oxidized 0.27.0 → 0.28.0

data/docs/Configuration.md

@@ -16,6 +16,8 @@ input:
   debug: true
   ssh:
     secure: false
+  http:
+    ssl_verify: true
 ```
 
 ## Privileged mode
@@ -82,7 +84,7 @@ vars:
 
 ## Public Key Authentication with SSH
 
-Instead of password-based login, Oxidized can make use of key-based SSH authentication. 
+Instead of password-based login, Oxidized can make use of key-based SSH authentication.
 
 You can tell Oxidized to use one or more private keys globally, or specify the key to be used on a per-node basis. The latter can be done by mapping the `ssh_keys` variable through the active source.
 
@@ -306,5 +308,6 @@ resolve_dns: false
 ## Environment variables
 
 You can use some environment variables to change default root directories values.
+
 * `OXIDIZED_HOME` may be used to set oxidized configuration directory, which defaults to `~/.config/oxidized`
 * `OXIDIZED_LOGS` may be used to set oxidzied logs and crash directories root, which default to `~/.config/oxidized`

data/docs/Hooks.md

@@ -168,6 +168,7 @@ hooks:
     token: SLACK_BOT_TOKEN
     channel: "#network-changes"
 ```
+
 The token parameter is a "legacy token" and is generated [Here](https://api.slack.com/custom-integrations/legacy-tokens).
 
 Optionally you can disable snippets and post a formatted message, for instance linking to a commit in a git repo. Named parameters `%{node}`, `%{group}`, `%{model}` and `%{commitref}` are available.

data/docs/Model-Notes/{ios.md → IOS.md}

@@ -1,6 +1,6 @@
 # Cisco IOS Switches
 
-## Include unsaved changes done on a device (commented) with each configuration.
+## Include unsaved changes done on a device (commented) with each configuration
 
 Create the file `~/.config/oxidized/model/ios.rb` with the following contents to extend the IOS model:
 

data/docs/Model-Notes/LinuxGeneric.md

@@ -2,22 +2,23 @@
 
 To expand the usage of this model for more specific needs you can create a file in `~/.config/oxidized/model/linuxgeneric.rb`
 
-```
+```ruby
 require 'oxidized/model/linuxgeneric.rb'
 
