = {
            expr $user;
            expr ", we do not want to enable permit-all. This overrides the default action of a firewall, which is to implicitly deny all unless permitted.";
        }
    }
    /* check for my mandatory admin users */
    call error-if-missing($must = system/login/user[name == "fwadmin1"], $statement = "missing a critical local admin account");
    call error-if-missing($must = system/login/user[name == "fsocadmin1"], $statement = "missing a critical local admin account");
    /* check for missing system syslog */
    call error-if-missing($must = system/syslog, $statement = "missing syslog config");
    call error-if-missing($must = protocols/bgp, $statement = "protocols bgp");
    call error-if-missing($must = protocols/ospf, $statement = "protocols ospf");
    call error-if-missing($must = protocols/ospf3, $statement = "protocols ospf3");
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet6/address, $statement = "interfaces lo0 unit 0 family inet6 address");
    call error-if-missing($must = routing-options, $statement = "[edit routing-options]") {
        with $message = {
            expr "The [edit routing-options] is missing !!! ";
        }
    }
}

/* Raise a commit error when the node set in $must is empty */
template error-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
    if (not($must)) {
        <xnm:error> {
            <edit-path> {
                copy-of $statement;
            }
            <message> {
                copy-of $message;
            }
        }
    }
}

/* Raise a commit error for every node in $must that is present */
template error-if-present ($must = 1, $message = "invalid configuration statement") {
    for-each ($must) {
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> {
                copy-of $message;
            }
        }
    }
}
You just add the critical parts to the checks, matching what you expect to be installed on the SRX firewall, and give it a test run:
kfelix@HOMESRX> configure
Entering configuration mode
[edit]
kfelix@HOMESRX# delete routing-options
[edit]
kfelix@HOMESRX# commit check
[edit routing-options]
The [edit routing-options] is missing !!!
error: 1 error reported by commit scripts
error: commit script failure
[edit]
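As an added example (not part of the original script), here is an offline pre-check in Python that applies the same presence/absence rules to an exported Junos configuration (`show configuration | display xml`), so new rules can be tried out before the script is loaded on the SRX. The XPath predicates use ElementTree syntax (`name='lo0'`) rather than SLAX's (`name == "lo0"`), and the sample configuration below is constructed.

```python
"""Offline pre-check of the protection.slax rules against an exported Junos
configuration. Example code, not part of the original commit script."""
import xml.etree.ElementTree as ET

# Rules mirrored from protection.slax (subset):
# (xpath relative to <configuration>, statement for the report, must_be_present)
RULES = [
    ("interfaces/interface[name='lo0']/unit[name='0']/family/inet/address",
     "interfaces lo0 unit 0 family inet address", True),
    ("interfaces/interface[name='lo0']/disable", "interfaces lo0 disable", False),
    ("security/policies/default-policy/permit-all",
     "security policies default-policy permit-all", False),
    ("system/login/user[name='fwadmin1']", "missing a critical local admin account", True),
    ("system/syslog", "missing syslog config", True),
    ("routing-options", "[edit routing-options]", True),
]


def check_config(xml_text, rules=RULES):
    """Return a list of error strings; an empty list means the config would pass."""
    root = ET.fromstring(xml_text)
    # Accept either a bare <configuration> or the <rpc-reply> wrapper around it
    conf = root if root.tag == "configuration" else root.find(".//configuration")
    if conf is None:
        return ["no <configuration> element found"]
    errors = []
    for xpath, statement, must_exist in rules:
        found = conf.findall(xpath)
        if must_exist and not found:
            errors.append(f"missing: {statement}")
        elif not must_exist and found:
            errors.append(f"not allowed: {statement}")
    return errors


# Constructed sample: lo0 and fwadmin1 present, routing-options deleted, permit-all enabled
SAMPLE = """<configuration>
  <interfaces><interface><name>lo0</name><unit><name>0</name>
    <family><inet><address><name>10.0.0.1/32</name></address></inet></family>
  </unit></interface></interfaces>
  <system><login><user><name>fwadmin1</name></user></login><syslog/></system>
  <security><policies><default-policy><permit-all/></default-policy></policies></security>
</configuration>"""

if __name__ == "__main__":
    for err in check_config(SAMPLE):
        print(err)
```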
Ken Felix