Collaborator

Adding cron jobs with quotes

One of the problems with Gaia reinventing the wheel is adding simple commands that use quotes.

For instance, a simple find command does not execute due to quotes being removed and wildcards executed in the wrong context.

Example: I want to clean up the /var/log/CPbackup/backups folder on a schedule.

The Linux admin way is to do something like this in crontab:

00      05      *       *       *       find /var/log/CPbackup/backups/ -name "*.tgz" -type f -mtime +1 -delete -print

When adding this command with clish (add cron) the quotes disappear and the entire command changes fatally.

So one can "trick" clish by adding single quotes:

add cron job backup_cleanup command 'find /var/log/CPbackup/backups/ -name "*.tgz" -type f -mtime +1 -delete -print' recurrence daily time 05:00

Though what happens if you do a `show configuration cron`?

harald-r80-40-mgmt> show configuration cron
add cron job backup_cleanup command "find /var/log/CPbackup/backups/ -name "*.tgz" -type f -mtime +1 -delete -print" recurrence daily time 07:45

The double quotes are back again!

So if you want to be safe, don't use commands in gaia cron, call a script. Also remember sk90441 (and sk167632).

A plea to the clish developers; if you really have to reinvent the wheel, at least make it round.

13 Replies
Champion

You always have to know the environment you are working with. Clish isn't Expert mode and has its own limitations. Even when you are directly working on a Linux Bash you have to know how to work with single and double quotes in combination. You'll often find situations where you need to escape them \" to make something work. When your code gets too complex you'll sometimes even have to find more advanced ways to hide your code from Bash's syntax checking, which is when you base64 encode it and only decode it at execution time.

I always use this approach to cleanup the backup folder with no quotes involved:

ls -tl /var/log/CPbackup/backups/*.tgz|tail -n +10|xargs rm -f
Collaborator

Thanks for the tip, though I would avoid using -f when running any command as root.

Also, we don't need to make excuses for the clish developers: the clish environment has to improve, as the expectation is for it to be Linux compatible. Even though there are limitations, these are not easy to discern and the edge cases are many.

Champion

Why should clish improve by integrating bash? You had the same difference in old SPLAT and have the same in GAiA Embedded: a Linux compatible shell and a non-Linux CP config shell.

Collaborator

One could at least expect clish to keep quotes straight. The reason why is clish overwriting crontab, which splat did not do (if I remember correctly).

Champion

For security reasons Check Point is moving towards a general usage of its Clish, more and more avoiding the need for modifications within expert mode. Double quotes are a special thing even in pure Bash. Especially when not directly used at CLI which is the case for Clish scripts. Therefore I try to avoid using several characters and words and special characters at CLI, such as - and ", wherever possible > Script example.

Collaborator

>For security reasons Check Point is moving towards a general usage of its Clish

Then the developers should work even harder to improve clish and avoid the above mentioned pitfalls.

>avoiding the need for modifications within expert mode

The day I'm forced to work without expert is the day I'll move to that other firewall ecosystem. The main difference between CP and that firewall is the possibility to troubleshoot with a shell and with Linux-ish behaviour.

Advisor

Did you mean to leave the long option in there? This also doesn't protect against files with spaces in the names (just throwing it out there).

Admin

Even though it shows with double quotes, does the command you added actually work?
Seems to me this is a bug (visual or otherwise) and a TAC case is suggested.

Collaborator

Probably it is a visual bug until you export and import the clish configuration:


harald-r80-40-mgmt> add cron job testquote command "echo 'testing quotes'" recurrence daily time 09:00
harald-r80-40-mgmt> add cron job testquoteinvert command 'echo "testing quotes inverted"' recurrence daily time 09:00
harald-r80-40-mgmt> show configuration cron
add cron job testquoteinvert command "echo "testing quotes inverted"" recurrence daily time 09:00
add cron job testquote command "echo 'testing quotes'" recurrence daily time 09:00
[Expert@harald-r80-40-mgmt:0]# crontab -l
#  This file was AUTOMATICALLY GENERATED
#  Generated by /bin/cron_xlate on Mon Nov 23 08:13:05 2020
#
#  DO NOT EDIT
#
SHELL=/bin/bash
MAILTO=""
#
# mins  hrs     daysinm months  daysinw command
#

##testquoteinvert
00      09      *       *       *       echo "testing quotes inverted"

##testquote
00      09      *       *       *       echo 'testing quotes'



I would recommend putting everything, even if it's only a single line command into a separate shell script and only invoking this through cron.
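The script-call approach recommended here, with the space-in-filename and `rm -f` points raised earlier in the thread handled, as an added example (constructed for this page, not code from the thread or from Check Point). The install path, the `run` argument and the environment-variable names are assumptions; the directory, the `-mtime +1` age and the "keep 9 newest" count are the thread's own values.

```shell
#!/bin/bash
# cleanup_backups.sh - constructed example; only this path goes into clish, so no
# quotes reach cron_xlate. Assumed install path and invocation (not a Gaia convention):
#   add cron job backup_cleanup command "/home/admin/cleanup_backups.sh run" recurrence daily time 05:00
set -u

BACKUP_DIR="${BACKUP_DIR:-/var/log/CPbackup/backups}"   # folder named in the thread
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"                       # the original find -mtime +1
KEEP_NEWEST="${KEEP_NEWEST:-9}"                         # "tail -n +10" keeps the 9 newest
DRY_RUN="${DRY_RUN:-0}"                                 # 1 = report instead of delete

# Age-based pruning: the original find command, with the pattern quoted for the shell.
# -exec rm -- {} + passes names verbatim, so spaces or odd characters cannot break it,
# and no -f means a permission problem is reported rather than silently ignored.
prune_older_than_days() {
    local dir="$1" days="$2"
    if [ "$DRY_RUN" = 1 ]; then
        find "$dir" -maxdepth 1 -type f -name '*.tgz' -mtime +"$days" -print
    else
        find "$dir" -maxdepth 1 -type f -name '*.tgz' -mtime +"$days" -exec rm -- {} +
    fi
}

# Count-based retention, a space-safe form of "ls -t ... | tail -n +10 | xargs rm":
# GNU find prints "<mtime> <path>", sorted newest first; everything after the first N goes.
# Spaces in names are fine; a newline in a name is not (use prune_older_than_days then).
keep_newest() {
    local dir="$1" keep="$2"
    find "$dir" -maxdepth 1 -type f -name '*.tgz' -printf '%T@ %p\n' \
        | sort -rn | tail -n +"$((keep + 1))" \
        | while IFS= read -r line; do
            if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "${line#* }"; else rm -- "${line#* }"; fi
          done
}

main() {
    prune_older_than_days "$BACKUP_DIR" "$MAX_AGE_DAYS"
    keep_newest "$BACKUP_DIR" "$KEEP_NEWEST"
}

# Act only when called with "run"; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

Set `DRY_RUN=1` on the first runs to see what would be removed before letting cron call it.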

Collaborator

While I agree, it requires additional steps while upgrading that are easy to forget. 

If I could keep things simple and configure everything in clish, we would avoid a lot of "I forgot to check this and that".

An example: we have to add some SNMP checks in monitoring for certain customers. Every time someone does a jumbo hotfix update we lose the settings and the NOC will call the engineer on duty, usually at night.

Champion

I would honestly suggest briefing the person installing jumbo hf updates that destroy config about the issues they cause - I thought we were all working in the security business and just trying not to burn down the house😎.

Collaborator

In a perfect world ... 🙂

In the less perfect, real, instance, you will have people with various levels of knowledge and skill working with the firewalls. Even when we have some kind of responsibility at customers, we cannot deny them access to their own equipment. Or if there is an emergency and someone with no knowledge of the configuration has to do some emergency patching? There are many reasons why things don't go as planned.
