Compliance

Overview

Government and industry regulations require IT organizations to conform to certain standard practices. To become compliant with regulations such as SOX, HIPAA, CISP, PCI, Sarbanes-Oxley and others, device configurations should conform to the standards specified. The standards could be anything, for example ensuring the presence or absence of certain strings, commands or values. DeviceExpert automatically checks device configurations for compliance with the rules you define and generates reports on policy compliance and violations.

How does compliance check work?

Users can define a set of rules specifying the mandatory requirements: what the configuration should contain and/or what it should not contain. The rules can be grouped and defined as a 'Compliance Policy'. Each device or group of devices can be associated with the required policy or policies. DeviceExpert scans the configuration for compliance with the defined policy and reports violations.

How does compliance check benefit me?

Compliance check enables network administrators to save a lot of time by automating the standards checking process. Besides, it helps in

How do I enable compliance check?

Enabling compliance check starts with compliance policy creation, which is a three-step process:

1. Add a Rule

Define the line or lines that must be present, or must not be present, in the configuration file. Typical examples of a rule are checking the access-list configuration or checking the SNMP community string. Decide what amounts to a violation: the presence or absence of a particular line or set of lines in the configuration file.


To add a rule,

How to choose the required criteria?

Simple Criteria: To check for the presence or absence of a single line or a group of lines in the configuration file.

Example: Check if the configuration contains all of the following lines:

snmp-server community public RO
snmp-server community private RW

DeviceExpert checks the lines you specify one by one against the configuration file.

Advanced Criteria: To specify more complex criteria using a Regular Expression.

Example: Check if enable secret is configured:

enable secret 5 $1$3Jcu$sB3

In the above example, the single-digit number and the other characters that follow 'enable secret' differ from device to device, so Simple Criteria cannot be used to check whether enable secret has been properly configured. You need to use Advanced Criteria.

Advanced Custom Criteria: To define the beginning and the end of the required configuration blocks for a selective compliance check. This is an extension of 'Advanced Criteria'.

Example: Check if a description is written for all the interface blocks:

interface FastEthernet0/0
 description branch office 1 connectivity
 ip address 192.168.118.32 255.255.255.0
 service-policy output Stream
!
interface FastEthernet0/1
 description branch office 2 connectivity
 ip address 192.168.118.32 255.255.255.0
 service-policy output Stream
!

There will be many such interface blocks in the device configuration, and the interface name and the description vary in each block. So neither Simple Criteria nor Advanced Criteria can be used to create the compliance rule. You need to use 'Advanced Custom Criteria', which checks each configuration block individually.

Simple Criteria

Should contain all lines

Description: The configuration to be checked for compliance should contain all the lines specified by you. Even if a single line is not found, it is pronounced a 'violation'. DeviceExpert checks the lines you specify one by one against the configuration file. The lines need not be present in the same order as you specified them; since the check is done line by line, it is enough that all the lines are present anywhere in the configuration.

Example:
Criteria: Should contain all lines
Configuration lines to check:
snmp-server community public RO
snmp-server community private RW
Violation: If any or all of the lines are NOT present in the configuration file (irrespective of the order in which the lines appear)

Should not contain any line

Description: Exactly the opposite of the above. The configuration to be checked for compliance should NOT contain any of the lines specified by you. Even if a single line is found, it is pronounced a 'violation'. DeviceExpert checks the lines you specify one by one against the configuration file. The order of the lines is not important.

Example:
Criteria: Should not contain any line
Configuration lines to check:
snmp-server community public RO
snmp-server community private RW
Violation: If any or all of the lines are present in the configuration file (irrespective of the order in which the lines appear)

Should contain exact set

Description: This is similar to 'Should contain all lines', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert checks whether all four lines are present in the same order as specified. If the lines are not present exactly as specified, it is pronounced a rule violation.

Example:
Criteria: Should contain exact set
Configuration lines to check:
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
Violation: If all the lines are NOT present in the configuration file in the same order (and same set) as specified

Should not contain exact set

Description: Exactly the opposite of the above. This is similar to 'Should not contain any line', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert checks whether the configuration contains all four lines in the same order as specified. If the lines are present exactly as specified, it is pronounced a rule violation.

Example:
Criteria: Should not contain exact set
Configuration lines to check:
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
Violation: If all the lines are present in the configuration file in the same order (and same set) as specified
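The four Simple Criteria implemented in Python as an added example (not DeviceExpert code), run over a constructed running-config fragment that reuses the lines from the examples above; the hostname is made up, and the code assumes that 'same order' for the exact-set criteria means consecutive lines, which the page does not state. It shows why the default SNMP community strings trigger 'Should not contain any line', and why 'Should contain all lines' passes while 'Should contain exact set' fails when the trap lines are present but out of order.

```python
# Constructed running-config fragment (not from a real device) reusing the
# lines from the Simple Criteria examples; the trap lines are deliberately
# in a different order from the 'exact set' example.
SAMPLE_CONFIG = """\
hostname branch-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps hsrp
snmp-server enable traps entity
snmp-server enable traps config
!
"""

def config_lines(config):
    """Configuration as a list of stripped, non-empty lines."""
    return [line.strip() for line in config.splitlines() if line.strip()]

def should_contain_all(config, rule_lines):
    """Compliant if every rule line appears somewhere; order is ignored."""
    present = set(config_lines(config))
    return all(line.strip() in present for line in rule_lines)

def should_not_contain_any(config, rule_lines):
    """Compliant if none of the rule lines appears anywhere."""
    present = set(config_lines(config))
    return not any(line.strip() in present for line in rule_lines)

def should_contain_exact_set(config, rule_lines):
    """Compliant if the rule lines appear in the given order. Assumption (not
    stated on the page): 'same order' means as consecutive lines."""
    lines = config_lines(config)
    rule = [line.strip() for line in rule_lines]
    n = len(rule)
    return any(lines[i:i + n] == rule for i in range(len(lines) - n + 1))

def should_not_contain_exact_set(config, rule_lines):
    """Compliant unless the rule lines appear consecutively in the given order."""
    return not should_contain_exact_set(config, rule_lines)

CRITERIA = {
    "Should contain all lines": should_contain_all,
    "Should not contain any line": should_not_contain_any,
    "Should contain exact set": should_contain_exact_set,
    "Should not contain exact set": should_not_contain_exact_set,
}

def evaluate(config, criteria, rule_lines):
    """Apply one Simple Criteria rule and report the result as DeviceExpert does."""
    return "compliant" if CRITERIA[criteria](config, rule_lines) else "violation"
```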

Advanced Criteria

You can make use of Regular Expressions in providing the criteria for checking the configuration for compliance. The following are a few examples:


Regular Expression Patterns & Description

Matching specific characters

Characters inside square brackets can be used to match any one of the characters listed. The matching is case-sensitive.

Example:
[abc] - matches any one of the characters a, b or c.

Matching a range of characters or numbers

A character range inside square brackets can be used to match any one of the characters in the range specified. The range can consist of letters or digits. The matching is case-sensitive.

Examples:
[a-zA-Z] - matches any character a through z or A through Z
[0-9] - matches any digit from 0 to 9

Other Specific Matches

.    a dot matches any single character, including space
\d   matches any digit from 0 to 9
\D   matches any character other than a digit (0-9)
\s   matches a single space character
\S   matches any character other than space
X?   question mark preceded by a character: the preceding character (here 'X') appears at most once or not at all
X*   asterisk preceded by a character: the preceding character (here 'X') appears any number of times or not at all
X+   plus sign preceded by a character: the preceding character (here 'X') must appear at least once
X|Y  characters separated by a pipe symbol: matches either the first alternative or the second, here either X or Y. Note that the alternation extends over everything to the left and right of the pipe, not only the adjacent characters; enclose the alternatives in parentheses, as in (RO|RW), to limit it.

For more details, refer to the "Regular Expression Tutorials" of the Java Tutorials.

More Examples:

To check if enable secret is configured
enable secret \d \S+ - matches any line containing the text "enable secret" followed by a single digit from 0 to 9 AND then one or more non-space characters

To check if a 'public' community is present in the configuration
snmp-server community public (RO|RW) - matches any line containing the text "snmp-server community public" followed by either "RO" or "RW" (the parentheses keep the alternation confined to RO/RW)

To check if logging to a syslog server has been configured
logging \S+ - matches any line containing the text "logging" followed by a non-space token such as the IP address of the syslog server (note that other logging commands with an argument also match this pattern)


Should contain

Description: The configuration to be checked for compliance should contain a line matching the RegEx pattern specified by you.

Example:
Criteria: Should contain line(s) as per the RegEx pattern defined
Configuration lines to check:
snmp-server community public (RO|RW)
Violation: If a line "snmp-server community public" followed by either "RO" or "RW" is NOT present

Should not contain

Description: The configuration to be checked for compliance should not contain a line matching the RegEx pattern specified by you.

Example:
Criteria: Should not contain line(s) as per the RegEx pattern defined
Configuration lines to check:
snmp-server community public (RO|RW)
Violation: If a line "snmp-server community public" followed by either "RO" or "RW" is present

Usage of AND/OR condition

Two or more RegEx patterns defined for 'Should contain' or 'Should not contain' can be combined through AND/OR conditions.

Advanced Custom Criteria

As mentioned above, 'Advanced Custom Criteria' is an extension of 'Advanced Criteria': it lets you define the beginning and the end of the required configuration blocks for a selective compliance check. Both 'Simple Criteria' and 'Advanced Criteria' check the entire configuration of a device for compliance with a rule. There may be a requirement to check only specific portions of the configuration for compliance with a rule.

For example, assume that on certain Cisco switches the administrator wants to check whether a description is written for all the interface blocks. Every single interface block has to be checked for compliance with this rule. The device configuration will have many interface blocks with different names, so you cannot define a suitable compliance rule to check all the interface blocks using the previous two criteria options, simple and advanced. They only help in defining a constant rule that checks the entire configuration once, not every single interface block.

In such cases, the administrator can use 'Advanced Custom Criteria'. He simply defines the start and end of the interface blocks and creates an advanced custom criteria rule. DeviceExpert then splits the configuration into configuration blocks and checks each of them for compliance. The compliance result for each block is reported individually, so it is very simple for the administrator to find which configuration blocks violate the rule and take remediation accordingly.


Besides, you can specify extra conditions through the "Additional Block Criteria". This gives you the option to exclude certain configuration blocks, among the interface blocks selected above, from the compliance check. (See the example below for a better understanding.)

Defining the criteria in this case is exactly the same as for 'Advanced Criteria'. Thus, the only difference between 'Advanced Criteria' and 'Advanced Custom Criteria' is that the user can define the beginning and the end of the required configuration blocks for a selective compliance check.


Specifying the starting and ending of configuration

Consider the following configuration blocks in a Cisco Switch:

interface FastEthernet0/0
 description branch office 1 connectivity
 ip address 192.168.118.32 255.255.255.0
 service-policy output Stream
!
interface FastEthernet0/1
 description branch office 2 connectivity
 ip address 192.168.118.32 255.255.255.0
 service-policy output Stream
!

If you want to check whether all the interface blocks have a description configured, specify the 'Configuration Block Start' as interface in the text field. Similarly, for 'Configuration Block End', enter ! in the text field.

You can define the conditions for the rule as explained for 'Advanced Criteria' above. For the particular example of checking the configuration blocks for a description, the rule will look like the screenshot below.

In case you want to exclude the interfaces that are shut down from the compliance check, you may include "Additional Block Criteria". In the drop-down against 'Additional Block Criteria', choose the condition "Should Not Contain" and type the word "shutdown" in the text field. When you do so, while checking whether all the interface blocks contain a description, the shutdown blocks are left out of the compliance check.

How does DeviceExpert check compliance?

When you specify the criteria as above, all the blocks in the configuration starting with the word 'interface' and ending with ! are tested for compliance with the criteria defined. The compliance result for each such configuration block is presented individually. The overall result is the 'AND' of all the individual results: even if only one configuration block shows a violation, the overall result is 'violation'. You can drill down into the report, analyze the individual results and find out what is wrong in the violating blocks.
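The Advanced Criteria line matching and the Advanced Custom Criteria block splitting described above, implemented in Python as an added example (not DeviceExpert code) over a constructed running-config fragment that reuses the page's sample lines. It assumes that the block start and end patterns are matched at the beginning of a line and that an 'Additional Block Criteria: Should Not Contain' pattern drops a block when any line in it matches; the accompanying checks also show why the alternation in 'RO|RW' needs parentheses.

```python
import re

# Constructed running-config fragment (not from a real device); sample lines come
# from the page, the shut-down third interface is added to show block exclusion.
SAMPLE_CONFIG = """\
enable secret 5 $1$3Jcu$sB3
snmp-server community public RO
!
interface FastEthernet0/0
 description branch office 1 connectivity
 ip address 192.168.118.32 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.118.33 255.255.255.0
!
interface FastEthernet0/2
 shutdown
!
"""

def advanced_check(text, pattern, should_contain=True):
    """Advanced Criteria: compliant if some line of `text` matches the RegEx
    (Should contain) or if no line does (Should not contain)."""
    found = any(re.search(pattern, line) for line in text.splitlines())
    return found if should_contain else not found

def split_blocks(config, start, end):
    """Cut the config into blocks that start at a line matching `start` and end
    before the next line matching `end` (both assumed anchored at line start)."""
    blocks, current = [], None
    for line in config.splitlines():
        if current is None:
            if re.match(start, line):
                current = [line]
        elif re.match(end, line):
            blocks.append("\n".join(current))
            current = None
        else:
            current.append(line)
    return blocks + (["\n".join(current)] if current else [])  # unterminated last block

def block_check(config, start, end, pattern, should_contain=True, exclude=None):
    """Advanced Custom Criteria: check every block, skipping those where any line
    matches `exclude`. Returns (AND of all block results, {block header: result})."""
    per_block = {}
    for block in split_blocks(config, start, end):
        if exclude and any(re.search(exclude, l) for l in block.splitlines()):
            continue  # e.g. shut-down interfaces are left out of the check
        per_block[block.splitlines()[0]] = advanced_check(block, pattern, should_contain)
    return all(per_block.values()), per_block
```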

Finally, specify the severity for violation. Click "Save".

2. Group the Rules

You can create many rules to cater to specific requirements. A 'Rule Group' is a collection of rules. Create a 'Rule Group' by selecting the required rules.

To create a rule group,

    1. Go to Compliance >> Rule Group >> New Rule Group. Enter Rule Group Name, Description and other details
    2. Select the rule/rules to be added to this group. Click "Save".

3. Create Policy

Once a rule group is created, you can create the required compliance policy by selecting the required Rule Groups. Compliance check is done on all policies associated with a device.

To create a policy,

4. Associate Devices with Compliance Policy

After creating a policy, you need to associate it with the required devices/device groups.

To associate a policy with a device/devices,

    1. Go to Compliance tab >> Policy. Click the link 'Associate' present against the policy
    2. Select the devices / device groups and click 'Save'

Running Compliance Check

After associating a policy with a device or device group, you are ready to run compliance check.

To run compliance check for a single device,

To view the result & generate compliance report,

To run compliance check for a device group,

    1. Go to the "Inventory" >> "Device Group" page and click the device group for which the compliance check has to be run
    2. Click the tab "Compliance"
    3. Click "Run Compliance Check" under the box "Compliance Actions". You can also schedule the compliance check to be executed at a future point in time: click "Schedule Compliance Check" and fill in the details. When you schedule a compliance check, you get the option to notify policy violations to the desired recipients by email

To view the result & generate compliance report,

    1. Compliance status of the selected device group will be displayed in the same page. The compliance result for each device which forms part of the group is displayed in the table. If the device group is associated with more than one policy, the compliance check result for each policy is displayed in the table.
    2. You can generate a consolidated report of compliance check result for the device group. The report provides the compliance status and violation details for every device in the device group. The report can be generated as a PDF/CSV and it can even be emailed to desired recipients

Running Adhoc Tests

At any stage of compliance policy creation (rule creation, rule group creation and policy creation), you can run checks on an ad hoc basis to test the validity of the rule, rule group or policy you added. The ad hoc tests show the results immediately. After adding a rule, you can perform an ad hoc test for a device or device group by clicking the "Adhoc Test" button in the Compliance >> Rule GUI. Similarly, ad hoc tests can be performed for a rule group from the Compliance >> Rule Group GUI and for a policy from the Compliance >> Policy GUI.

© 2005-2007, ZOHO Corp. All Rights Reserved.