using CiscoConfParse to find ACL applied to VTY and then check ACL for log statement

Question

I have the code to find the name of the 'access-class' on the 'line vty'

After that I am able to find the ACL but then I want to check each line of the ACL to verify that the 'deny' and 'permit' statements have the 'log' keyword. And print a report of OPEN if there is no 'log' statement or NOT A FINDING if there is a 'log' statement on the entry.

And this is where I am at a loss for how to parse through the ACL statements, whether I can use something from CiscoConfParse or more standard python to do the job?

#Importing the necessary modules.
import sys
from sys import argv
#Importing the necessary modules. 
from ciscoconfparse import CiscoConfParse
import sys
import argparse

def check_VTY_ACL_NET1637():
## Search for LINE VTY access-list name then check if that ACL has    log keyword
#
    for VTY_ACL in parse.find_children_w_parents('line vty', 'access-class'):
        #print(VTY_ACL[14])
        VTY_ACL = VTY_ACL.lstrip('access-class ')
        #print (VTY_ACL)
        VTY_ACL_2 = VTY_ACL.rstrip(' in')
        #print(VTY_ACL_R)
        #has_ACL_in = VTY_ACL.find_lines(r'access-class')
        #print(has_ACL_in)
        #for IP_ACL_LIST in parse.find_objects_w_child(VTY_ACL_R, 'log'):
        #for IP_ACL_LIST in parse.find_lines(VTY_ACL_R):
        for IP_ACL_LIST in parse.find_parents_w_child(VTY_ACL_2, ''):
            #print(IP_ACL_LIST)
            #IP_ACL_ACE = parse.has_line_with(' log')
            IP_ACL_ACE = parse.find_children_w_parents(IP_ACL_LIST, '')
            #print(IP_ACL_ACE)
            has_log_keyword = parse.has_line_with(r' log')
            #print(has_log_keyword)
            #
            #has_log_keyword = has_log_keyword.split()
            for log in IP_ACL_ACE:
                #print (log)
                #has_not_log_keyword = parse.has_line_with(r'. log')
                #print(has_not_log_keyword)
                keyword_log = 'log'
                keyword_permit = 'permit'
                keyword_deny = 'deny'
                log = log.split()
                print (log)
                if (not keyword_log):
                   print('OPEN LINE VTY')
                else:
                   print("Not a Finding: 'NET-VLAN-023'" )


# Main starting of script
def start():
script, input_file = argv
global parse
parse = CiscoConfParse (input_file)
print("Opening config file: %r\n" % input_file)
check_VTY_ACL_NET1637()

def main():
args = sys.argv[1:]
if len(args) == 1:
    start()
#else:
    #usage()

if __name__ == "__main__":
main()

here is the sample configuration file I am using with the ACL on the VTY

Current configuration : 25432 bytes
!
ip access-list extended SSH2-IN
 remark ///\\\///\\\///\\\///\\\///\\\///\\\///
 remark ///\\\***DEC 8 2015***///\\\
 remark SomeSite //VoSIP //
 remark ******************************************
 permit ip 10.227.2.128 0.0.0.63 any
 permit tcp 43.81.133.0 0.0.0.255 any eq 22 log
 deny   ip any any
!
line vty 0 4
 access-class SSH2-IN in
line vty 5 15
access-class SSH2-IN in
!
end

Answer 1

I wrote up a proof of concept on this:

#!/usr/bin/env python

import re
from ciscoconfparse import CiscoConfParse

def main():
    cisco_file = 'cisco_ipsec.txt'
    cisco_cfg = CiscoConfParse(cisco_file)
    vty_acl = cisco_cfg.find_objects(r'access-class')