 class LinuxGeneric
   
   cmd :secret, clear: true do |cfg|
-    cfg.gsub! /^(default (\S+).* (expires) ).*/, '\\1 <redacted>' 
+    cfg.gsub! /^(default (\S+).* (expires) ).*/, '\\1 <redacted>'
     cfg
   end
-   
+
   post do
     cfg = add_comment 'THE MONKEY PATCH'
     cfg += cmd 'firewall-cmd --list-all --zone=public'
   end
 end
 ```
+
 See [Extending-Model](https://github.com/ytti/oxidized/blob/master/docs/Creating-Models.md#creating-and-extending-models)
 
 Back to [Model-Notes](README.md)

data/docs/Model-Notes/README.md

@@ -13,7 +13,7 @@ Arista|[EOS](EOS.md)|05 Feb 2018
 Cumulus|[Cumulus](Cumulus.md)|11 Jun 2018
 Huawei|[VRP](VRP-Huawei.md)|17 Nov 2017
 Huawei|[SmartAX series](SmartAX-Huawei.md)|21 Jan 2019
-Cisco IOS|[IOS](ios.md)|29 Mar 2019
+Cisco IOS|[IOS](IOS.md)|29 Mar 2019
 Juniper|[MX/QFX/EX/SRX/J Series](JunOS.md)|18 Jan 2018
 Netgear|[Netgear](Netgear.md)|11 Apr 2018
 Nokia|[Nokia ISAM](Nokia.md)|22 Aug 2018

data/docs/Model-Notes/Viptela.md

@@ -9,4 +9,4 @@ Pagination is disabled post login.
 - show running-config
 - show version
 
-Back to [Model-Notes](README.md)
+Back to [Model-Notes](README.md)

data/docs/Ruby-API.md

@@ -6,7 +6,19 @@ The following objects exist in Oxidized.
 
 * gets config from nodes
 * must implement 'connect', 'get', 'cmd'
-* 'ssh', 'telnet', 'ftp', and 'tftp' implemented
+* 'ssh', 'telnet', 'ftp', 'tftp', 'http' implemented
+
+#### http
+ * Communicates with a device over http/https
+ * Configurable variables from within model @username, @password, @headers.
+ * @username,@password are used in a Basic Authentication method.
+ * @headers is a Hash of key value pairs of headers to pass along with the request.
+ * Within the sources config under input you define a YAML stanza like the below, this will tell Oxidized to validate certificates on the request
+```yaml
+input:
+   http:
+     ssl_verify: true
+```
 
 ## Output
 

data/docs/Supported-OS-Types.md

@@ -49,6 +49,8 @@
   * [Cambium (PMP450 Series)](/lib/oxidized/model/cambium.rb)
 * Casa
   * [Casa](/lib/oxidized/model/casa.rb)
+* Centec Networks
+  * [CNOS](/lib/oxidized/model/cnos.rb)
 * Check Point
   * [GaiaOS](/lib/oxidized/model/gaiaos.rb)
 * Ciena
@@ -88,6 +90,7 @@
   * [PowerConnect](/lib/oxidized/model/powerconnect.rb)
   * [AOSW](/lib/oxidized/model/aosw.rb)
   * [DellX](/lib/oxidized/model/dellx.rb)
+  * [Dell EMC Networking OS10](/lib/oxidized/model/os10.rb)
 * D-Link
   * [D-Link](/lib/oxidized/model/dlink.rb)
 * ECI Telecom
@@ -105,6 +108,9 @@
   * [TMOS](/lib/oxidized/model/tmos.rb)
 * Fiberstore
   * [S3800](/lib/oxidized/model/gcombnps.rb)
+  * [S3900](/lib/oxidized/model/edgecos.rb)
+  * [S5800](/lib/oxidized/model/cnos.rb)
+  * [S5850](/lib/oxidized/model/cnos.rb)
 * Firebrick
   * [FBxxxx](/lib/oxidized/model/firebrick.rb)
 * Force10
@@ -174,12 +180,14 @@
   * [AlteonOS](/lib/oxidized/model/alteonos.rb)
 * Raisecom
   * [Raisecom](/lib/oxidized/model/raisecom.rb)
+* QTECH
+  * [QSW-2800, QSW-3400, QSW-3450, QSW-3500](/lib/oxidized/model/qtech.rb)
 * Quanta
   * [Quanta / VxWorks 6.6 (1.1.0.8)](/lib/oxidized/model/quantaos.rb)
 * Siklu
   * [EtherHaul](/lib/oxidized/model/siklu.rb)
 * SonicWALL
-   * [SonicOS](lib/oxidized/model/sonicos.rb)
+  * [SonicOS](lib/oxidized/model/sonicos.rb)
 * SNR
   * [SNR-S300G, S2xxx, S3xxx, S4xxx](/lib/oxidized/model/dcnos.rb)
 * Speedtouch
@@ -191,6 +199,8 @@
   * [SBM-GEM-X2C, GEM-X2C+, GEM-X3S+, XEM-X10SM](/lib/oxidized/model/aricentiss.rb)
 * Symantec
   * [Blue Coat ProxySG / Security Gateway OS (SGOS)](/lib/oxidized/model/sgos.rb)
+* Telco Systems
