sunhux asked:

Windows batch script to check security hardening & gen a html report

I'm given hundreds of outputs from Cisco switches / routers, so instead of
manually checking them for compliance to hardening standards, I need
a script to gen reports. So,

I'm given  device1.txt, device2.txt, deviceX.txt...,  all saved into one common folder
where deviceX  is the hostname of the switch/router/device.

Need a batch script (I prefer this over PowerShell as I can enhance it
myself, as I'm very much a 'newbie' in PowerShell) that does something as follows:

@echo off
setlocal
for %%F in (*.txt) do (
   REM one report per device, named after the hostname without the .txt extension
   REM the date is printed in the regional date format rather than DD-MMM-YYYY
   echo Hardening compliance report %DATE% >> "%%~nF.htm"

   find /I "enable secret 5" "%%F" >nul
   REM if the above text is found, errorlevel is 0, then report as compliant
   if not errorlevel 1 (
      REM highlight the text "Compliant" in green text if possible
      echo "enable secret 5" is enabled, ==^> Compliant >> "%%~nF.htm"
   ) else (
      REM highlight the text "Non-Compliant" in red color if possible
      echo "enable secret 5" is disabled ==^> Non-compliant >> "%%~nF.htm"
   )

   find /I "service password encryption" "%%F" >nul
   REM if the above text is found, then report as compliant
   if not errorlevel 1 (
      REM highlight the text "Compliant" in green text if possible
      echo "service password encryption" is enabled, ==^> Compliant >> "%%~nF.htm"
   ) else (
      REM highlight the text "Non-Compliant" in red color if possible
      echo "service password encryption" is Disabled ==^> Non-compliant >> "%%~nF.htm"
   )
)
sunhux (asker):
I'll add on/repeat additional parameters to check eg:

   find /I "hardening parameter X" "%%F" >nul
   REM if the above text is found, then report as compliant
   if not errorlevel 1 (
      REM highlight the text "Compliant" in green text if possible
      echo "hardening parameter X" is enabled, ==^> Compliant >> "%%~nF.htm"
   ) else (
      REM highlight the text "Non-Compliant" in red color if possible
      echo "hardening parameter X" is Disabled ==^> Non-compliant >> "%%~nF.htm"
   )
Shaun Vermaak:
This should give you a starting point

@echo off

for %%f in (*.txt) do call:FindTextInFile "enable secret 5" "%%f"
REM stop here; without this the script falls through into the subroutine below
goto End

:FindTextInFile
REM /I = ignore case, /M = print only the file name, /C: = search for the whole
REM quoted string; without /C: each space-separated word would match on its own
findstr /I /M /C:"%~1" "%~2"
if %errorlevel%==0 (
echo "%~1 is enabled, ==> Compliant")

goto End

:End

sunhux (asker):

Thanks Shaun.

How do I get an output that is in html format so that the report looks formal?
Some sort of html characters need to be inserted into the *.htm files??

Coloring can be another enhancement.

Does the line below "join" the parameter & text together?
"%~1 is enabled, ==> Compliant")
Shaun Vermaak:

> How do I get an output that is in html format so that the report looks formal?
> Some sort of html characters need to be inserted into the *.htm files??

Something like this

REM the tags are escaped with ^ so cmd does not treat < and > as redirections
REM and no stray quote characters end up in the file
echo ^<html^>^<head^>^<title^>Report^</title^>^</head^>^<body^> > report.html
...
echo ^<p style="color:red"^>%~1 is enabled, ==^> Compliant^</p^> >> report.html
...
echo ^</body^>^</html^> >> report.html

> Coloring can be another enhancement.

Using inline styles such as
<p style="color:red">

> Does the line below "join" the parameter & text together?
> "%~1 is enabled, ==> Compliant")

Yes
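Putting the pieces of this thread together (a findstr subroutine per check, one .htm file per device, inline styles for the colouring), here is a complete batch script as an added example; it is not code posted in the thread. It assumes the config dumps sit in the current folder as <hostname>.txt, and the entries in the CHECKS list (including "service password-encryption", the hyphenated spelling of that IOS command, "no ip http server" and "transport input ssh") are assumed hardening lines to replace with your own standard.

```batch
@echo off
setlocal EnableExtensions
REM Added example, not code from this thread: one HTML report per device file.
REM Assumptions: configs are saved as <hostname>.txt in the current folder and
REM each entry in CHECKS is a literal line fragment that a compliant config
REM must contain. Add or change entries to match your hardening standard.
set "CHECKS="enable secret 5" "service password-encryption" "no ip http server" "transport input ssh""

for %%F in (*.txt) do call :WriteReport "%%F"
REM stop here, otherwise execution would fall through into the subroutines
exit /b 0

:WriteReport
set "SRC=%~1"
set "OUT=%~n1.htm"
set "MISSING=0"
REM tags are escaped with ^ so cmd does not treat < and > as redirections;
REM the redirection is placed first so no trailing space is written.
REM The date comes from the DATE variable and follows the regional format.
> "%OUT%" echo ^<html^>^<head^>^<title^>Hardening compliance report - %~n1^</title^>^</head^>^<body^>
>> "%OUT%" echo ^<h2^>Hardening compliance report for %~n1 - %DATE%^</h2^>
>> "%OUT%" echo ^<table border="1"^>^<tr^>^<th^>Check^</th^>^<th^>Result^</th^>^</tr^>
for %%C in (%CHECKS%) do call :CheckOne "%%~C"
>> "%OUT%" echo ^</table^>
if "%MISSING%"=="0" (
    >> "%OUT%" echo ^<p style="color:green"^>^<b^>Overall: Compliant^</b^>^</p^>
) else (
    >> "%OUT%" echo ^<p style="color:red"^>^<b^>Overall: Non-compliant, %MISSING% checks failed^</b^>^</p^>
)
>> "%OUT%" echo ^</body^>^</html^>
echo Wrote %OUT% (%MISSING% failed)
exit /b 0

:CheckOne
REM /I ignores case, /C: searches for the whole quoted string as one literal;
REM without /C: findstr would match any single word of "enable secret 5"
findstr /I /C:"%~1" "%SRC%" >nul
if errorlevel 1 (
    REM errorlevel 1 = string not found, 2 = file could not be read; both count as a failed check
    set /a MISSING+=1
    >> "%OUT%" echo ^<tr^>^<td^>%~1^</td^>^<td style="color:red"^>missing ==^> Non-compliant^</td^>^</tr^>
) else (
    >> "%OUT%" echo ^<tr^>^<td^>%~1^</td^>^<td style="color:green"^>present ==^> Compliant^</td^>^</tr^>
)
exit /b 0
```

Run it from a cmd prompt opened in the folder holding the .txt dumps; each device gets a <hostname>.htm next to its dump, with a per-check row and an overall verdict. The counter is kept in MISSING rather than in errorlevel so the verdict still works when the script is extended with more subroutines.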
ASKER CERTIFIED SOLUTION
oBdA:
This solution is only available to members.
sunhux (asker):

Thanks v much guys.

oBdA, what's the exact command to run the PowerShell script? Need to enter
any parameter on the PowerShell command line? I'm a greenhorn with PowerShell
oBdA:
Save the first code block into a PS1 file and run it from within Powershell.exe
Save the script as Whatever.ps1.
Set the path in line 1.
Set your tests in the $ComplianceTests hash table, like the existing examples.
Then it's not that different from batch:
Open a Powershell console, "cd" (now an alias for Set-Location) into the folder where you saved the file, and enter
.\Whatever.ps1
Notice that to run a PS script, the path is always required, even (and especially) if you're in the same folder as the script; that's to make sure you're actually running the script you're planning to, not maybe a cmdlet or an executable with the same name.
Tab completion is always available.
Most important command:
Get-Help <Cmdlet>

You might have to set the Execution Policy if PS complains that the script is not signed. This is more of a protection against accidental execution, not a real security feature.
Start with
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
in an elevated prompt.
Full solution provided.