Cisco Prime Network 4.3 User Guide
9-43 Cisco Prime Network 4.3.2 User Guide (EDCS-1524415), Chapter 9: Manage Device Configurations and Software Images, Making Sure Devices Conform to Policies Using Compliance Audit

Creating a Rule

For a policy to run against devices and generate violations, you must specify rules within the policy and define the conditions and the relevant fixes for violations. Rules are platform-specific. Each policy must contain at least one rule; there is no limit on the number of rules you can define for a policy. You can also duplicate an existing rule and add it to a policy: click Duplicate to clone a rule.

Follow the procedure below to create a rule and add it to a specific policy:

Step 1 From the left navigation pane, select the policy to which you want to add rules.
Step 2 From the work area pane, click New.
Step 3 Enter the following details. For sample rules, see Creating Rules—Samples, page 9-49.

Table 9-3 New Rule Fields

Rule Information: All information entered in this section is free text and does not affect the conditions or the resulting violations.
  Rule Title—Enter a name for the rule.
  Description—Enter a brief description.
  Impact—Enter a brief note on the impact of the violation that the rule will generate.
  Suggested Fix—Enter a brief description of the fix. It helps you decide whether to choose the rule for a specific policy, and it appears when you check the rule in the Rule Selector pane.

Platform Selection
  Available Platforms—Check the platforms on which the condition must run. If you select Cisco Devices, all of the Cisco platforms in the list are included. The platforms checked here affect the Ignore count of an audit job: if you run a rule on all the devices within your scope, devices that are not selected in the Available Platforms pane are not audited and are counted under Ignore.
Rule Inputs
  New Input—Click New to add inputs for the new rule. The input you create in this pane is reflected in the Policy Profile page. You must provide rule inputs for the rule you have selected. For example, you can create an input of type IP Address; any user who wants to run this rule can then enter an IP address specific to the rule and add it to a specific profile. Enter the following details:
    Title—Enter a name for the rule input.
    Identifier—Click the Generate button to generate an identifier based on the title. The identifier is used in the Block Start Expression, in the Conditions Match Criteria (Value field), and on the Action Details tab in the Violation Message and Fix CLI (if the action is Raise a Violation and the Violation Message Type is Define Custom Violation Message for the Condition).
    Description—Enter a brief description for the rule input.
    Scope—Choose the scope of the rule input: whether the input is used for execution or for fix.
    Data Type—Choose a data type from the following options:
      –Boolean
      –IP Address
      –Integer
      –Interface
      –Interface Group
      –IP Mask
      –String
    Input Required—Check the option, as required.
    The following fields appear based on the option that you choose in the Data Type field:
    Is List of Values—Check this check box to add multiple values to be associated with the rule input. A table appears where you can add, edit, and delete values. You can also set a default value.
    Accept Multiple Values—Check this check box if you want to provide more than one value at the time of audit. This is applicable only for the execution type rule input.
    Min Value—Enter a minimum integer value for the rule input. This is applicable only for the Integer data type.
    Max Value—Enter a maximum integer value for the rule input. This is applicable only for the Integer data type.
    Default Value—Enter a default value for the rule input.
    The format of the value that you enter in this field depends on the data type that you chose in the Data Type field. For example, if you chose Integer as the data type, you can enter an integer value only.
    Max Length—Enter the maximum length that is applicable for the rule input.
    Val RegExp—Enter a valid regular expression that will be used for execution or fix.

Conditions and Actions
  New Conditions and Actions—Click New to create conditions and actions for the new rule.
New Conditions and Actions—Conditions Details tab

Condition Scope Details
  Condition Scope—Select the scope of the conditions from one of the following:
    –Configuration—Checks the complete running configuration.
    –Device Command Outputs—Checks the output of show commands.
    –Device Properties—Checks against the device properties and not the running configuration.
    –Previously Matched Blocks—Runs the conditions against blocks that were defined in previous conditions. To run a condition with this option, you must have checked the Parse as Blocks option in one of the previous conditions. You cannot select this option for the first condition of a rule.
    –Function—Checks based on the earlier conditions. Once the Function option is selected, the Expression field is enabled, where you can enter mathematical functions such as addition, subtraction, multiplication, and division. Follow these conventions when using the Function option:
      Using Java regular expressions, a value can be extracted and stored in a variable. For example, if you choose condition 1, you need to enter the value as in the Value field.
      Using conditions along with operations, you can enter the operations to be performed in the Expression field. For example, in the Expression field, you can enter the value as * 1024.
  Device Property—Select one of the following device properties:
    –Device Name
    –IP Address
    –OS Name
    –OS Version
    Note: This option is enabled only if you selected Device Properties in the Condition Scope drop-down list.
  Show Commands—Select the show command that is applicable for the selected platform. You can also enter a show command against which the audit must be performed.
    Note: This option is enabled only if you selected Device Command Outputs in the Condition Scope drop-down list.
Block Options
  Parse as Blocks—Checking this option enables you to run conditions on specific blocks (as defined in this section) of the running configuration. This option is enabled only if you selected Configuration in the Condition Scope field.
  Block Start Expression—This field is mandatory if the Parse as Blocks option is enabled. It must be a regular expression. Rule inputs and grep outputs can be used here.
  Block End Expression—This field is optional. By default, a block ends when the next top-level or sub-level command begins. If you prefer to end the block earlier, enter a regular expression.
  Rule Pass Criteria—Check the option, as required. If you select:
    All Sub Blocks—The rule is marked a success only if all the blocks fulfill the specified condition.
    Any Sub Block—The rule is marked a success if at least one of the sub-blocks fulfills the condition.
    Raise One Violation for Each Failing Instance—If you check this option, the violation count shown in the Job view increases by as many violations as the condition encounters in each block.

Condition Match Criteria
  Operator—Choose an option based on the value you will enter in the subsequent fields.
  Operator Function—Click Edit. The Select Operator Function page appears. Select a predefined function and enter the function parameters for the predefined function that you selected.
    Note: This field is available only if you selected the option Execute a Function from the Operator field.
  Value—The value must be a regular expression. Rule inputs and grep outputs can be used here. This variable can be grepped for use in subsequent conditions; it follows the condition convention, such as ... This numerical identifier can be used from the next condition as an input parameter for the Operator selected in the previous field. If you selected Device Name in the Device Property field, you must enter a valid regular expression that will check the VNE name and not the host name.

New Conditions and Actions—Action Details tab (applicable to both Select Match Action and Select Does Not Match Action)
  Select Action—Select one of the following actions that Compliance Audit must perform upon detecting a violation:
    Continue—Whether the condition is met or not met, the rule continues to run from the condition number specified in the Condition Number field. If a condition number is not specified, the rule proceeds to the next condition.
    Does Not Raise a Violation—Does not raise a violation and stops further execution of the rule.
    Raise a Violation—Raises a violation and stops further execution of the rule.
  Condition Number—Specify the condition number with which the rule must continue if the condition is met or not met. You cannot specify a condition number that is less than or equal to the current condition number. This field is available only if you selected Continue in the Select Action field.
  Violation Severity—Specify the severity that Compliance Audit must flag if a violation is detected. This field is available only if you selected Raise a Violation in the Select Action field.
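As an added illustration (not Prime Network's own code), the following Python models the Parse as Blocks splitting and the Rule Pass Criteria described above: a block opens on a line matching the Block Start Expression and closes at the next unindented command line (an assumption standing in for the page's "top-level or sub-level command" rule) or at an optional Block End Expression, and the All Sub Blocks, Any Sub Block and Raise One Violation for Each Failing Instance options decide the result. The running configuration and the per-interface access-group condition are constructed for the example.

```python
import re

# Constructed sample running configuration (not captured from a real device).
RUNNING_CONFIG = """\
hostname edge-rtr-1
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
interface GigabitEthernet0/1
 description user segment
 ip address 198.51.100.1 255.255.255.0
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
line vty 0 4
 transport input ssh
"""

def parse_blocks(config, start_expr, end_expr=None):
    """Split a running config into blocks. A block opens on a line matching
    start_expr and closes when the next unindented (top-level) command begins
    (assumption: indentation marks sub-level lines) or, earlier, on a line
    matching end_expr. Returns a list of blocks, each a list of lines."""
    blocks, current = [], None
    for line in config.splitlines():
        if current is not None:
            if not line.startswith(" ") or (end_expr and re.search(end_expr, line)):
                blocks.append(current)   # block ends before this line
                current = None
            else:
                current.append(line)
                continue
        if re.search(start_expr, line):
            current = [line]             # new block, header line included
    if current is not None:
        blocks.append(current)
    return blocks

def check_blocks(blocks, cond_expr, criteria, per_instance=False):
    """Apply the Rule Pass Criteria to the parsed blocks.
    criteria 'all' = All Sub Blocks (every block must match cond_expr),
    criteria 'any' = Any Sub Block (at least one block must match).
    Returns (passed, failing_block_headers); with per_instance=True every
    failing block is reported, as with Raise One Violation for Each Failing
    Instance, otherwise at most one. With no blocks, 'all' passes and 'any' fails."""
    failing = [b[0] for b in blocks
               if not any(re.search(cond_expr, line) for line in b)]
    passed = not failing if criteria == "all" else len(failing) < len(blocks)
    if passed:
        return True, []
    return False, failing if per_instance else failing[:1]
```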
  Violation Message Type—Select one of the following message types:
    Default Violation Message—Select this option if you determine that a violation is not fixable (or requires manual intervention).
    User defined Violation Message—Select this option to enter a fix or to provide a command script to fix a violation.
    This field is available only if you selected Raise a Violation in the Select Action field.
  Violation Message—Note: This field is available only if you selected User defined Violation Message in the Violation Message Type field. Enter a violation message that will be displayed in the Job View window. Rule inputs can be used here.
  Fix CLI—Note: This field is available only if you selected User defined Violation Message in the Violation Message Type field. Enter a relevant CLI fix to apply if the device does not meet the specified condition. Do not enter config t, configure, or their exit commands. Rule inputs and grep outputs can be used here.
    Note: The exit command is allowed in main and sub-level commands.
    Following are the formats for the CLI fix that you enter in this field:
      For an execution type input, enter
      For a fix type input, enter ^^
      For a grep type output, enter , where n is the condition number and m is the output number.
    If you choose to use the predefined commands that are available in the Command Manager to fix the violation, perform the following tasks:
      1. Click Command. The Fix Commands window appears (Figure 9-15 Policy and Command Input Parameter Mapping).
      2. From the Commands drop-down list, select the predefined command that you will execute to fix the compliance violation. The Command Input Parameters that are defined for the selected command are displayed.
      3. Select the Scope and Policy Input Mapping for the Command Input Parameter.
        Note: The Policy Input Mapping field maps the input parameter that was defined when creating the fix command in the Command Manager to the rule input that was defined when creating a policy rule in the Compliance Manager. The values that you select or enter in the Policy Input Mapping field depend on the scope you select for the Command Input Parameter.
        Select the scope from the following options:
          –Default—Select this option to enter the required value in the Policy Input Mapping field.
          –Execution—Select this option if you want to use the Command Input Parameter for execution during the compliance audit. If the execution rule input is defined in the Compliance Manager, you can select the input in the Policy Input Mapping field.
          –Fix—Select this option if you want to use the Command Input Parameter for fixing the compliance violation. If the fix rule input is defined in the Compliance Manager, you can select the input in the Policy Input Mapping field.
          –Grep Output—Select this option if you have a grepped output in the condition. In the Policy Input Mapping field, enter the numerical identifier that follows the convention . For example, if you have a grepped output in the second condition and you want to consider the first output of that condition, enter .

After you complete adding rules to the policy, a profile must be created. For more information, see Creating a Policy Profile.

Creating Rules—Samples

This section explains four scenarios in which rules can be created.

Problem: This policy checks whether at least one of the predefined DNS servers is configured on the device. The following condition checks whether either ip name-server 1.2.3.4 or ip name-server 2.3.4.5 is configured on the device, and raises a violation if neither of them is configured.
Solution: The following settings have to be made in the appropriate sections.
  Condition Scope: Configuration
  Operator: Matches the expression
  Value: ip name-server (1.2.3.4|2.3.4.5)$
  Match Action: Do not raise a violation and exit this rule
  Does Not Match Action: Raise a violation and exit this rule
  Violation Text: DNS Server must be configured as either 1.2.3.4 or 2.3.4.5.

Problem: This policy checks whether at least two NTP servers are configured on the device, for NTP server redundancy. The following condition checks whether the command ntp server appears at least twice.
Solution: The following settings have to be made in the appropriate sections.
  Condition Scope: Configuration
  Operator: Matches the expression
  Value: (ntp server.* ){2,}
  Match Action: Continue
  Does Not Match Action: Raise a violation and exit this rule
  Violation Text: At least two NTP servers must be configured.

Problem: This policy checks that the device is not configured with any prohibited SNMP community strings, or community strings that must be avoided. This condition checks whether either snmp-server community public or snmp-server community private is configured on the device. If configured, Compliance Audit raises a violation. Note that the placeholder in the violation text is replaced at runtime with the actual community string configured on the device; in this example it indicates the first captured group in the current condition.
Solution: The following settings have to be made in the appropriate sections.
  Condition Scope: Configuration
  Operator: Matches the expression
  Value: snmp-server community (public|private)
  Match Action: Raise a violation and exit this rule
  Does Not Match Action: Continue
  Violation Text: Community string configured.

Problem: This policy checks whether a particular version of the IOS software is installed on a device. The following condition checks whether IOS software version 15.1(1)SY2 is installed on the device.
Solution: The following settings have to be made in the appropriate sections.
  Condition Scope: Device Command Outputs
  Show Commands: show version
  Operator: contains the string
  Value: 15.1(1)SY2
  Match Action: Continue
  Does Not Match Action: Raise a Violation
  Violation Text: Output of show version must contain the string '15.1(1)SY2'.
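To show how the condition and action settings fit together, here is an added Python model (not Prime Network's code) that encodes the DNS, SNMP and IOS-version sample rules above as data and evaluates them, with the Continue / Raise a Violation / Does Not Raise a Violation semantics from the Action Details tab, against a constructed running configuration and show version output. The {group1} token is this example's own stand-in for the captured-group placeholder (the product's real placeholder syntax is not reproduced), and the NTP sample is left out because the page does not say how configuration lines are joined before a multi-line count regex is applied.

```python
import re

# Constructed sample device data (not captured from a real device).
RUNNING_CONFIG = """\
hostname edge-rtr-1
ip name-server 8.8.8.8
snmp-server community public RO
snmp-server community s3cret RW
"""
SHOW_VERSION = "Cisco IOS Software, Version 15.1(2)SY1, RELEASE SOFTWARE\n"

# Codes standing in for the three Select Action choices on the page.
RAISE, NO_VIOLATION, CONTINUE = "raise", "no_violation", "continue"

def evaluate_rule(conditions, sources):
    """Walk one rule's conditions in order. Continue moves to the next
    condition (or to the given condition number); the other two actions
    stop the rule. Returns the violation text, or None if the rule passed."""
    i = 0
    while i < len(conditions):
        cond = conditions[i]
        text = sources[cond["scope"]]
        m = None
        if cond["operator"] == "matches":      # "Matches the expression"
            m = re.search(cond["value"], text, re.MULTILINE)
            matched = m is not None
        else:                                  # "contains the string"
            matched = cond["value"] in text
        action, next_no = cond["match"] if matched else cond["nomatch"]
        if action == RAISE:
            # {group1}: this example's placeholder for the first captured group.
            first = m.group(1) if m and m.groups() else ""
            return cond["violation"].format(group1=first)
        if action == NO_VIOLATION:
            return None
        i = next_no - 1 if next_no else i + 1  # Continue: jump or fall through
    return None

# The page's DNS, SNMP and IOS-version sample rules, encoded as data.
# The sample regexes leave '.' unescaped, so a dot also matches any character.
RULES = {
    "dns": [{"scope": "config", "operator": "matches",
             "value": r"ip name-server (1.2.3.4|2.3.4.5)$",
             "match": (NO_VIOLATION, None), "nomatch": (RAISE, None),
             "violation": "DNS Server must be configured as either 1.2.3.4 or 2.3.4.5."}],
    "snmp": [{"scope": "config", "operator": "matches",
              "value": r"snmp-server community (public|private)",
              "match": (RAISE, None), "nomatch": (CONTINUE, None),
              "violation": "Community string {group1} configured."}],
    "ios_version": [{"scope": "show version", "operator": "contains",
                     "value": "15.1(1)SY2",
                     "match": (CONTINUE, None), "nomatch": (RAISE, None),
                     "violation": "Output of show version must contain the string '15.1(1)SY2'."}],
}

def audit(config, show_version):
    """Run every rule against one device; returns {rule name: violation or None}."""
    sources = {"config": config, "show version": show_version}
    return {name: evaluate_rule(conds, sources) for name, conds in RULES.items()}
```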
Creating a Policy Profile

After you have created policies, create a policy profile that will contain a set of policies. Go to Compliance Audit > Policy Profile. The Policy Profile page (Figure 9-16) appears.

Figure 9-16 Policy Profile Page (callouts: 1 Create Policy Profile icon; 2 Edit Policy Profile Description icon; 3 Run Compliance Audit icon; 4 Add Compliance Policy icon)

Follow the procedure below to create a new policy profile:

Step 1 From the left navigation pane, click the Create Policy Profile icon. Enter a name and description for the policy profile.
Step 2 From the left navigation pane, select the policy profile that you have created. From the Compliance Policy Selector pane, click the Add Compliance Policy icon. The list of system-defined policy groups and user-defined policy groups appears. See Table 9-4 for the list of policies grouped under each policy group.
Step 3 Choose the required policies.
Step 4 Select the rules and inputs within the selected policies that you want to audit against. Then, if applicable, enter values for the rule inputs. The option to enter rule inputs is available only if you entered input parameters when you created the rule.

The policy profile is created and an audit job can be run.
Table 9-4 Policy Group Details

Policy Group Name: AAA Services
Policies: AAA; AAA Accounting—Commands; AAA Accounting—Connections; AAA Accounting—Exec; AAA Accounting—Network; AAA Accounting—System; AAA Authentication—Enable; AAA Authentication—Login; AAA Authorization—Commands; AAA Authorization—Configuration; AAA Authorization—Exec; AAA Authorization—Network; Checking at least one of Tacacs+ Radius LDAP authentication should be configured

Policy Group Name: Audit and Management
Policies: Banners; Console Access; DHCP; Domain Name; Host Name; Logging and Syslog; Terminal Access; User Passwords