3.10 Compliance


If you configure a compliance policy, administrators are alerted when some configuration is missing or invalid. This helps you keep the network stable, safe and robust. When a violation has occurred, the Status Display, Pie Charts and Trap Handlers are the helpful tools: you can analyze the situation and fix the violation quickly.


In order to detect erroneous and unsafe configurations, you have to define a Compliance Rule. A rule is defined with four types of atomic matching query, i.e. Stop on match, Stop if not match, Violation on match and Violation if not match. Each query has one matching string, and netLD checks whether a given configuration matches that string. Depending on whether the query matches the configuration, the four queries have the following effects:


Violation on match  If the query string matches the configuration, it is a violation.

Violation if not match  If the query string does not match any line of the configuration, it is a violation.

Stop on match  If the query string matches the configuration, the configuration is OK regardless of the rest of the queries.

Stop if not match  If the query string does not match any line of the configuration, the configuration is OK regardless of the rest of the queries.


In other words, the "Violation ..." queries act as black lists while the "Stop ..." queries act as white lists. You can create, modify and delete these rules.


A set of compliance rules forms a Rule Set. Rule sets can also be created, modified, copied and deleted. However, you usually do not have to create your own, because many useful rule sets are already provided by default. All default rules are listed in the Data section, Sec. 7.4, p.235.

The following is a rule set provided by default, IOS Interface Auto-Duplex/Speed.


• The interface settings are checked with the following queries:

     – no ip address: Stop on match

     – shutdown: Stop on match

     – duplex auto: Violation if not matched

     – speed auto: Violation if not matched


Additionally, at a higher level, you can define a Policy, which is what is actually applied to each device. A policy in turn consists of a number of rule sets. However, it also manages which devices belong to the policy, which severity (error, warning or info) a violation should be assigned, and the current and historical status of the violations detected on those devices.


3.10.1 Various Rule-related tabs


To define rules, rule sets and policies, you have to open the Compliance tab and edit the elements in each sub tab. Let's review those tabs first.


Rule Sets sub tab


The Rule Sets sub tab (in the main pane) lists the existing rule sets.


Figure 3.10.1: Rule Sets sub tab




Rules sub tab

Double-clicking a Rule Set opens a new tab in the status pane. The new tab contains the following sub-tabs:

Figure 3.10.2: Rules sub-tab (in the status pane): lists the rules of the rule set and provides an interface to modify them.





The items here have the following functions:


Violation Message  The warning message shown when a violation is detected.

Start / End  Available only when Apply to blocks is selected. If activated, the beginning and the end of a block are found by pattern matching, and the violation check is applied only within that block. For example, the expressions below limit the violation check to the part of the configuration between the two matched lines. The corresponding configuration lines are shown in Fig. 3.10.3.


• Start: line VTY ~variable~ (matches line 6)

• End: ! (matches line 9)


Match Expression  The main query of the match, used to determine the violation.

Action  One of the following:

• Stop if not matched

• Stop on match

• Violation if not matched

• Violation on match


Variable  Variables between tildes are added to the bottom window, and any value can be entered for them. Without any filter, a variable means "do not care".

Type  One of the four possible types of variable:


• Text

• IP address

• Host name

• Word


Restriction  If a violation query matches a line in the configuration, a regular expression filter is applied to the value of the variable. If a line matches the violation query but the value of the variable does not match the filter, the violation match is withdrawn.

Figure 3.10.3: Example code snippets (the lines marked with * are those matched by the Start and End expressions above)

     1: banner motd C
     2: Welcome
     3: !
     4: line con 0
     5: line aux 0
     6: line vty 0 4      *
     7: password lvi
     8: login
     9: !                 *
    10: !
    11: end



General sub tab


The General sub tab is meant for writing documentation for maintenance. We strongly suggest that you add documentation to each rule. Suppose one of your administrators quits and no one can maintain or understand the purpose of the rules he had written; you would face a big problem in this case.


Figure 3.10.4: General tab: you can write a general description and specify some other attributes.