+  * [Telco Systems T-Marc 3306](/lib/oxidized/model/telco.rb)
 * Trango Systems
   * [Trango](/lib/oxidized/model/trango.rb)
 * TPLink
@@ -202,6 +212,9 @@
   * [Edgeos](/lib/oxidized/model/edgeos.rb)
   * [EdgeSwitch](/lib/oxidized/model/edgeswitch.rb)
   * [AirFiber](/lib/oxidized/model/airfiber.rb)
+* VMWare
+  * [NSX Edge (configuration)](/lib/oxidized/model/nsxconfig.rb)
+  * [NSX Edge (firewall rules)](/lib/oxidized/model/nsxfirewall.rb)
 * Watchguard
   * [Fireware OS](/lib/oxidized/model/firewareos.rb)
 * Westell

data/lib/oxidized/input/http.rb

@@ -9,6 +9,9 @@ module Oxidized
     def connect(node)
       @node = node
       @secure = false
+      @username = nil
+      @password = nil
+      @headers = {}
       @log = File.open(Oxidized::Config::Log + "/#{@node.ip}-http", "w") if Oxidized.config.input.debug?
       @node.model.cfg["http"].each { |cb| instance_exec(&cb) }
 
@@ -45,10 +48,17 @@ module Oxidized
 
     def get_http(path)
       schema = @secure ? "https://" : "http://"
-      uri = URI.join schema + @node.ip, path
-      http = Net::HTTP.new uri.host, uri.port
-      http.use_ssl = true if uri.scheme == "https"
-      http.get(uri).body
+      uri = URI("#{schema}#{@node.ip}#{path}")
+      req = Net::HTTP::Get.new(uri)
+      req.basic_auth @username, @password unless @username.nil?
+      @headers.each do |header, value|
+        req.add_field(header, value)
+      end
+      ssl_verify = Oxidized.config.input.http.ssl_verify? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+      res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https", verify_mode: ssl_verify) do |http|
+        http.request(req)
+      end
+      res.body
     end
 
     def log(str)

data/lib/oxidized/input/ssh.rb

@@ -65,7 +65,7 @@ module Oxidized
       disconnect_cli
       # if disconnect does not disconnect us, give up after timeout
       Timeout.timeout(Oxidized.config.timeout) { @ssh.loop }
-    rescue Errno::ECONNRESET, Net::SSH::Disconnect, IOError # rubocop:disable Lint/HandleExceptions
+    rescue Errno::ECONNRESET, Net::SSH::Disconnect, IOError
     ensure
       @log.close if Oxidized.config.input.debug?
       (@ssh.close rescue true) unless @ssh.closed?

data/lib/oxidized/input/telnet.rb

@@ -61,7 +61,7 @@ module Oxidized
     def disconnect
       disconnect_cli
       @telnet.close
-    rescue Errno::ECONNRESET # rubocop:disable Lint/HandleExceptions
+    rescue Errno::ECONNRESET
     ensure
       @log.close if Oxidized.config.input.debug?
       (@telnet.close rescue true) unless @telnet.sock.closed?

data/lib/oxidized/model/aos7.rb

@@ -47,8 +47,8 @@ class AOS7 < Oxidized::Model
   end
 
   cfg :telnet do
-    username /^login : /
-    password /^Password : /
+    username /^([\w -])*login: /
+    password /^Password\s?: /
   end
 
   cfg :telnet, :ssh do

data/lib/oxidized/model/aosw.rb

@@ -58,6 +58,11 @@ class AOSW < Oxidized::Model
     rstrip_cfg comment cfg
   end
 
+  cmd 'show license passphrase' do |cfg|
+    cfg = "" if cfg.match /(Invalid input detected at '\^' marker|Parse error)/ # Don't show for unsupported devices (IAP and MAS)
+    rstrip_cfg comment cfg
+  end
+
   cmd 'show running-config' do |cfg|
     out = []
     cfg.each_line do |line|

data/lib/oxidized/model/ciscosmb.rb

@@ -26,6 +26,7 @@ class CiscoSMB < Oxidized::Model
   end
 
   cmd 'show version' do |cfg|
+    cfg.gsub! /uptime is\ .+/, '<uptime removed>'
     comment cfg
   end
 
@@ -44,8 +45,18 @@ class CiscoSMB < Oxidized::Model
   end
 
   cfg :telnet, :ssh do
-    username /^User ?[nN]ame:/
-    password /^\r?Password:$/
