The setup and time investment to get started has gone down to the minimal amount possible. Flint is now packaged (for lack of a better term) with all of the required Ruby gems and Redis. That means no more installing the other requirements by hand, which lowers the potential to b0rk your attempts at using Flint. Error output has vastly improved: when you run into an error, the error-causing line is now part of the error output. Also, bug fixes get turned around so quickly that often *I* am the one holding up the process of testing my own config files.
You will want to check out Flint's updated site, because there are now different options for getting started: from the source, from the git repo, and even from a virtual machine setup.
Here is the general process that I use now to pull updates and test new versions:
(from the Flint directory)
$ git pull
$ rake reset
$ rake app
$ rake app --trace (You'll know when it's necessary, trust me.)
The process is not groundbreaking. If you end up having to run "rake app --trace" be kind, rewind, and send a bug report to flint [at] matasano.com.
Some other tidbits about Flint that might be useful are the script/analyze and script/pix_parser scripts. These can be used to test snippets of config files or parse whole config files, and in general act as a shortcut for having to use the GUI to reproduce bugs.
Until you start running your various, collected config files through Flint and probing them in deep dark places, you will not realize how messed up some Cisco configs really are. And I'm not just talking about porous rule sets.
In particular, you will want to pay attention to the "Rule Syntax" section of the report output. This is the section where rule syntax errors are placed. What Flint does is compare every configuration line against the published Cisco PIX Firewall Command Reference. When errors are found, the error-causing line, the error, and the associated config line are output. More than once this has notified me of copy/paste errors that get introduced in the shuffling of files.
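To make the shape of that check concrete, here is an added Ruby sketch (not Flint's own code) that validates each config line against a hand-written grammar and reports the line number, the error, and the offending line. The four-command grammar and the sample config are assumptions constructed for this example; Flint itself checks against the full Cisco PIX Firewall Command Reference.

```ruby
# Illustration of a "Rule Syntax" style check. The grammar below is a tiny,
# hand-written subset assumed for the example, not Flint's grammar and not the
# complete PIX command reference.
IP   = /(?:\d{1,3}\.){3}\d{1,3}/
ADDR = /any|host\s+#{IP}|#{IP}\s+#{IP}/              # any | host A.B.C.D | A.B.C.D MASK
PORT = /(?:eq|lt|gt|neq)\s+\S+|range\s+\S+\s+\S+/    # optional port operator

GRAMMAR = {
  'access-list'  => /\Aaccess-list\s+\S+\s+(?:extended\s+)?(?:permit|deny)\s+(?:ip|tcp|udp|icmp)\s+#{ADDR}(?:\s+#{PORT})?\s+#{ADDR}(?:\s+#{PORT})?\z/,
  'access-group' => /\Aaccess-group\s+\S+\s+(?:in|out)\s+interface\s+\S+\z/,
  'nameif'       => /\Anameif\s+\S+\s+\S+\s+security\d{1,3}\z/,
  'hostname'     => /\Ahostname\s+\S+\z/,
}.freeze

# Returns [line_number, error, config_line] for every line that fails the
# grammar. Blank lines and PIX comment lines ("!" or ":") are skipped.
def check_syntax(config)
  errors = []
  config.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('!', ':')
    cmd  = line.split.first
    rule = GRAMMAR[cmd]
    if rule.nil?
      errors << [lineno, "unknown command '#{cmd}' (not in reference subset)", line]
    elsif line !~ rule
      errors << [lineno, "'#{cmd}' does not match reference syntax", line]
    end
  end
  errors
end

# Constructed sample config: line 6 carries a doubled keyword and line 7 lost
# its destination, the kind of damage copy/paste shuffling introduces.
SAMPLE_CONFIG = <<~CFG
  ! constructed sample, not a real device config
  hostname pix-lab
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  access-list OUTSIDE_IN permit tcp any host 10.0.0.5 eq 443
  access-list OUTSIDE_IN permit permit tcp any host 10.0.0.6 eq 25
  access-list OUTSIDE_IN deny ip any
  access-group OUTSIDE_IN in interface outside
CFG

if __FILE__ == $PROGRAM_NAME
  check_syntax(SAMPLE_CONFIG).each do |lineno, err, line|
    puts "line #{lineno}: #{err}\n  #{line}"
  end
end
```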