■Fortigateのコンフィグセクションを検索するfsecを作ってみる。
以下lsecのfortigate版があると便利だと思ったので。
https://github.com/labunix/lsec
■Fortigateのコンフィグを取得
$ ssh admin@172.31.31.XXX "show" > sample.conf
■configとeditをセクションとして、改行を「__」に変換することで行検索を可能にする。
その後、「line=」で元のファイルの行数を表示して該当セクションを出力する。
$ awk 'BEGIN{c=0} \
{if($0 ~ /config/){c++;b[c]=NR}else{if($0 ~ / edit/){c++;b[c]=NR}}} \
{a[c]=a[c]"__"$0} \
END{for(n=0;n<=c;n++){if(a[n] ~ /DMZ-RDP/){gsub("__","\n",a[n]);print "line="b[n],a[n]}}}' sample.conf
line=2921
edit "DMZ-RDP"
set uuid 56837de6-7bb4-51ea-fa32-431b9167bd17
set extip 192.168.102.101
set extintf "dmz"
set portforward enable
set mappedip "172.31.31.92"
set extport 8389
set mappedport 3389
next
end
line=3448
edit 15
set name "dmz-rdp"
set uuid 69cd7adc-7bb4-51ea-167c-11d04007c680
set srcintf "dmz"
set dstintf "lan"
set srcaddr "dmz-seg"
set dstaddr "DMZ-RDP"
set action accept
set schedule "always"
set service "RDP"
set logtraffic all
next
■上記の変数となるのが、ファイル名と検索ワードなので、
必要な引数がなければ以下のようにエラーを出すことにする。
$ ./fsec ;echo $?
Usage:./fsec {filename} {search word}
1
$ ./fsec sample.conf ;echo $?
Usage:./fsec {filename} {search word}
1
■文法が合っていても、ファイルが存在しなければエラー。
$ ./fsec sample.config test ;echo $?
Usage:./fsec {filename} {search word}
1
■sample.confから、DMZ-RDPを検索する例。
$ ./fsec sample.conf DMZ-RDP
line=2921
edit "DMZ-RDP"
set uuid 56837de6-7bb4-51ea-fa32-431b9167bd17
set extip 192.168.102.101
set extintf "dmz"
set portforward enable
set mappedip "172.31.31.92"
set extport 8389
set mappedport 3389
next
end
line=3448
edit 15
set name "dmz-rdp"
set uuid 69cd7adc-7bb4-51ea-167c-11d04007c680
set srcintf "dmz"
set dstintf "lan"
set srcaddr "dmz-seg"
set dstaddr "DMZ-RDP"
set action accept
set schedule "always"
set service "RDP"
set logtraffic all
next
■config firewall vipの行数を検索。
grep等でも代用できるけど、いちいちやり方を変えるのも面倒なので。
$ ./fsec sample.conf config firewall vip
line=2909
config firewall vip
■tcp-portrange 445の検索、続けてSMBの検索。
$ ./fsec sample.conf tcp-portrange 445
line=1272
edit "SMB"
set category "File Access"
set tcp-portrange 445
next
$ ./fsec sample.conf SMB
line=1272
edit "SMB"
set category "File Access"
set tcp-portrange 445
next
line=1318
edit "Windows AD"
set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
next
■Windows ADの一部がどこにあるかor検索。
$ ./fsec sample.conf "DCE-RPC|KERBEROS|LDAP|SAMBA"
line=1015
edit "LDAP"
set category "Authentication"
set tcp-portrange 389
next
line=1076
edit "DCE-RPC"
set category "Remote Access"
set tcp-portrange 135
set udp-portrange 135
next
line=1130
edit "SAMBA"
set category "File Access"
set tcp-portrange 139
next
line=1263
edit "KERBEROS"
set category "Authentication"
set tcp-portrange 88 464
set udp-portrange 88 464
next
line=1268
edit "LDAP_UDP"
set category "Authentication"
set udp-portrange 389
next
line=1318
edit "Windows AD"
set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
next
line=1321
edit "Exchange Server"
set member "DCE-RPC" "DNS" "HTTPS"
next
end
■作ったfsec
$ w3m -dump https://raw.githubusercontent.com/labunix/lsec/master/fsec
if [ -f "$1" ] && [ $# -gt 1 ];then
FILE=$1
shift
WORD="$@"
awk -v word="$WORD" \
'BEGIN{c=0} \
{if($0 ~ /config/){c++;b[c]=NR} \
else{if($0 ~ / edit/){c++;b[c]=NR}}} \
{a[c]=a[c]"__"$0} \
END{for(n=0;n<=c;n++) \
{if(a[n] ~ word){gsub("__","\n",a[n]);print "line="b[n],a[n]}}}' $FILE
else
echo "Usage:$0 {filename} {search word}" >&2
exit 1
fi
