Question

尝试过滤未启用日志的防火墙安全策略。

我只是重新定义了策略，该策略提供了与“操作和日志设置”匹配的策略输出。但是我不知道任何过滤机制。

#zcat config.gz | egrep permit\|deny\|log | grep policy 
set security policies from-zone Trust to-zone Untrust policy 44 then permit  
set security policies from-zone Trust to-zone Untrust policy 44 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 34 then permit  
set security policies from-zone Trust to-zone Untrust policy 34 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 82 then permit  
set security policies from-zone Trust to-zone Untrust policy 82 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 82 then log session-close  
set security policies from-zone Trust to-zone Untrust policy 73 then deny  
set security policies from-zone Trust to-zone Untrust policy 73 then log session-close  
set security policies from-zone Trust to-zone Untrust policy 72 then deny  
set security policies from-zone Trust to-zone Untrust policy 72 then log session-close  
set security policies from-zone Trust to-zone Untrust policy 67 then permit  
set security policies from-zone Trust to-zone Untrust policy 53 then permit  
set security policies from-zone Trust to-zone Untrust policy 53 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 30 then deny  
set security policies from-zone Trust to-zone Untrust policy 30 then log session-close  
set security policies from-zone Trust to-zone Untrust policy 75 then permit  
set security policies from-zone Trust to-zone Untrust policy 75 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 76 then permit  
set security policies from-zone Trust to-zone Untrust policy 28 then permit  
set security policies from-zone Trust to-zone Untrust policy 28 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 50 then permit  
set security policies from-zone Trust to-zone Untrust policy 50 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 51 then permit  
set security policies from-zone Trust to-zone Untrust policy 51 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 55 then permit  
set security policies from-zone Trust to-zone Untrust policy 55 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 56 then permit  
set security policies from-zone Trust to-zone Untrust policy 79 then permit  
set security policies from-zone Trust to-zone Untrust policy 79 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 57 then permit  
set security policies from-zone Trust to-zone Untrust policy 57 then log session-init  
set security policies from-zone Trust to-zone Untrust policy 58 then permit  
set security policies from-zone Trust to-zone Untrust policy 58 then log session-init

我想知道未启用日志的策略。

示例： “政策67”仅具有许可声明，但未记录。策略名称应被过滤掉并显示出来。

Answer 1

对于真正的多维数组，使用GNU awk：

param(
    [String]$Path
)
CMD /C "DIR /B $Path"

任何awk：

$ cat tst.awk
/permit|deny|log/ && /policy/ { present[$9][$11] }
END {
    for (policy in present) {
        if ( !( "log" in present[policy] ) ) {
            print policy
        }
    }
}

$ awk -f tst.awk file
56
67
76

使用上述方法，您可以编写$ cat tst.awk /permit|deny|log/ && /policy/ { policies[$9]; present[$9,$11] } END { for (policy in policies) { if ( !( (policy,"log") in present ) ) { print policy } } }语句来测试每种策略所需的状态组合。

Answer 2

在一次调用中使用awk：

zcat config.gz | awk '
$8 == "policy" {
  if ($11 ~ /permit|deny/ && !($9 in log_enabled))
    policies[$9]
  else if ($11 == "log") {
    log_enabled[$9]
    delete policies[$9]
  }
}
END {
  for (policy in policies)
      print "policy", policy
}'

如果每个策略必须必须至少执行一个操作，它将变得更加容易：

zcat config.gz | awk '
/policy.*(permit|deny|log)/ {
  policies[$9]++
}
END {
  for (policy in policies)
    if (policies[policy] == 1)
      print "policy", policy
}'

Answer 3

使用awk / sed并不是那么容易，因为问题需要查看多行。一种解决方案可能是：

sort -n -k9,9 stackoverflow55844671.txt | \
    awk '{if(prev==$9){
            logged += ($0 ~ / log /)
          }else{
            if(logged==0){print prev};
            prev=$9;
            logged=($0 ~ / log /)
          }
        }END{if(logged==0){print prev}}'

首先，它根据策略编号（第9个字段）对行进行排序，然后awk部分处理每行，但存储策略的值和模式匹配的输出（随意修改正则表达式）

这给了我

56
67
76

Answer 4

请您尝试以下操作。（不是字符串策略的硬编码字段值）

awk '
match($0,/policy [0-9]+/){
  if(($NF=="permit" || $NF=="deny")|| ($(NF-1)=="log" && $NF~/session/)){
     a[substr($0,RSTART,RLENGTH)]++
  }
}
END{
  for(i in a){
     if(a[i]<2){
       print i,a[i]
     }
  }
}
'   Input_file

您可以从a[i]的{{1}}块的上述代码中删除END，以得到其出现的总数，以防您也不需要它。

Answer 5

这是AWK解决方案：

/policy.*(permit|deny|log)/ {
  policy = $0
  gsub(/.*then /, "", policy)
  ar[$9] = ar[$9] " " policy
}
END {
  for (key in ar)
    if (ar[key] !~ /log/)
      print "policy", key, ar[key]
}

测试：

$ awk -f test.awk <<< $data
policy 56  permit
policy 76  permit
policy 67  permit

请注意，此解决方案的优点是可以同时报告策略编号和策略详细信息。

Answer 6

对于那些可能喜欢两遍解决方案的人：

$ awk 'NR==FNR {if (/then log/) logging[$9]; next} 
       /then (permit|deny)/ && !($9 in logging)' file file

set security policies from-zone Trust to-zone Untrust policy 67 then permit
set security policies from-zone Trust to-zone Untrust policy 76 then permit
set security policies from-zone Trust to-zone Untrust policy 56 then permit

或者如果您只想打印行的一部分：

$ awk 'NR==FNR {if (/then log/) logging[$9]; next} 
       /then (permit|deny)/ && !($9 in logging) {print $8,$9}' file file

policy 67
policy 76
policy 56

在给定的行对中找到没有关键字的行

6 个答案: