Citrix NetScaler Parser #153

Merged
merged 8 commits into from
Oct 27, 2022
1 change: 1 addition & 0 deletions docs/dev/include_parser_list.md
Expand Up @@ -6,6 +6,7 @@
| cisco_asa | netutils.config.parser.ASAConfigParser |
| cisco_ios | netutils.config.parser.IOSConfigParser |
| cisco_nxos | netutils.config.parser.NXOSConfigParser |
| citrix_netscaler | netutils.config.parser.NetscalerConfigParser |
| fortinet_fortios | netutils.config.parser.FortinetConfigParser |
| juniper_junos | netutils.config.parser.JunosConfigParser |
| linux | netutils.config.parser.LINUXConfigParser |
1 change: 1 addition & 0 deletions netutils/config/compliance.py
Expand Up @@ -15,6 +15,7 @@
"cisco_asa": parser.ASAConfigParser,
"fortinet_fortios": parser.FortinetConfigParser,
"nokia_sros": parser.NokiaConfigParser,
"citrix_netscaler": parser.NetscalerConfigParser,
}

# TODO: Once support for 3.7 is dropped, there should be a typing.TypedDict for this which should then also be used
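Review bot: The new `"citrix_netscaler"` entry is appended after `"nokia_sros"`, whereas the visible entries above it (`cisco_asa`, `fortinet_fortios`, `nokia_sros`) and the table in docs/dev/include_parser_list.md are kept alphabetical. Placing it between `"cisco_asa"` and `"fortinet_fortios"` would keep the mapping in the same order as the documentation, which makes missing or duplicated platforms easier to spot as the list grows. The start of the dict is above the hunk, so I cannot confirm the earlier entries follow the same ordering.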
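--- a/netutils/config/parser.py
+++ b/netutils/config/parser.py
@@ -1172,3 +1172,15 @@ def config_lines_only(self) -> str:
             config_lines.append(line.rstrip())
         self._config = "\n".join(config_lines)
         return self._config
+
+
+class NetscalerConfigParser(BaseSpaceConfigParser):
+    """Netscaler config parser."""
+
+    comment_chars: t.List[str] = []
+    banner_start: t.List[str] = []
+
+    @property
+    def banner_end(self) -> str:
+        """Demarcate End of Banner char(s)."""
+        raise NotImplementedError("Netscaler platform doesn't have a banner.")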
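Review bot: `comment_chars` is an empty list on the new `NetscalerConfigParser`, yet the NetScaler fixture added in this PR opens with `#NS13.0 Build 84.11` and `# Last modified …` lines; if the base class uses `comment_chars` to drop comment lines (its implementation is not visible here), those header lines will come through as config entries and show up in compliance diffs between devices with different build or timestamp headers. Either `comment_chars: t.List[str] = ["#"]` is wanted, or, if keeping the build line is deliberate, the class docstring should say so, e.g. `"""Netscaler config parser. Config is flat; '#' header lines are intentionally kept as config lines."""`. The `banner_end` property raising `NotImplementedError` matches `banner_start` being empty, but a unit test asserting that parsing the fixture never reaches `banner_end` would make that contract explicit.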
@@ -0,0 +1,85 @@
#NS13.0 Build 84.11
# Last modified Fri Dec 31 12:00:01 2021
set system parameter -promptString "%u@%h-%T" -maxClient 40 -doppler DISABLED
set ns httpProfile nshttp_default_profile -dropInvalReqs ENABLED
set ns param -timezone "GMT+00:00-UTC"
set ssl service nshttps-::1l-443 -ssl3 disabled -tls1 disabled
set ssl service nshttps-127.0.0.1-443 -ssl3 disabled -tls1 disabled
set ssl parameter -defaultProfile ENABLED
enable ns feature WL SP LB CS SSL CF REWRITE RESPONDER
add route 192.168.0.0 255.255.0.0
set ns encryptionParams -method AES256 -keyValue abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string
set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
set HA node -failSafe ON
set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
set ns rpcNode 203.0.113.1 -password abcdef1234 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix some_string -srcIP 203.0.113.1
add authentication tacacsAction AAA_ACT_TACACS_01 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
add authentication tacacsAction AAA_ACT_TACACS_02 -serverIP 203.0.113.1 -authTimeout 10 -tacacsSecret abcdef1234 -authorization OFF -accounting ON -groupAttrName memberof
add authentication Policy AAA_POL_TACACS_01 -rule true -action AAA_ACT_TACACS_01
add authentication Policy AAA_POL_TACACS_02 -rule true -action AAA_ACT_TACACS_02
bind system global AAA_POL_TACACS_01 -priority 10 -gotoPriorityExpression NEXT
bind system global AAA_POL_TACACS_02 -priority 20 -gotoPriorityExpression NEXT
add system group Admin -timeout 900
bind system group Admin -policyName superuser 100
add system group Support -timeout 900
bind system group Support -policyName XX-CMD-read-only 100
bind system group Support -policyName XX-CMD-partition-read-only 110
add system group Networking -timeout 900
bind system group Networking -policyName XX-CMD-operator 100
bind system group Networking -policyName XX-CMD-partition-operator 110
add system cmdPolicy XX-CMD-read-only ALLOW (^man.*)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-operator ALLOW (^show.*)|(^stat.*)|(^(enable|disable) (server|service).*)
add system cmdPolicy XX-CMD-partition-read-only ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)
add system cmdPolicy XX-CMD-partition-operator ALLOW (^man.*)|(^switch)|(^show\s+(\?!system)(\?!configstatus)(\?!audit messages)(\?!techsupport).*)|(^stat.*)|(^(enable|disable) (server|service).*)
set audit syslogParams -userDefinedAuditlog YES
set audit nslogParams -userDefinedAuditlog YES
add audit syslogAction sys_act_fdi_rsyslog 203.0.113.1 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -timeZone LOCAL_TIME -userDefinedAuditlog YES -transport UDP
add audit syslogPolicy sys_pol_fdi true sys_act_fdi_rsyslog
bind audit syslogGlobal -policyName sys_pol_fdi -priority 2000000010
set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -severity Informational
set snmp alarm HA-STATE-CHANGE -severity Informational
set snmp alarm IP-CONFLICT -severity Warning
set snmp alarm MEMORY -thresholdValue 95 -normalValue 35 -severity Critical
set snmp alarm POWER-SUPPLY-FAILURE -severity Minor
set snmp alarm SSL-CARD-FAILED -severity Minor
set snmp alarm SSL-CERT-EXPIRY -severity Warning
add snmp view READ 1 -type included
add snmp group NETMON-GROUP authpriv -readViewName READ
add snmp user monitoring -group NETMON-GROUP -authType SHA -authpasswd abcdef1234 -privType AES -privpasswd abcdef1234
add ssl cipher XX-CIPHER-GROUP_1.0_v01
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-ECDHE-RSA-AES128-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-256-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName TLS1-AES-128-CBC-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v01 -cipherName SSL3-DES-CBC3-SHA
add ssl cipher XX-CIPHER-GROUP_1.2_v01
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.2_v01 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
add ssl cipher XX-CIPHER-GROUP_1.2_v02
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES256-SHA
bind ssl cipher XX-CIPHER-GROUP_1.0_v03 -cipherName TLS1-ECDHE-RSA-AES128-SHA
add ssl cipher XX-CIPHER-LIST_256
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 1
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384 -cipherPriority 2
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 3
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES256-GCM-SHA384 -cipherPriority 4
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1.2-AES-256-SHA256 -cipherPriority 5
bind ssl cipher XX-CIPHER-LIST_256 -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 6
add ssl profile XX-SSL-Profile_1.0_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v01 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg ALL
add ssl profile XX-SSL-Profile_1.2_v02 -eRSA ENABLED -eRSACount 1800 -sessReuse ENABLED -sessTimeout 1800 -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -denySSLReneg NONSECURE
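Review bot: The fixture contains two byte-identical `set ns rpcNode 203.0.113.1 -password abcdef1234 …` lines, and the `bind ssl cipher XX-CIPHER-GROUP_1.0_v03` entries follow an `add ssl cipher XX-CIPHER-GROUP_1.2_v02` line with no `add` for `_v03`. If these are deliberate parser edge cases (duplicate lines, binds to an undeclared object) that intent is invisible and someone will likely "tidy" them later; if they are copy-paste slips, dropping the duplicate and aligning the cipher group name keeps the sample representative of a real export. The credential, secret and SNMP passphrase fields all carry the obvious placeholder `abcdef1234`, which is the right choice for a checked-in sample.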
@@ -0,0 +1,3 @@
features = [
{"name": "user", "ordered": False, "section": ["set system user "]},
]
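Review bot: The matching expected-output JSON reports `"cannot_parse": true` alongside `"compliant": true` for this single feature, and nothing in features.py explains why a one-line `set system user ` section is flagged as unparseable, so a reader cannot tell whether that is the intended result for a flat NetScaler config or a gap in the new parser. A short comment next to the feature, e.g. `# NetScaler config is flat (no child lines); the expected .json reports cannot_parse=True for this section — confirm this is intended`, would pin the intent. I cannot see how `cannot_parse` is derived, so this is a documentation request rather than a defect claim.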
@@ -0,0 +1 @@
set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900
@@ -0,0 +1,12 @@
{
"user": {
"actual": "set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900",
"cannot_parse": true,
"compliant": true,
"extra": "",
"intended": "set system user nsroot abcdef1234 -encrypted -hashmethod SHA512 -externalAuth DISABLED -timeout 900",
"missing": "",
"ordered_compliant": true,
"unordered_compliant": true
}
}