+    username /User ?[nN]ame:/
+    password /^\r?Password:/
+
+    post_login do
+      if vars(:enable) == true
+        cmd 'enable'
+      elsif vars(:enable)
+        cmd 'enable', /^\r?Password:$/
+        cmd vars(:enable)
+      end
+    end
+
     post_login 'terminal datadump' # Disable pager
     post_login 'terminal width 0'
     post_login 'terminal len 0'

data/lib/oxidized/model/cnos.rb

@@ -0,0 +1,33 @@
+# model for Centec Networks CNOS based switches
+class CNOS < Oxidized::Model
+  comment '! '
+
+  cmd :all do |cfg|
+    cfg.each_line.to_a[0..-2].join
+  end
+
+  cmd 'show running-config' do |cfg|
+    cfg.gsub!(/(snmp-server community )(\S+)/, '\1<hidden>')
+    cfg.gsub!(/key type private.+key string end/m, '<private key hidden>')
+    cfg
+  end
+
+  cmd 'show version' do |cfg|
+    cfg.gsub! /^(.* uptime is ).*\n/, '\1'
+    comment cfg
+  end
+
+  cmd 'show transceiver' do |cfg|
+    comment cfg
+  end
+
+  cfg :telnet do
+    username /^Username:/
+    password /^Password:/
+  end
+
+  cfg :telnet, :ssh do
+    post_login 'terminal length 0'
+    pre_logout 'exit'
+  end
+end

data/lib/oxidized/model/cumulus.rb

@@ -33,9 +33,6 @@ class Cumulus < Oxidized::Model
     cfg += add_comment 'NTP.CONF'
     cfg += cmd 'cat /etc/ntp.conf'
 
-    cfg += add_comment 'IP Routes'
-    cfg += cmd 'netstat -rn'
-
     cfg += add_comment 'SNMP settings'
     cfg += cmd 'cat /etc/snmp/snmpd.conf'
 
@@ -73,7 +70,7 @@ class Cumulus < Oxidized::Model
     cfg += cmd 'cat /etc/cumulus/datapath/traffic.conf'
 
     cfg += add_comment 'ACL'
-    cfg += cmd 'iptables -L -n'
+    cfg += cmd 'cat /etc/cumulus/acl/policy.conf'
 
     cfg += add_comment 'VERSION'
     cfg += cmd 'cat /etc/cumulus/etc.replace/os-release'

data/lib/oxidized/model/edgecos.rb

@@ -8,14 +8,14 @@ class EdgeCOS < Oxidized::Model
   end
 
   cmd :all do |cfg|
-    cfg.each_line.to_a[2..-2].join
+    cfg.each_line.to_a[0..-2].join
   end
 
   cmd 'show running-config'
 
   cmd 'show system' do |cfg|
-    cfg.gsub! /^\s*System Up Time\s*:.*\n/i, ''
-    cfg.gsub! /^\s*(Temperature \d*:).*\n/i, '\\1 <removed>'
+    cfg.gsub! /^.*\sUp Time\s*:.*\n/i, ''
+    cfg.gsub! /^(.*\sTemperature \d*:).*\n/i, '\\1 <removed>'
     comment cfg
   end
 
@@ -27,6 +27,16 @@ class EdgeCOS < Oxidized::Model
     comment cfg
   end
 
+  cmd 'show interfaces transceiver' do |cfg|
+    cfg.gsub! /(\d\d)!/, '\\1 ' # alarm indicators of DDM thresholds
+    cfg.gsub! /^(\s*Temperature\s*:).*/, '\1 <hidden>'
+    cfg.gsub! /^(\s*Vcc\s*:).*/, '\1 <hidden>'
+    cfg.gsub! /^(\s*Bias Current\s*:).*/, '\1 <hidden>'
+    cfg.gsub! /^(\s*TX Power\s*:).*/, '\1 <hidden>'
+    cfg.gsub! /^(\s*RX Power\s*:).*/, '\1 <hidden>'
+    comment cfg
+  end
+
   cfg :telnet do
     username /^Username:/
     password /^Password:/

data/lib/oxidized/model/eos.rb

@@ -15,6 +15,7 @@ class EOS < Oxidized::Model
     cfg.gsub! /(password \d+) (\S+).*/, '\\1 <secret hidden>'
     cfg.gsub! /^(enable secret).*/, '\\1 <configuration removed>'
     cfg.gsub! /^(tacacs-server key \d+).*/, '\\1 <configuration removed>'
+    cfg.gsub! /( {6}key) (\h+ 7) (\h+).*/, '\\1 <secret hidden>'
     cfg
   end
 

data/lib/oxidized/model/fortios.rb

@@ -20,16 +20,16 @@ class FortiOS < Oxidized::Model
     # A number of other statements also contains sensitive strings
     cfg.gsub! /(set (?:passwd|password|key|group-password|auth-password-l1|auth-password-l2|rsso|history0|history1)) .+/, '\\1 <configuration removed>'
     cfg.gsub! /(set md5-key [0-9]+) .+/, '\\1 <configuration removed>'