    # Find the ACL name
    acl_name = ''
    for entry in vty_acl:
        if 'line vty' in entry.parent.text:
            match = re.search(r'access-class (.*) in', entry.text)
            if not acl_name:
                acl_name = match.group(1)
            else:
                new_acl_name = match.group(1)
                if new_acl_name != acl_name:
                    raise ValueError("ACL names do not match")

    if not acl_name:
        raise ValueError("ACL not found under line vty")

    the_acl = r"ip access-list extended {}".format(acl_name)
    acl_object = cisco_cfg.find_objects(the_acl)[0]

    # Parse the ACL lines looking for 'log' keyword    
    log_lines = []
    no_log_lines = []
    for line in acl_object.all_children:
        if 'permit' in line.text or 'deny' in line.text:
            if 'log' in line.text:
                log_lines.append(line.text)
            else:
                no_log_lines.append(line.text)

    print "\nLines with log"
    print '#' * 50
    for line in log_lines:
        print line
    print '#' * 50

    print "\nLines without log"
    print '#' * 50
    for line in no_log_lines:
        print line
    print '#' * 50
    print


if __name__ == "__main__":
    main()

At a general level, I first find the ACL name. I then go through each line of the ACL looking for permit or deny and then the log keyword. From this I create two lists: "log_lines" and "no_log_lines". Finally, I print these two the screen.

FYI, it would help when posting code like the above to strip out commented code. It just clutters up what you are doing.

Answer 2

from ciscoconfparse import CiscoConfParse

input_file = 'some_site.conf'
parse = CiscoConfParse(input_file)

## Build a list of vty ACLs here (and flag if a vty doesn't have one)
vty_acl_names = set([])
for vtyobj in parse.find_objects(r'^line\svty'):

    vty_acl_name = vtyobj.re_match_iter_typed('access-class\s+(\S+)\s+in', 
        result_type=str, default="")

    if not vty_acl_name:
        print "FAIL: '{0}' doesn't have an ACL".format(vtyobj.text)
    else:
        vty_acl_names.add(vty_acl_name)

## Check ACL log compliance here (and ensure the ACL is even in the config)
for vty_acl_name in vty_acl_names:
    try:
        aclobj = parse.find_objects(r'ip\s+access-list\s+extended\s+{0}'.format(vty_acl_name))[0]
    except IndexError:
        print "FAIL: ACL {0} is applied to a vty, but it's missing from the config!".format(vty_acl_name)
    ## NOTE: this only works if you are using extended ACLs on the VTY
    for ace in aclobj.children:

        if 'remark' in ace.text:
            continue
        if 'log' in ace.text:
            print "NOT A FINDING - ACL {0}, ACE: {1}".format(vty_acl_name, ace.text)
        else:
            print "OPEN (no log) - ACL {0}, ACE: {1}".format(vty_acl_name, ace.text)

When I run it on your config I get this output:

(py27_default) mpenning@MPENNING-BRIX C:\Users\mpenning
> python garrybaker.py
FAIL: 'line vty 5 15' doesn't have an ACL
OPEN (no log) - ACL SSH2-IN, ACE:  permit ip 10.227.2.128 0.0.0.63 any
NOT A FINDING - ACL SSH2-IN, ACE:  permit tcp 43.81.133.0 0.0.0.255 any eq 22 log
OPEN (no log) - ACL SSH2-IN, ACE:  deny   ip any any

(py27_default) mpenning@MPENNING-BRIX C:\Users\mpenning
>

I took the liberty of adding to your requirements... I flag vty lines that don't have an ACL.

Now, you might ask "Why did it say that 'line vty 5 15' doesn't have an ACL, because I put it in the config? It's because I used re_match_iter_typed(), which only searches children of the parent line... when you input a config like this, CiscoConfParse will not associate the access-class with the parent vty line on 5 15, because the access-class line is not indented more than line vty 5 15:

line vty 0 4
 access-class SSH2-IN in
line vty 5 15
access-class SSH2-IN in
!

Indentation matters (a lot) to CiscoConfParse... you have to know your inputs... if you can't depend on people to indent their configs, then use the method in Kirk's answer :-)