CPUG: The Check Point User Group


Thread: Command prompt improvements

  1. #1

    Command prompt improvements

    Check Point's command prompt for BASH kind of sucks. I've been working on some improvements. With these changes, when you log in with an unprivileged account (which must be a member of the group 'root'), you get your username and the traditional $ in the prompt. When you elevate to root (/usr/bin/sudo -u admin -s), you get the "Expert" username and the # prompt. It figures out whether you are using VSX and if not, leaves the VSID off. It figures out if you're running a cluster and if so, includes the current status of the member (as of when the prompt was printed) in the prompt. Here is an example of what it will print on a cluster member running VSX:

    Code:
    [bobz@MyFW1:0 ACTIVE]$ sudo -u admin -s
    [sudo] password for bobz: 
    [Expert@MyFW1:0 ACTIVE]# fw ver
    This is Check Point's software version R80.20 - Build 047
    [Expert@MyFW1:0 ACTIVE]# vsenv 1
    Context is set to Virtual Device exampleVS (ID 1).
    [Expert@MyFW1:1 ACTIVE]#

    With minor changes (mostly to the paths), this should work on all versions of GAiA before the 3.10 kernel (up through R80.10 management, or R80.20 firewall). The 3.10 kernel uses network namespaces rather than VRFs, so the VSX detection will need some changes once the firewall release gets that kernel. I have included an experimental version which should work on kernel 3.10 systems (R80.20 management and whatever firewall version ends up getting it).

    The big non-path difference between versions ≤R80.10 and R80.20 is the output format of cphaprob state. It changed to be more descriptive, but the new table includes another column for the cluster member name. Thus, we go from printing the last field in ≤R80.10 to printing the next-to-last field in R80.20. awk stores the number of fields in the variable $NF, so the last field is $NF, and the next-to-last field is $(NF-1).

    If there is any other information you want to add, the format to do so should be pretty clear from the examples.

    You may wonder why I have full paths to cpprod_util and cphaprob. The reason is it helps keep things more secure. Without the full path to the executable, someone could add . to their $PATH, make their own executable named 'cphaprob', then use sudo to run it as root.

    I have tested this moderately thoroughly on R80.20 firewalls. I've also done some light testing on R77.30. In both cases, you should absolutely test this on non-critical infrastructure before deploying it on anything which matters.


    For R77.30
    Add these lines to /etc/sudoers (be sure to use visudo!):
    Code:
    %root	ALL=(ALL)	ALL
    %root	ALL=(ALL)	NOPASSWD: /bin/bash -c /opt/CPshrd-R77/bin/cpprod_util FwIsHighAvail
    %root	ALL=(ALL)	NOPASSWD: /bin/bash -c /opt/CPsuite-R77/fw1/bin/cphaprob state
    Trash the PS1 block from /etc/bashrc, and add this instead:
    Code:
    PS1="["
    # Root (Expert mode): [Expert@host[:VSID] [STATE]]#
    if [ "$EUID" = "0" ]; then
    	PS1+="Expert@\h"
    	# VSX: more than one VRF exists, so show the current VSID.
    	# The escaped \$( ) is evaluated each time the prompt is printed, not once at login.
    	if [ -d /proc/vrf ] && [ $(ls /proc/vrf/ | wc -l) -gt 1 ]; then
    		PS1+=":\$(cat /proc/self/vrf)"
    	fi
    	# Cluster member: append the local member's state (last column of cphaprob state on <=R80.10)
    	if [ $(cpprod_util FwIsHighAvail) -ne 0 ]; then
    		PS1+=" \$(cphaprob state | grep 'local' | awk '{print \$NF}')"
    	fi
    	PS1+="]# "
    else
    	# Unprivileged user: [user@host[:VSID] [STATE]]$
    	# Check Point tools are run through sudo with full paths; -n makes sudo fail rather than prompt for a password.
    	PS1+="\u@\h"
    	if [ -d /proc/vrf ] && [ $(ls /proc/vrf/ | wc -l) -gt 1 ]; then
    		PS1+=":\$(cat /proc/self/vrf)"
    	fi
    	if [ $(/usr/bin/sudo -u admin -n -i /opt/CPshrd-R77/bin/cpprod_util FwIsHighAvail) -ne 0 ]; then
    		PS1+=" \$(/usr/bin/sudo -u admin -n -i /opt/CPsuite-R77/fw1/bin/cphaprob state | grep 'local' | awk '{print \$NF}')"
    	fi
    	PS1+="]$ "
    fi
    export PS1


    For R80.20 Firewalls
    Add these lines to /etc/sudoers (be sure to use visudo!):
    Code:
    %root	ALL=(ALL)	ALL
    %root	ALL=(ALL)	NOPASSWD: /bin/bash -c /opt/CPshrd-R80.20/bin/cpprod_util FwIsHighAvail
    %root	ALL=(ALL)	NOPASSWD: /bin/bash -c /opt/CPsuite-R80.20/fw1/bin/cphaprob state
    Trash the PS1 block from /etc/bashrc, and add this instead:
    Code:
    PS1="["
    # Root (Expert mode): [Expert@host[:VSID] [STATE]]#
    if [ "$EUID" = "0" ]; then
    	PS1+="Expert@\h"
    	# VSX: more than one VRF exists, so show the current VSID (evaluated at each prompt).
    	if [ -d /proc/vrf ] && [ $(ls /proc/vrf/ | wc -l) -gt 1 ]; then
    		PS1+=":\$(cat /proc/self/vrf)"
    	fi
    	# Cluster member: R80.20 cphaprob state has a trailing Name column, so the state is the next-to-last field.
    	if [ $(cpprod_util FwIsHighAvail) -ne 0 ]; then
    		PS1+=" \$(cphaprob state | grep 'local' | awk '{print \$(NF-1)}')"
    	fi
    	PS1+="]# "
    else
    	# Unprivileged user: Check Point tools run through sudo with full paths; -n never prompts for a password.
    	PS1+="\u@\h"
    	if [ -d /proc/vrf ] && [ $(ls /proc/vrf/ | wc -l) -gt 1 ]; then
    		PS1+=":\$(cat /proc/self/vrf)"
    	fi
    	if [ $(/usr/bin/sudo -u admin -n -i /opt/CPshrd-R80.20/bin/cpprod_util FwIsHighAvail) -ne 0 ]; then
    		PS1+=" \$(/usr/bin/sudo -u admin -n -i /opt/CPsuite-R80.20/fw1/bin/cphaprob state | grep 'local' | awk '{print \$(NF-1)}')"
    	fi
    	PS1+="]$ "
    fi
    export PS1


    For R80.20 SmartCenter (EXPERIMENTAL!)
    Add these lines to /etc/sudoers (be sure to use visudo!):
    Code:
    %root	ALL=(ALL)	ALL
    %root	ALL=(ALL)	NOPASSWD: /bin/bash -c /opt/CPshrd-R80.20/bin/cpprod_util FwIsHighAvail
    %root	ALL=(ALL)	NOPASSWD: /bin/bash -c /opt/CPsuite-R80.20/fw1/bin/cphaprob state
    Trash the PS1 block from /etc/bashrc, and add this instead:
    Code:
    PS1="["
    # Root (Expert mode): [Expert@host[:VSID] [STATE]]#
    if [ "$EUID" = "0" ]; then
    	PS1+="Expert@\h"
    	# Kernel 3.10: VSX uses network namespaces instead of VRFs, so detect more than one netns.
    	if [ $(ip netns list | wc -l) -gt 1 ]; then
    		PS1+=":\$(cat /proc/self/netns)"
    	fi
    	# Cluster member: R80.20 layout, state is the next-to-last field.
    	if [ $(cpprod_util FwIsHighAvail) -ne 0 ]; then
    		PS1+=" \$(cphaprob state | grep 'local' | awk '{print \$(NF-1)}')"
    	fi
    	PS1+="]# "
    else
    	# Unprivileged user: Check Point tools run through sudo with full paths; -n never prompts for a password.
    	PS1+="\u@\h"
    	if [ $(ip netns list | wc -l) -gt 1 ]; then
    		PS1+=":\$(cat /proc/self/netns)"
    	fi
    	if [ $(/usr/bin/sudo -u admin -n -i /opt/CPshrd-R80.20/bin/cpprod_util FwIsHighAvail) -ne 0 ]; then
    		PS1+=" \$(/usr/bin/sudo -u admin -n -i /opt/CPsuite-R80.20/fw1/bin/cphaprob state | grep 'local' | awk '{print \$(NF-1)}')"
    	fi
    	PS1+="]$ "
    fi
    export PS1

    Zimmie
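A version-agnostic take on the prompt's `grep 'local' | awk` step, plus a check that the NOPASSWD sudoers rules really use full paths, as an added example rather than Zimmie's code. The cphaprob output is constructed to mimic the two layouts described above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.  The two cphaprob state
# samples below are constructed to resemble the pre-R80.20 and R80.20 layouts.

# Pre-R80.20 layout: "State" is the last column.
SAMPLE_OLD='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.0.2.1       100%            Active
2          192.0.2.2       0%              Standby'

# R80.20 layout: a trailing "Name" column pushes the state to next-to-last.
SAMPLE_NEW='Cluster Mode:   High Availability (Active Up)

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.0.2.1       100%            ACTIVE         MyFW1
2          192.0.2.2       0%              STANDBY        MyFW2'

# Print the local member's state from cphaprob output on stdin.  awk keeps the
# field count in NF, so $NF is the last field; the header row decides whether
# to step back one column, so the same pipeline works on both layouts.
local_cluster_state() {
    awk '
        /State/ && $NF == "Name" { offset = 1 }    # R80.20 header detected
        /\(local\)/ { print $(NF - offset); exit }  # offset is 0 if never set
    '
}

# Lint sudoers rules on stdin: a NOPASSWD command that is not an absolute path
# (after an optional "/bin/bash -c") would be resolved through the caller
# controlled $PATH and run as root.  Prints offenders; exits 1 if any found.
lint_sudoers_paths() {
    awk '
        BEGIN { bad = 0 }
        /NOPASSWD:/ {
            cmd = $0
            sub(/.*NOPASSWD:[[:space:]]*/, "", cmd)
            sub(/^\/bin\/bash[[:space:]]+-c[[:space:]]+/, "", cmd)
            if (cmd !~ /^\//) { print "relative command: " $0; bad = 1 }
        }
        END { exit bad }
    '
}

# Stand-alone demo: prints ACTIVE
printf '%s\n' "$SAMPLE_NEW" | local_cluster_state
```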

  2. #2

    Re: Command prompt improvements

    I was asked what I meant by "trash the PS1 block". The block I'm talking about is this one towards the end of /etc/bashrc:
    Code:
    if [ -f /etc/profile.d/vsenv.sh ] && [ -n "${VRF_NUMBER}" ]; then
       export PS1='[Expert@$HOSTNAME:`cat /proc/self/vrf`]# '
       vsenv $VRF_NUMBER 1>/dev/null 2>&1
    else
       export PS1='[Expert@$HOSTNAME]# '
    fi

    That block should be removed and replaced by the block for the appropriate version. You can also remove the VSX block just above it:
    Code:
    if [ -f /proc/self/vrf ]; then
        VRF_NUMBER=`cat /proc/self/vrf`
    else
        VRF_NUMBER=""
    fi

    Leaving it won't hurt anything, but the test in the 'if' statement is wrong, and the code doesn't really do anything at this point.

    Zimmie
