new upstream release (3.3.0); modify package compatibility for Stretch

[ossec-hids.git] / debian / ossec-hids / var / ossec / agentless / ssh_asa-fwsmconfig_diff

#!/usr/bin/env expect

# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
# All rights reserved.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

if {$argc < 1} {
    send_user "ERROR: ssh_asa-fwsmconfig_diff <hostname> <commands>\n";
    send_user "ERROR: Must be run from /var/ossec\n";
    exit 1;
}

# NOTE: this script must be called from within /var/ossec for it to work
set passlist "agentless/.passlist"
set hostname [lindex $argv 0]
set commands [lrange $argv 1 end]
set pass "x"
set addpass "x"
set timeout 20

if {[string compare $hostname "test"] == 0} {
    if {[string compare $commands "test"] == 0} {
        exit 0;
    }
}

# Read the password list
if [catch {
    set in [open "$passlist" r]
} loc_error] {
    send_user "ERROR: Password list not present (use \"register_host\" first).\n"
    exit 1;
}

while {[gets $in line] != -1} {
        set me [string first "|" $line]
        set me2 [string last "|" $line]
        set length [string length $line]

        if {$me == -1} {
            continue;
        }
        if {$me2 == -1} {
            continue;
        }
        if {$me == $me2} {
            continue;
        }

        set me [expr $me-1]
        set me2 [expr $me2-1]

        set host_list [string range $line 0 $me]
        set me [expr $me+2]
        set pass_list [string range $line $me $me2]
        set me2 [expr $me2+2]
        set addpass_list [string range $line $me2 $length]

        if {[string compare $host_list $hostname] == 0} {
            set pass "$pass_list"
            set addpass "$addpass_list"
            break
        }
}
close $in

if {[string compare $pass "x"] == 0} {
    send_user "ERROR: Password for '$hostname' not found.\n"
    exit 1;
}

# SSH to the box and pass the directories to check
if [catch {
    spawn ssh -c des $hostname
} loc_error] {
    send_user "ERROR: Opening connection: $loc_error.\n"
    exit 1;
}

expect {
    "WARNING: REMOTE HOST" {
        send_user "ERROR: RSA host key for '$hostname' has changed. Unable to access.\n"
        exit 1;
    }
    "*sure you want to continue connecting*" {
        send "yes\r"
        expect "* password:*" {
            send "$pass\r"

            expect {
                "Permission denied" {
                    send_user "ERROR: Incorrect password to remote host: $hostname .\n"
                    exit 1;
                }
                timeout {
                    send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
                    exit 1;
                }
                "*>" {
                    send_user "\nINFO: Starting.\n"
                }
            }
        }
    }
    "ssh: connect to host*" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1;
    }
    "no address associated with name" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1;
    }
    "*Connection refused*" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1;
    }
    "*Connection closed by remote host*" {
        send_user "ERROR: Unable to connect to remote host: $hostname .\n"
        exit 1;
    }
    "* password:*" {
        send "$pass\r"

        expect {
            "Permission denied" {
                send_user "ERROR: Incorrect password to remote host: $hostname .\n"
                exit 1;
            }
            timeout {
                send_user "ERROR: Timeout while running on host (too long to finish): $hostname .\n"
                exit 1;
            }
            "*>" {
                send_user "INFO: Starting.\n"
            }
        }
    }
    timeout {
        send_user "ERROR: Timeout while connecting to host: $hostname . \n"
        exit 1;
    }
}

# Go into enable mode
send "enable\r"
expect {
    "Password:" {
        send "$addpass\r"

        expect {
            "*asswor*" {
                send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
                exit 1;
            }
            "*rror in authenticatio*" {
                send_user "ERROR: Incorrect enable password to remote host: $hostname .\n"
                exit 1;
            }
            timeout {
                send_user "ERROR: Timeout while going to enable mode on host: $hostname .\n"
                exit 1;
            }
            "*#" {
                send_user "ok on enable pass\n"
            }
        }
    }
    timeout {
        send_user "ERROR: Timeout while running enable on host: $hostname .\n"
        exit 1;
    }
}

# Send commands
set timeout 60
send_user "\nSTORE: now\n"

send "term pager 0\r"

# Exclude uptime from the output
send "show version | grep -v Configuration last| up\r"
send "show running-config\r"
send "$commands\r"
send "exit\r"

expect {
    timeout {
        send_user "ERROR: Timeout while running commands on host: $hostname .\n"
        exit 1;
    }
    eof {
        send_user "\nINFO: Finished.\n"
        exit 0;
    }
}

send_user "ERROR: Unable to finish properly.\n"
exit 1;