Update to RTRBK - Diff and File Dates in PowerShell
I use my RTRBK script pretty much every week; in fact, I use it every time I work with a client whose network gear isn't already in a backup cycle. (For a review of this tool, see the original post https://isc.sans.edu/diary/RTRBK+Router+Switch+Firewall+Backups+in+PowerShell+tool+drop/22079 )
Anyway, I was considering how I could improve this script, aside from adding more and more device types to the backups. A "diff" report was my obvious first thought - why didn't I have this in there from the start?
Diffing your nightly config backups allows you to:
- ensure that config changes aren't being made outside of your change control process
- ensure that ONLY the approved changes are implemented
- if you compare changes to the login events in your syslog, you can verify that the right people / right accounts are logging in to make these changes
How do you do this in PowerShell? It turns out that it's native to the language, and implemented two ways. Let's compare a (much) older backup file with the current backup.
First, this is the "looks like regular PowerShell" version of the command:
Compare-Object (Get-Content .\ASA01.2021-31-07-09-31.cfg.bk) (get-content ./ASA01.cfg)
Or, to redirect it to a file:
Compare-Object (Get-Content .\ASA01.2021-31-07-09-31.cfg.bk) (get-content ./ASA01.cfg) > ASA01.diff.txt
A second way to skin this cat uses a different spelling of the same command: "diff" and "cat" are built-in aliases for Compare-Object and Get-Content, so this calls the exact same code under the covers and gives you the exact same output, but it might be easier to remember and "friendlier" to folks who are coming to PowerShell from a *nix background:
diff (cat .\ASA01.2021-31-07-09-31.cfg.bk) (cat .\ASA01.cfg)
Some typical output of this "diff" command might look like:
InputObject SideIndicator
----------- -------------
show startup =>
: Written by rvandenbrink at 20:56:23.320 EST Mon Dec 12 2022 =>
ASA Version 9.14(4) =>
enable password ***** pbkdf2 =>
passwd ***** encrypted =>
boot system disk0:/asa9-16-3-23-lfbff-k8.SPA =>
boot system disk0:/asa9-14-4-lfbff-k8.SPA =>
access-list VPNGRP_splitTunnelAcl standard permit 172.16.99.0 255.255.255.0 =>
asdm image disk0:/asdm-7181-152.bin =>
key ***** =>
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac =>
protocol esp integrity sha-1 =>
protocol esp integrity sha-1 =>
protocol esp integrity sha-1 =>
protocol esp encryption aes =>
protocol esp integrity sha-1 =>
protocol esp encryption aes =>
protocol esp integrity sha-1 =>
crypto ipsec df-bit clear-df outside =>
group 19 5 =>
group 5 =>
group 5 =>
: Written by rvandenbrink at 15:50:38.181 EST Fri Feb 19 2021 <=
ASA Version 9.12(4)2 <=
enable password $sha512$5000$idL1fwSW4iN+O1ZY/2ajsA==$dZm2YBtjqLe4ulG9sPCWjw== pbkdf2 <=
passwd tIBh8hSmm6StbwU0 encrypted <=
<=
boot system disk0:/asa9-12-4-2-lfbff-k8.SPA <=
asdm image disk0:/asdm-openjre-7141-48.bin <=
asdm location GMPDC01 255.255.255.255 inside <=
key 4QTW595wxHNkdmhTrmWe <=
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <=
protocol esp integrity sha-1 md5 <=
protocol esp integrity sha-1 md5 <=
protocol esp integrity sha-1 md5 <=
protocol esp encryption 3des <=
protocol esp integrity sha-1 md5 <=
protocol esp encryption des <=
protocol esp integrity sha-1 md5 <=
group 19 5 2 <=
group 5 2 <=
group 5 2 <=
As can be seen from the above output, there's been an ASA version update, which in turn "retired" a number of IPsec (ESP) algorithms and Diffie-Hellman (DH) groups. These were all expected changes, and they had to be reflected at the other end of the VPN tunnel during the update.
Another useful bit of manipulation is to rename a file based on its last modified date and time (which in this case should always be the creation date and time) - this gives me a file that I can DIFF against. In this code snippet, we look for the device backup file. If it exists, we rename it by its creation date and time (yy-MM-dd-hh-mm), so that we can then save the new backup using just the device name.
# backup filename
$fname = $dev.name + ".cfg"
$rfname = $null
# does that file exist?
if (Test-Path $fname) {
    # if so, rename it by its last-modified date and time
    # (HH is the 24-hour clock; hh would make a morning and an evening backup collide)
    $d = (Get-Item $fname).LastWriteTime
    $rfname = $d.ToString("yyyy-MM-dd-HH-mm") + "-" + $fname
    Rename-Item $fname $rfname
}
# save the new backup file
Out-File -FilePath $fname -InputObject $cfg
# diff old and new files (only when there was an old file to diff against)
if ($rfname) {
    $diffname = $dev.name + ".diff.txt"
    Compare-Object (Get-Content $rfname) (Get-Content $fname) > $diffname
}
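Putting the diff report and the rotate-by-timestamp steps together, here is an added example (my own, not code from the RTRBK script) that wraps the procedure in one function. It assumes a device name and the captured config lines as inputs, skips the ASA ": Written by ... at" header (which changes on every save and would otherwise show up in every report), and only writes a diff file when something actually changed; the two sample configs at the bottom are constructed for the demonstration.

```powershell
# Added example: rotate the previous backup by its LastWriteTime, save the new
# config, and write <device>.diff.txt only when lines differ.
function Save-ConfigWithDiff {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string[]]$Config,
        [string]$BackupDir = '.'
    )
    $fname  = Join-Path $BackupDir ($DeviceName + '.cfg')
    $rfname = $null

    if (Test-Path $fname) {
        # HH (24-hour clock) rather than hh, so two backups on the same day never collide
        $d = (Get-Item $fname).LastWriteTime
        $rfname = Join-Path $BackupDir ($d.ToString('yyyy-MM-dd-HH-mm') + '-' + $DeviceName + '.cfg')
        Rename-Item -Path $fname -NewName (Split-Path $rfname -Leaf)
    }

    Out-File -FilePath $fname -InputObject $Config

    if (-not $rfname) { return }   # first backup of this device: nothing to diff against

    # The ASA per-save header line always differs, so drop it before comparing
    $noise = '^: Written by '
    $old = Get-Content $rfname | Where-Object { $_ -notmatch $noise }
    $new = Get-Content $fname  | Where-Object { $_ -notmatch $noise }
    $changes = Compare-Object -ReferenceObject $old -DifferenceObject $new

    if ($changes) {
        $diffPath = Join-Path $BackupDir ($DeviceName + '.diff.txt')
        # '=>' marks lines only in the new backup, '<=' lines only in the old one
        $changes | Format-Table InputObject, SideIndicator -AutoSize |
            Out-File -FilePath $diffPath
        Write-Warning "$($DeviceName): $($changes.Count) changed line(s), see $diffPath"
    }
}

# Constructed sample: two fake ASA configs, the second with a weakened transform set
$oldCfg = @(': Written by admin at 10:00:00 EST Mon Jan 1 2024',
            'crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac')
$newCfg = @(': Written by admin at 22:00:00 EST Mon Jan 1 2024',
            'crypto ipsec ikev1 transform-set ESP-AES-SHA esp-des esp-md5-hmac')
Save-ConfigWithDiff -DeviceName 'ASA01' -Config $oldCfg   # first run: just saves ASA01.cfg
Save-ConfigWithDiff -DeviceName 'ASA01' -Config $newCfg   # second run: rotates, diffs, warns
```

On the second call only the transform-set line appears in ASA01.diff.txt, once with "<=" and once with "=>", which is the kind of out-of-change-control edit the nightly diff is meant to surface.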
I've updated my rtrbk.ps1 script for those of you who have found this useful. I've also added Juniper (JunOS) and Cisco "small business" switches to the mix of devices. You can find it, as always, on my GitHub: https://github.com/robvandenbrink
This script currently does most of what I need for my client base (those who don't have a more fully featured NMS / device config backup solution). If you have a feature you'd like to see added, or more devices you'd like to see covered in this script, by all means let me know in the comments section.
===============
Rob VandenBrink
rob@coherentsecurity.com