Item                                        Description

Description                                 Giving a neat description is good practice.

Apply to the whole config                   Apply the rules to the entire configuration.

Apply to blocks                             Apply the rules to each block the configuration is divided into.

Template                                    Compare the configuration line by line and signal a violation if there is a difference.

Restrict the visibility of this rule set    Check this to restrict the rule set to the selected networks.
to the following networks


3.10.2 Creating a New Rule


Here we provide screen-by-screen instructions. Let's create a rule that generates a violation when the SNMP community is "public" in Cisco IOS device configurations.

Click on   in Compliance → Rule Sets tab.





Enter a name for the rule, select the target adapter (the kind of device model) and the configuration to which the rule applies (running-config or startup-config). Click on the OK button.




In the Violation message field, enter the message to be shown when a violation occurs. The violation message in this example is: "public" is set in SNMP community. After that, click on the   .




 

Enter the violation search query in Match Expression and select Violation on match in the Action field.





To test the new rule, click on the "select a test config" link and select a device from the inventory.





The Select Configuration window lists the devices that match the adapter you selected when you created this rule. In this case, only devices with the IOS adapter are present in the list.

 




Violations are colored in red. Once you are satisfied, build a policy from the set of rules as described in the next section.





3.10.3 Policy tab

The Policy tab consists of the following sub tabs:

 

Device sub tab  Allows you to select the devices to which the policy will be applied. The interface is exactly the same as the one described in the Jobs Management section (p.92).


Item                                     Description

All devices                              Apply the policy to all devices in the inventory.

Search                                   Apply the policy to all devices that match the query.
                                         The search is conducted every time the violation check is triggered.

Static List                              Choose a set of devices by switching the main pane to the Device tab
                                         and creating a static list; the violation check is applied only to
                                         the devices in the list (tab switching technique).


Rule Sets sub tab  Registers the existing rule sets to the policy.


Item                                     Description

Adapter                                  Specify the target adapter.

Configuration                            Choose either startup-config or running-config.
                                         The check is applied to the specified configuration only.

Rules set                                Rules in this policy.

Severity                                 Either Error or Warning. This results in different visual icons when
                                         a violation occurs.

 


Creating a New Policy


Let's create a policy here that will generate violations for Cisco IOS device configurations.

Click on      in Compliance → Policy tab.





Enter a policy name, select the target adapter and configuration, then click on the OK button.




Select Search. Enter a search query that selects the target devices. In this example, enter *Cisco* in the Model filter. As a result, violations are checked only against those devices whose name contains the string Cisco.




This process is the same as the one described in Sec. 3.7 (Job Management). Consequently, the same characteristics apply to this device selection: if you define the target devices via Search, the search is performed each time the policy is checked.


Click on   in the Rule Sets sub tab in the status pane.




Select a rule set and click on the Add button. In this example, we have selected the IOS Interface Auto-Duplex/Speed and IOS Secure Enable Passwords rule sets.




Select a Severity for each rule set. Here we select a different severity for each one so that different violation icons will show up.




Click on the "select a test config" link and select a device to test the policy.




IMPORTANT NOTE: The rule sets that appear in this window are only those whose adapter type matches that of the current policy. If no rule appears among the candidates, no rules are defined for the adapter your policy is defined for. Review the adapter type setting in your policy or rule sets.


Select a test config.




Violations are colored in red. The number at the top right shows the total number of violations. When you are satisfied with the test results, activate the policy. Note that netLD does not run the violation check unless the policy is activated.





Activating the Policies

Once a policy has been created, you should activate it for the devices. Make sure that the main pane shows Compliance → Policy sub tab. In the Policy sub tab, select a policy and click on the Enable button. You will see a pie graph in the violation summary on the right.





If any violation is found by the policy, its icon changes. Depending on the severity, an orange warning icon or a red error icon is shown.





Then double-click on the violation icon. The Status sub tab opens in the status pane, showing detailed information about the violation.

 


 

Violation icons are also shown in the Device View. To see detailed information about a violation, double-click on the warning/error icon.