Compliance



Overview

Government and industry regulations require IT organizations conform to some standard practices. To become compliant with the regulations such as SOX, HIPAA, CISP, PCI, Sarbanes-Oxley and others, device configurations should conform to the standards specified. The standards could be anything - ensuring the presence or absence of certain strings, commands or values. DeviceExpert helps in automatically checking for compliance to the rules defined. Reports on policy compliance and violations are generated.
 

How does compliance check work?

Users can define a set of rules specifying the mandatory requirements - what the configuration should contain and/or what it should not contain.  The rules can be grouped and defined as 'Compliance Policy'. Each device or a group of devices can be associated with the required policy or policies. DeviceExpert will scan the configuration for compliance to the policy defined and report violations.
 

How does compliance check benefit me?

Compliance check enables network administrators save a lot of time by automating the standards checking process. Besides it helps in

 

How do I enable compliance check?

Enabling compliance check starts with compliance policy creation, which is a three-step process:

1. Add a Rule

Define the line or lines that are to be either compulsorily present or should not be present in the configuration file. A typical example for a rule is checking the access list configuration or checking the community string. Decide what amounts to violation - presence or absence of a particular line or a set of lines in the configuration file

To add a rule,

 

Simple Criteria

Criteria
Description
Example

Should contain all lines

The configuration to be checked for compliance should contain all the lines specified by you. Even if a single line is not found, it will be pronounced as 'violation'. DeviceExpert goes about checking the lines (specified by you) one-by-one against the configuration file. It is not necessary that the lines should be present exactly in the same order as specified by you. Since the check is done line-by-line, it is enough if the all the lines are present anywhere in the configuration.

Criteria: Should contain all lines

Configuration lines to check:

snmp-server community public RO

snmp-server community private RW

snmp-server community public1 RO

snmp-server community private1 RW

Violation:

If any or all the lines are NOT present in the configuration file (irrespective of the order of the presence of the lines)

 

Should not contain any line

Exactly opposite to the above. The configuration to be checked for compliance should NOT contain any of the lines specified by you. Even if a single line is found, it will be pronounced as 'violation'. DeviceExpert goes about checking the lines (specified by you) one-by-one against the configuration file. The order of the lines are not important.

Criteria: Should not contain any line

Configuration lines to check:

snmp-server community public RO

snmp-server community private RW

snmp-server community public1 RO

snmp-server community private1 RW

Violation:

If any or all the lines are present in the configuration file (irrespective of the order of the presence of the lines)

Should contain exact set

This is similar to 'Should contain all lines', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert will go about checking if all the four lines are present in the same order as specified. If the lines are not present exactly as specified, it will be pronounced as rule violation.

Criteria: Should contain exact set

Configuration lines to check:

snmp-server enable traps hsrp

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps envmon

Violation:

If all the lines are NOT present in the configuration file in the same order (and same set) as specified

Should not contain exact set

Exactly opposite to the above. This is similar to 'Should not contain any line', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert will go about checking if the configuration contains the all the four lines in the same order as specified. If the lines are present exactly as specified, it will be pronounced as rule violation.

Criteria: Should not contain exact set

Configuration lines to check:

snmp-server enable traps hsrp

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps envmon

Violation:

If all the lines are present in the configuration file in the same order (and same set) as specified

 

Advanced Criteria

You can make use of certain Regular Expressions in providing the criteria for checking the configuration for compliance. The following are few examples:

 

Regular Expression Patterns & Description

Matching specific characters  

Characters inside square brackets can be used to match any of the characters mentioned therein.

 

Example:
[abc]
- This is to look for any of the characters a, b or c. The matching is case-sensitive.  

 

Matching a range of characters or numbers  

Character range inside square brackets can be used to match any of the characters in the range specified therein. The character range could be alphabets or numbers. The matching is case-sensitive.  

 

Examples:

[a-zA-Z] - This will match any character a through z or A through Z

[0-9] - This will match any digit from 0 to 9  

 

Other Specific Matches

.   a dot can be used to match any single character, including space.

