topic Adding cron jobs with quotes in Firewall and Security Management

Adding cron jobs with quotes

Harald_Hansen — Tue, 17 Nov 2020 07:55:05 GMT

One of the problems having gaia reinventing the wheel is the problem of adding simple commands using quotes.

For instance, a simple find command does not execute due to quotes being removed and wildcards executed in the wrong context.

Example, I want to clean up the /var/log/CPbackup/backups folder on a schedule.

The linux admin way is to do something like this in crontab:

00 05 * * * find /var/log/CPbackup/backups/ -name "*.tgz" -type f -mtime +1 -delete -print

When adding this command with clish (add cron) the quotes disappear and the entire command changes fatally.

So one can "trick" clish by adding single quotes:

add cron job backup_cleanup command 'find /var/log/CPbackup/backups/ -name "*.tgz" -type f -mtime +1 -delete -print' recurrence daily time 05:00

Though what happens if you do a `show configuration cron`?

harald-r80-40-mgmt> show configuration cron add cron job backup_cleanup command "find /var/log/CPbackup/backups/ -name "*.tgz" -type f -mtime +1 -delete -print" recurrence daily time 07:45

The double quotes are back again!

So if you want to be safe, don't use commands in gaia cron, call a script. Also remember sk90441 (and sk167632).

A plea to the clish developers; if you really have to reinvent the wheel, at least make it round.

Re: Adding cron jobs with quotes

Danny — Tue, 17 Nov 2020 08:56:07 GMT

You always have to know the environment you are working with. Clish isn't Expert mode and has it's own limitations. Even when you are directly working on a Linux Bash you have to know how to work with single and double quotes in combination. You'll often find situations where you need to escape them \" to make something work. When your code gets too complex you'll sometimes even have to find more advanced ways to hide your code from Bash's syntax checking which is when you base64 encode it and only decode it at execution time.

I always use this approach to cleanup the backup folder with no quotes involved:

ls -tl /var/log/CPbackup/backups/*.tgz|tail -n +10|xargs rm -f

Re: Adding cron jobs with quotes

Harald_Hansen — Tue, 17 Nov 2020 09:00:37 GMT

Thanks for the tip, though I would avoid using -f when running any command as root.

Also, we don't need to make excuses for the clish developers, the clish environment has to improve, as expectations are for it to be linux compatible. Even though there are limitations these are not easy to discern and the edge cases are many.

Re: Adding cron jobs with quotes

G_W_Albrecht — Tue, 17 Nov 2020 12:09:02 GMT

Why should clish improve by integrating bash ? You had the same difference in old SPLAT and have the same in GAiA Embedded, a linux compatible shell and a non-Linux CP config shell.

Re: Adding cron jobs with quotes

Harald_Hansen — Tue, 17 Nov 2020 12:12:37 GMT

One could at least expect clish to keep quotes straight. The reason why is clish overwriting crontab, which splat did not do (if I remember correctly).

Re: Adding cron jobs with quotes

Danny — Tue, 17 Nov 2020 14:09:40 GMT

For security reasons Check Point is moving towards a general usage of its Clish, more and more avoiding the need for modifications within expert mode. Double quotes are a special thing even in pure Bash. Especially when not directly used at CLI which is the case for Clish scripts. Therefore I try to avoid using several characters and words and special characters at CLI, such as - and ", wherever possible > Script example.

Re: Adding cron jobs with quotes

John_Fleming — Tue, 17 Nov 2020 18:03:32 GMT

Did you mean to leave the long option in there? Also this also doesn't protect against files with spaces in the names (just throwing it out there).

Re: Adding cron jobs with quotes

Harald_Hansen — Wed, 18 Nov 2020 13:11:23 GMT

>For security reasons Check Point is moving towards a general usage of its Clish

Then the developers should work even harder to improve clish and avoid the above mentioned pitfalls.

>avoiding the need for modifications within expert mode

The day I'm forced to work without expert is the day I'll move to that other firewall eco system. The main difference between CP and and that firewall is the possibility to troubleshoot with a shell and with Linux-ish behaviour.

Re: Adding cron jobs with quotes

PhoneBoy — Sun, 22 Nov 2020 00:41:40 GMT

Even though it shows with double quotes, does the command you added actually work?
Seems to me this is a bug (visual or otherwise) and a TAC case is suggested.

Re: Adding cron jobs with quotes

Harald_Hansen — Mon, 23 Nov 2020 07:20:56 GMT

Probably it is a visual bug until you export and import the clish configuration:

harald-r80-40-mgmt> add cron job testquote command "echo 'testing quotes'" recurrence daily time 09:00 harald-r80-40-mgmt> add cron job testquoteinvert command 'echo "testing quotes inverted"' recurrence daily time 09:00 harald-r80-40-mgmt> show configuration cron add cron job testquoteinvert command "echo "testing quotes inverted"" recurrence daily time 09:00 add cron job testquote command "echo 'testing quotes'" recurrence daily time 09:00 [Expert@harald-r80-40-mgmt:0]# crontab -l # This file was AUTOMATICALLY GENERATED # Generated by /bin/cron_xlate on Mon Nov 23 08:13:05 2020 # # DO NOT EDIT # SHELL=/bin/bash MAILTO="" # # mins hrs daysinm months daysinw command # ##testquoteinvert 00 09 * * * echo "testing quotes inverted" ##testquote 00 09 * * * echo 'testing quotes'

Re: Adding cron jobs with quotes

Norbert_Bohusch — Mon, 23 Nov 2020 07:34:04 GMT

I would recommend putting everything, even if it's only a single line command into a separate shell script and only invoking this through cron.

Re: Adding cron jobs with quotes

Harald_Hansen — Tue, 24 Nov 2020 10:36:13 GMT

While I agree, it requires additional steps while upgrading that are easy to forget.

If I could keep things simple and configure everything in clish, we would avoid a lot of "I forgot to check this and that".

An example; we have to add some SNMP checks in monitoring for certain customers. Every time someone is doing a jumbo hotfix update we loose the settings and the NOC will call the engineer on duty, usually at night.

Re: Adding cron jobs with quotes

G_W_Albrecht — Tue, 24 Nov 2020 10:57:49 GMT

I would honestly suggest to brief the person installing jumbo hf updates destroying config about the issues they cause - i thought we are all working in security business and just trying not to burn down the house8).

Re: Adding cron jobs with quotes

Harald_Hansen — Tue, 24 Nov 2020 11:02:04 GMT

In a perfect world ... 🙂

In the less perfect, real, instance, you will have people with various levels of knowledge and skill working with the firewalls. Even when we have some kind of responsibility at customers, we cannot deny them access to their own equipment. Or if there is a emergency and someone with no knowledge of the configuration has to do some emergency patching? There are many reasons why things don't go as planned.