From 5f20e8ebdf229b07cea73a68d7b8422b42298603 Mon Sep 17 00:00:00 2001
From: Rick Donato
Date: Tue, 28 Jul 2020 21:50:40 +0100
Subject: [PATCH] General updates

---
 acl_auditor/auditor.py | 15 ++++-----------
 data/asa.cfg | 8 ++------
 data/flows.yml | 18 +++++++-----------
 docker-compose.yml | 2 +-
 4 files changed, 14 insertions(+), 29 deletions(-)

diff --git a/acl_auditor/auditor.py b/acl_auditor/auditor.py
index 8184014..73bc3ec 100755
--- a/acl_auditor/auditor.py
+++ b/acl_auditor/auditor.py
@@ -5,7 +5,6 @@
 import os
 import sys
-from dotenv import load_dotenv
 from pybatfish.client.commands import bf_session
 from pybatfish.question import bfq
 from pybatfish.question.question import load_questions
@@ -16,19 +15,15 @@
 generate_html_report,
 )
-load_dotenv()
 logging.getLogger("pybatfish").setLevel(logging.CRITICAL)
 class ACLAuditor:
- def __init__(self, config_file, batfish_host):
- self.init_session(batfish_host)
- self.config_file = config_file
-
- def init_session(self, batfish_host):
- bf_session.host = batfish_host
+ def __init__(self, config_file):
+ bf_session.host = "127.0.0.1"
 load_questions()
+ self.config_file = config_file
 def _create_base_snapshot(self):
 bf_session.init_snapshot_from_text(
@@ -84,8 +79,6 @@ def get_unreachable_lines(self):
 if __name__ == "__main__":
- batfish_host = os.getenv("BATFISH_SERVICE_HOST")
-
 parser = argparse.ArgumentParser(description="Batfish ACL Auditor")
 parser.add_argument(
 "-c",
@@ -105,7 +98,7 @@ def get_unreachable_lines(self):
 args = vars(parser.parse_args())
 config = read_file(args["device_config"])
- acl_auditor = ACLAuditor(config, batfish_host)
+ acl_auditor = ACLAuditor(config)
 filter_compare_results = str()
 unreachable_results = str()
diff --git a/data/asa.cfg b/data/asa.cfg
index d0ec920..2921739 100644
--- a/data/asa.cfg
+++ b/data/asa.cfg
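Review bot: `bf_session.host = "127.0.0.1"` in the new `__init__` hard-codes the Batfish endpoint, whereas the removed `init_session` took it from the caller and the third hunk drops the `BATFISH_SERVICE_HOST` lookup that fed it. Since this patch also touches docker-compose.yml, the auditor presumably runs in a container, where loopback will only reach Batfish if host networking or a sidecar is used; keeping an override avoids a dead-end default: `def __init__(self, config_file, batfish_host="127.0.0.1"):` followed by `bf_session.host = batfish_host`. A one-line docstring such as `"""Point the imported bf_session at the Batfish host, load its questions and remember the device config."""` would also help, because the constructor mutates the shared `bf_session` object rather than per-instance state. The rest of the class continues outside the hunk.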
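Review bot: Removing `batfish_host = os.getenv("BATFISH_SERVICE_HOST")` appears to leave `import os` (kept as context in the first hunk) without a caller; if nothing else in the file references `os`, drop the import as well so the unused-import lint does not fire. If an environment override is still wanted, this is also where it would be read back in, e.g. `batfish_host = os.getenv("BATFISH_SERVICE_HOST", "127.0.0.1")`, so that the loopback default is a fallback rather than the only option. The `__main__` block continues outside the hunk.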
@@ -57,14 +57,10 @@ dns server-group DefaultDNS
 domain-name packetflow.local
 same-security-traffic permit inter-interface
 access-list acl-inside extended deny ip any4 any4
-access-list acl-inside extended permit udp host 10.0.2.1 host 8.8.8.8 eq ntp
 access-list acl-inside extended permit udp host 10.0.2.1 host 8.8.8.8 eq domain
-access-list acl-inside extended permit udp host 10.0.2.1 host 8.8.4.4 eq ntp
 access-list acl-inside extended permit udp host 10.0.2.1 host 8.8.4.4 eq domain
-access-list acl-webfarm extended permit tcp host 10.0.1.1 host 10.0.2.1 eq 3306
-access-list acl-webfarm extended permit udp host 10.0.1.1 host 8.8.8.8 eq ntp
+access-list acl-webfarm extended permit tcp any host 10.0.2.1 eq 3306
 access-list acl-webfarm extended permit udp host 10.0.1.1 host 8.8.8.8 eq domain
-access-list acl-webfarm extended permit udp host 10.0.1.1 host 8.8.4.4 eq ntp
 access-list acl-webfarm extended permit udp host 10.0.1.1 host 8.8.4.4 eq domain
 access-list acl-webfarm extended deny ip any4 any4
 access-list acl-outside extended permit tcp any4 host 10.0.1.1 eq www
@@ -226,4 +222,4 @@ call-home
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination transport-method http
 Cryptochecksum:ea1e58d34590afa6687e169dfc31f4c7
-: end
\ No newline at end of file
+: end
diff --git a/data/flows.yml b/data/flows.yml
index 2ebe4f8..f8b2b93 100644
--- a/data/flows.yml
+++ b/data/flows.yml
@@ -1,15 +1,11 @@
 ---
-- source_ip: 11.36.216.176/32
- dest_ip: 11.36.216.0/24
- proto: ip
+- source_ip: 10.0.1.1/32
+ dest_ip: 8.8.8.8/32
+ dest_port: 53
+ proto: udp
 action: permit
- name: from-11-36-216-176
-- source_ip: 10.36.176.0/24
- dest_ip: 11.20.0.0/16
- dest_port: 1000-20000
+- source_ip: 10.0.1.1/32
+ dest_ip: 10.200.1.1/32
+ dest_port: 3306
 proto: tcp
 action: permit
-- source_ip: 0.0.0.0/0
- dest_ip: 0.0.0.0/0
- proto: ip
- action: permit
\ No newline at end of file
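Review bot: The added `access-list acl-webfarm extended permit tcp any host 10.0.2.1 eq 3306` widens the source from `host 10.0.1.1` to `any`, and it uses `any` where every other entry in this file uses `any4` (on ASA 9.x `any` matches IPv6 as well, `any4` does not). If the over-permissive rule is deliberate fixture data for the auditor to report on, a remark above it would record that, e.g. `access-list acl-webfarm remark sample over-permissive entry: any source to 10.0.2.1/3306, expected as an auditor finding`; if it is not deliberate, `any4` keeps the entry consistent with the rest of the ACL. The rest of the hunk only removes the ntp entries and is unchanged otherwise.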
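Review bot: The second flow's `dest_ip: 10.200.1.1/32` with `dest_port: 3306` does not correspond to the only 3306 rule in this patch's data/asa.cfg, which permits traffic to `host 10.0.2.1`; if the flow is meant as a negative case that should be stated, and if it is meant to exercise the new rule the address looks mistyped. The rewritten flows also drop the `name:` key the old first entry carried, so a `#` comment per flow would keep the intent readable, e.g. `# intent: exercise acl-webfarm permit udp host 10.0.1.1 -> 8.8.8.8 eq domain` above the first entry. Whether `name` is consumed by the report code is not visible in this patch.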
diff --git a/docker-compose.yml b/docker-compose.yml
index 3cdfa2a..99932ae 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,6 @@
 version: '3.5'
 services:
- acl_auditor:
+ ntc-soteria:
 container_name: acl_auditor
 build:
 context: .