I just wrote a quick script to find unused domain objects. For now, it only tells you they are unused so you can delete them yourself, but it would be simple to make it delete them. The only thing you should need to do is set the value of cmaAddress on the first line if you are using an MDS. It should be the address of a CMA as shown in the output of 'mdsstat'.
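# Set to the address of a CMA (as shown by 'mdsstat') when running on an MDS.
cmaAddress=""
# Port taken from the "APACHE Gaia Port" line of 'api status'.
portNumber=$(api status | grep "APACHE Gaia Port" | awk '{print $NF}')

# showAll <type>: print every object of the given type, one compact JSON
# object per line, fetching 500 objects per call.
showAll() {
    IFS=$(printf "\377")
    sharedArguments=( --port "${portNumber}" -f json ${cmaAddress:+-d "${cmaAddress}"} -r true show "${1}" details-level full limit 500 )
    if ! firstResult=$(mgmt_cli "${sharedArguments[@]}"); then return 1; fi
    # The closing quote sits on its own line to keep a trailing newline,
    # which command substitution would otherwise strip.
    toReturn="$(<<<"${firstResult}" jq -c '.objects[]|.')
"
    objectCount=$(<<<"${firstResult}" jq -c '.total')
    if [ "${objectCount}" -lt 501 ]; then echo -n "${toReturn}"; return 0; fi
    # More than one page: fetch the rest at offsets 500, 1000, ...
    for offsetVal in $(seq 500 500 "${objectCount}" 2>/dev/null | tr "\n" "${IFS}"); do
        toReturn+="$(mgmt_cli "${sharedArguments[@]}" offset "${offsetVal}" \
            | jq -c '.objects[]|.')
"
    done
    echo -n "${toReturn}"
}

# Reduce each domain object to its UID and name.
allDomains="$(showAll dns-domains \
    | jq -c '{uuid:.uid,name:.name}')"

echo "" && echo "Working in ${cmaAddress:+CMA }${cmaAddress:-SmartCenter}" && \
echo "${allDomains[@]}" | while read -r dnsDomain; do
    printf "Domain: %s" "$(<<<"${dnsDomain}" jq '.name')"
    # A "used-directly" total of 0 from 'where-used' means nothing references the object.
    if [ "0" == "$(mgmt_cli --port "${portNumber}" -f json ${cmaAddress:+-d "${cmaAddress}"} -r true \
        where-used uid "$(<<<"${dnsDomain}" jq '.uuid')" \
        | jq '."used-directly".total')" ]; then
        echo " is unused"
    else
        # Anything else: erase the line so the next domain overwrites it.
        printf "\33[2K\r"
    fi
done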
It works by dumping a list of all of the domain objects in the management, then running 'where-used' for each of them. It shows the domain it's currently checking. If the domain is unused, it tells you. If it's used by something, it wipes the line and moves on to the next domain. Here's how the output looks on my lab SmartCenter:
[Expert@DallasSC]# echo "${allDomains[@]}"
{"uuid":"f7bb7e18-4bad-4330-8f2e-4236e6b47382","name":".github.com"}
{"uuid":"df0e50bc-9055-42fd-9d70-216dd7eb73b8","name":".test.com"}
{"uuid":"7eb334af-4088-4665-b26e-b4039f4b862e","name":".time.apple.com"}
{"uuid":"c5ee68ba-c77f-44ce-9907-8001689cbea9","name":".time.windows.com"}
{"uuid":"3ca51f4e-edec-4de3-ae4a-c83c84d0d928","name":".updates.windows.com"}
{"uuid":"c439cf97-4762-4ae7-a759-07c1651d4f2a","name":".www.github.com"}
[Expert@DallasSC]# echo "" && echo "Working in ${cmaAddress:+CMA $cmaAddress}${cmaAddress:-SmartCenter}" && \
> echo "${allDomains[@]}" | while read dnsDomain;do
> printf "Domain: %s" "$(<<<"${dnsDomain}" jq '.name')"
> if [ "0" == "$(mgmt_cli --port "${portNumber}" -f json ${cmaAddress:+-d "${cmaAddress}"} -r true \
> where-used uid "$(<<<"${dnsDomain}" jq '.uuid')" \
> | jq '."used-directly".total')" ];then
> echo " is unused"
> else
> printf "\33[2K\r"
> fi
> done
Working in SmartCenter
Domain: ".test.com" is unused
Edited to fix a dumb issue causing the CMA address to be printed twice.
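An added example, not part of the original post: in the loop above, any where-used reply whose total is not 0, including a failed call, takes the else branch and the line is wiped. The variant below reports such replies as "unknown" so they are not mistaken for a verdict when deciding what to delete. The function names and the sample replies are constructed for illustration; only the `"used-directly".total` field comes from the script above.

```bash
#!/bin/bash
# Added example. classifyUsage reads one where-used reply (JSON) on stdin
# and prints exactly one of: unused, used, unknown.
classifyUsage() {
    local verdict
    verdict=$(jq -r '
        if type != "object" then "unknown"
        else ."used-directly".total as $t
        | if ($t | type) != "number" then "unknown"
          elif $t == 0 then "unused"
          else "used" end
        end' 2>/dev/null) || verdict="unknown"   # jq could not parse the reply
    echo "${verdict:-unknown}"                    # empty reply prints nothing
}

# Constructed stand-in for the post's 'mgmt_cli ... where-used uid <uid>' call,
# so the example runs offline. The replies are sample data, not captured output.
sampleReply() {
    case "${1}" in
        .test.com)       echo '{"used-directly":{"total":0}}' ;;
        .github.com)     echo '{"used-directly":{"total":2}}' ;;
        .broken.example) echo '{"code":"constructed_error","message":"constructed"}' ;;
        *)               echo 'not json' ;;
    esac
}

# Print "<domain><TAB><verdict>" per domain. Only "unused" is a deletion
# candidate; "unknown" means the check has to be repeated.
reportDomains() {
    local name
    for name in "$@"; do
        printf '%s\t%s\n' "${name}" "$(sampleReply "${name}" | classifyUsage)"
    done
}

reportDomains .test.com .github.com .broken.example .timeout.example
```

To use it against a real management server, pipe the where-used call from the script above into `classifyUsage` in place of `sampleReply`.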