-    cfg.gsub! /(set private-key ).*?-+END (ENCRYPTED|RSA) PRIVATE KEY-*"$/m, '\\1<configuration removed>'
-    cfg.gsub! /(set ca ).*?-+END CERTIFICATE-*"$/m, '\\1<configuration removed>'
-    cfg.gsub! /(set csr ).*?-+END CERTIFICATE REQUEST-*"$/m, '\\1<configuration removed>'
-    cfg.gsub! /(Cluster uptime:).*/, '\\1 <stripped>'
+    cfg.gsub! /(set private-key ).*?-+END (ENCRYPTED|RSA|OPENSSH) PRIVATE KEY-+\n?"$/m, '\\1<configuration removed>'
+    cfg.gsub! /(set ca ).*?-+END CERTIFICATE-+"$/m, '\\1<configuration removed>'
+    cfg.gsub! /(set csr ).*?-+END CERTIFICATE REQUEST-+"$/m, '\\1<configuration removed>'
     cfg
   end
 
   cmd 'get system status' do |cfg|
-    @vdom_enabled = cfg.include? 'Virtual domain configuration: enable'
-    cfg.gsub!(/(System time: )(.*)/, '\1<stripped>\3')
+    @vdom_enabled = cfg.match /Virtual domain configuration: (enable|multiple)/
+    cfg.gsub! /(System time:).*/, '\\1 <stripped>'
+    cfg.gsub! /(Cluster uptime:).*/, '\\1 <stripped>'
     cfg.gsub! /(Virus-DB|Extended DB|IPS-DB|IPS-ETDB|APP-DB|INDUSTRIAL-DB|Botnet DB|IPS Malicious URL Database).*/, '\\1 <db version stripped>'
     comment cfg
   end

data/lib/oxidized/model/gcombnps.rb

@@ -5,11 +5,11 @@ class GcomBNPS < Oxidized::Model
   # tested with:
   #  - S5330 (aka Fiberstore S3800)
 
-  prompt /^\r?([\w.@()-]+?(\(1-16 chars\))?[#>:]\s?)$/ # also match SSH password promt (post_login commands are sent after the first prompt)
+  prompt /^\r?([\w.@()-]+?(\(1-\d+ chars\))?[#>:]\s?)$/ # also match SSH password promt (post_login commands are sent after the first prompt)
   comment '! '
 
   # alternative to handle the SSH login, but this breaks telnet
-  #  expect /^Password\(1-16 chars\):/ do |data|
+  #  expect /^Password\(1-\d+ chars\):/ do |data|
   #      send @node.auth[:password] + "\n"
   #      ''
   #  end
@@ -66,8 +66,8 @@ class GcomBNPS < Oxidized::Model
   end
 
   cfg :telnet do
-    username /^Username\(1-32 chars\):/
-    password /^Password\(1-16 chars\):/
+    username /^Username\(1-\d+ chars\):/
+    password /^Password\(1-\d+ chars\):/
   end
 
   cfg :ssh do

data/lib/oxidized/model/ibos.rb

@@ -0,0 +1,55 @@
+class IBOS < Oxidized::Model
+  # IBOS model, Intelligent Broadband Operating System (iBOS)
+  # Used in Waystream (previously PacketFront) Routers and Switches
+
+  prompt /^([\w.@()-]+[#>]\s?)$/
+  comment  '! '
+
+  cmd :all do |cfg|
+    cfg.each_line.to_a[1..-2].join
+  end
+
+  cmd :secret do |cfg|
+    # snmp-group version 2c
+    #  notify 10.1.1.1 community public trap
+    cfg.gsub! /^ notify (\S+) community (\S+) (.*)/, ' notify \\1 community <hidden> \\3'
+
+    # snmp-group version 2c
+    #  community public read-only view all
+    cfg.gsub! /^ community (\S+) (.*)/, ' community <hidden> \\2'
+
+    # radius server 10.1.1.1 secret public
+    cfg.gsub! /^radius server (\S+) secret (\S+)(.*)/, 'radius server \\1 secret <hidden> \\3'
+  end
+
+  cmd 'show version' do |cfg|
+    cfg.gsub! /.*uptime is.*/, ''
+    comment cfg
+  end
+
+  cmd 'show running-config' do |cfg|
+    cfg = cfg.each_line.to_a[0..-1].join
+    cfg.gsub! /.*!volatile.*/, ''
+    cfg
+  end
+
+  cfg :telnet do
+    username /^username:\s/
+    password /^\r?password:\s/
+  end
+
+  cfg :telnet, :ssh do
+    # preferred way to handle additional passwords
+    post_login do
+      if vars(:enable) == true
+        cmd "enable"
+      elsif vars(:enable)
+        cmd "enable", /^[pP]assword:/
+        cmd vars(:enable)
+      end
+    end
+    post_login 'terminal no pager'
+    post_login 'terminal width 65535'
+    pre_logout 'exit'
+  end
+end