Oxidized

Installation using docker

Clone git repo

git clone https://github.com/ytti/oxidized

Build container locally

docker build -q -t oxidized:latest oxidized/

Create a configuration directory

mkdir /etc/oxidized

Run the container for the first time to initialize the config or copy config file over to configuration directory:

docker run --rm -v /etc/oxidized:/root/.config/oxidized -p 8888:8888/tcp -t oxidized:latest

Create the /etc/oxidized/router.db (see CSV Source for further info)

Run container again with new configuration

docker run -v /etc/oxidized:/root/.config/oxidized -p 8888:8888/tcp -t oxidized:latest

Run container with reloaded configuration frequently

docker run -v /etc/oxidized:/root/.config/oxidized -p 8888:8888/tcp -e CONFIG_RELOAD_INTERVAL=3600 -t oxidized:latest

Some issues

Container can’t boot due to a server is already running

Container can’t run due to oxidized | A server is already running. Check /root/.config/oxidized/pid
Reason: a pid file is existed in oxidized configuration folder
Temporary Solution: remove pid file and start container again
Permanent Solution: create a script file to remove pid file before running oxidized and run it as startup script

/etc/oxidized/startup.sh on host
#!/bin/sh
rm /root/.config/oxidized/pid
oxidized

Then
chmod 755 /etc/oxidized/startup.sh

To run oxidized container with this script
docker run -it --name oxidized -v /etc/oxidized:/root/.config/oxidized -v /etc/localtime:/etc/localtime:ro -p 8888:8888/tcp -t oxidized:latest /root/.config/oxidized/startup.sh

Creating and Extending Model

Extending model to support CheckPoint Gaia OS SP

Create a file named: /etc/oxidized/model/gaiossp.rb with content

class GaiaOSSP < Oxidized::Model
  # CheckPoint - Gaia OS Model

  # Gaia Prompt
  prompt /^([\[.*\]\s\w.@:-]+[#>]\s?)$/

  # Comment tag
  comment  '# '

  cmd :all do |cfg|
    cfg.cut_both
  end

  cmd :secret do |cfg|
    cfg.gsub! /^(set expert-password-hash ).*/, '\1<EXPERT PASSWORD REMOVED>'
    cfg.gsub! /^(set user \S+ password-hash ).*/, '\1<USER PASSWORD REMOVED>'
    cfg.gsub! /^(set ospf .* secret ).*/, '\1<OSPF KEY REMOVED>'
    cfg.gsub! /^(set snmp community )(.*)( read-only.*)/, '\1<SNMP COMMUNITY REMOVED>\3'
    cfg.gsub! /^(add snmp .* community )(.*)(\S?.*)/, '\1<SNMP COMMUNITY REMOVED>\3'
    cfg.gsub! /(auth|privacy)(-pass-phrase-hashed )(\S*)/, '\1-pass-phrase-hashed <SNMP PASS-PHRASE REMOVED>'
    cfg
  end

  cmd 'set clienv rows 0' do |cfg|
    comment cfg
  end

  cmd 'show version all' do |cfg|
    comment cfg
  end

  cmd 'show configuration' do |cfg|
    cfg.gsub! /^# Exported by \S+ on .*/, '# '
    cfg
  end

  cfg :ssh do
    # User shell must be /etc/cli.sh
    post_login 'set config-lock on override'
    pre_logout 'exit'
  end
end

Extending FortiOS Model to support FortiManager and FortiAnalyzer

Create a file named: /etc/oxidized/model/fortiman.rb with content

class FortiMAN < Oxidized::Model
  comment '# '

  prompt /^([-\w.~]+(\s[(\w\-.)]+)?~?\s?[#>$]\s?)$/

  expect /^--More--\s$/ do |data, re|
    send ' '
    data.sub re, ''
  end

  cmd :all do |cfg, cmdstring|
    new_cfg = comment "COMMAND: #{cmdstring}\n"
    new_cfg << cfg.each_line.to_a[1..-2].map { |line| line.gsub(/(conf_file_ver=)(.*)/, '\1<stripped>\3') }.join
  end

  cmd :secret do |cfg|
    # ENC indicates an encrypted password, and secret indicates a secret string
    cfg.gsub! /(set .+ ENC) .+/, '\\1 <configuration removed>'
    cfg.gsub! /(set .*secret) .+/, '\\1 <configuration removed>'
    # A number of other statements also contains sensitive strings
    cfg.gsub! /(set (?:passwd|password|key|group-password|auth-password-l1|auth-password-l2|rsso|history0|history1)) .+/, '\\1 <configuration removed>'
    cfg.gsub! /(set md5-key [0-9]+) .+/, '\\1 <configuration removed>'
    cfg.gsub! /(set private-key ).*?-+END (ENCRYPTED|RSA|OPENSSH) PRIVATE KEY-+\n?"$/m, '\\1<configuration removed>'
    cfg.gsub! /(set ca ).*?-+END CERTIFICATE-+"$/m, '\\1<configuration removed>'
    cfg.gsub! /(set csr ).*?-+END CERTIFICATE REQUEST-+"$/m, '\\1<configuration removed>'
    cfg
  end


  post do
    cfg = []

    cfg << cmd('get system status') do |cfg_hw|
      comment cfg_hw
    end

    cfg << cmd('show')
    cfg.join "\n"
  end

  cfg :telnet do
    username /login:/
    password /^Password:/
  end

  cfg :telnet, :ssh do
    pre_logout "exit\n"
  end
end

Reference

https://github.com/ytti/oxidized
https://packetpushers.net/install-oxidized-network-configuration-backup/
https://codingpackets.com/blog/oxidized-getting-started/

PreviousOpenVPN NextRancid

Last updated 2 years ago

hashtagInstallation using docker

hashtagClone git repo

hashtagBuild container locally

hashtagCreate a configuration directory

hashtagRun the container for the first time to initialize the config or copy config file over to configuration directory:

hashtagRun container again with new configuration

hashtagRun container with reloaded configuration frequently

hashtagSome issues

hashtagContainer can’t boot due to a server is already running

hashtagCreating and Extending Model

hashtagExtending model to support CheckPoint Gaia OS SP

hashtagExtending FortiOS Model to support FortiManager and FortiAnalyzer

hashtagReference

Installation using docker

Clone git repo

Build container locally

Create a configuration directory

Run the container for the first time to initialize the config or copy config file over to configuration directory:

Run container again with new configuration

Run container with reloaded configuration frequently

Some issues

Container can’t boot due to a server is already running

Creating and Extending Model

Extending model to support CheckPoint Gaia OS SP

Extending FortiOS Model to support FortiManager and FortiAnalyzer

Reference