\d  to match any digit from 0 to 9

\D  to match any character other than a digit (0-9)
\s
  to match a single space character
\S
  to match any character other than space
X?
  question mark preceded by a character. The character (in the example here 'X') that precedes the question mark can appear at the most once or does not appear at all
X*
  asterisk preceded by a character. The character (in the example here 'X') can appear any number of times or not at all
X+
  plus sign preceded by a character.  The character (in the example here 'X') must appear at least once
X|Y
 characters separated by a pipe symbol. This is to match either first character or the next one. In the example here, this is to match either X or Y

 

For more details, refer to the "Regular Expression Tutorials" of Java Tutorials.

More Examples: 

Description

RegEx Pattern

To check if there is a 'public' community present in the configuration

snmp-server community public RO|RW - to match any line containing the text "snmp-server community public" followed by either "RO" or "RW"

To check if logging to a syslog server has been configured

 logging \S+  - to match any line containing the text "logging" followed by an ip address

To check if enable secret is configured

 enable secret \d \S+  - to match any line containing the text "enable secret" followed by any single digit from 0 to 9 AND any character other than space appearing at least once

 


 

Criteria
Description
Example

Should contain

The configuration to be checked for compliance should contain the line matching the RegEx pattern specified by you.

Criteria: Should contain line(s) as per the RegEx pattern defined

Configuration lines to check:

snmp-server community public RO|RW

Violation: If the line  "snmp-server community public" followed by either "RO" or "RW" is NOT present

Should not contain

The configuration to be checked for compliance should not contain the line matching the RegEx pattern specified by you.

Criteria: Should not contain line(s) as per the RegEx pattern defined

Configuration lines to check:

snmp-server community public RO|RW

Violation: If the line  "snmp-server community public" followed by either "RO" or "RW" is present

Usage of AND/OR condition

Two or more RegEx patterns defined for 'Should Contain' or 'Should not contain' could be combined through AND/OR conditions

--

 

Finally, specify the severity for violation. Click "Save".

2. Group the Rules

You can create many rules to cater to specific requirements.  A 'Rule Group' refers to a collection of rules. Create a 'Rule Group' by selecting the required rules.

To create a rule group,

    1. Go to Compliance >> Rule Group >> New Rule Group. Enter Rule Group Name, Description and other details
    2. Select the rule/rules to be added to this group. Click "Save".

3. Create Policy

Once a rule group is created, you can go ahead to create the required compliance policy by selecting the required Rule Groups. Compliance check is done on all policies associated with a device.

To create a policy,

4. Associate Devices with Compliance Policy

After creating a policy, you need to associate it with the required devices/device groups.

To associate a policy with a device/devices,

    1. Go to Compliance tab >> Policy. Click the link 'Associate' present against the policy
    2. Select the devices / device groups and click 'Save'

 

Running Compliance Check

After associating a policy with a device or device group, you are ready to run compliance check.

To run compliance check for a single device,

To view the result & generate compliance report,

To run compliance check for a device group,

    1. Go to "Inventory" >> "Device Group" page and click device group for which compliance check has to be run

    2. Click the tab "Compliance"
    3. Click "Run Compliance Check" present under the box "Compliance Actions". You can even add a schedule for compliance check to be executed at a future point of time. To schedule this, click "Schedule Compliance Check" and fill in the details. When you schedule compliance check, you get the option to notify policy violations to desired recipients by email

To view the result & generate compliance report,

    1. Compliance status of the selected device group will be displayed in the same page. The compliance result for each device which forms part of the group is displayed in the table. If the device group is associated with more than one policy, the compliance check result for each policy is displayed in the table.
    2. You can generate a consolidated report of compliance check result for the device group. The report provides the compliance status and violation details for every device in the device group. The report can be generated as a PDF/CSV and it can even be emailed to desired recipients

Running Adhoc Tests

During any stage of compliance policy creation (rule creation, rule group creation & policy creation), you can perform checks on adhoc basis to test the validity of the rule/rule group/policy added by you. The adhoc tests depict the results then and there. After adding a rule, you can perform adhoc test for a device/device group by clicking the "Adhoc Test" button present in Compliance >> Rule GUI. Similarly, adhoc tests can be performed  for rule group from Compliance >> Rule Group GUI and for Policy from Compliance >> Policy GUI.

 



Copyright © 2012, ZOHO Corp. All Rights Reserved.
Network Monitoring Software from ManageEngine