Government and industry regulations require IT organizations to conform to some standard practices. To become compliant with regulations such as SOX, HIPAA, CISP, PCI, Sarbanes-Oxley and others, device configurations should conform to the standards specified. The standards could be anything: ensuring the presence or absence of certain strings, commands or values. DeviceExpert helps in automatically checking for compliance with the rules defined. Reports on policy compliance and violations are generated.
Users can define a set of rules specifying the mandatory requirements: what the configuration should contain and/or what it should not contain. The rules can be grouped and defined as a 'Compliance Policy'. Each device or group of devices can be associated with the required policy or policies. DeviceExpert will scan the configuration for compliance with the policy defined and report violations.
Compliance check enables network administrators to save a lot of time by automating the standards checking process. Besides it helps in
Enabling compliance check starts with compliance policy creation, which is a three-step process:
Define the line or lines that must either be present in, or be absent from, the configuration file. A typical example of a rule is checking the access list configuration or checking the community string. Decide what amounts to a violation: the presence or the absence of a particular line or set of lines in the configuration file.
To add a rule,
Simple Criteria
| Criteria | Description | Example |
|---|---|---|
| Should contain all lines | The configuration to be checked for compliance should contain all the lines specified by you. Even if a single line is not found, it will be pronounced as 'violation'. DeviceExpert goes about checking the lines (specified by you) one-by-one against the configuration file. It is not necessary that the lines be present in exactly the same order as specified by you. Since the check is done line-by-line, it is enough if all the lines are present anywhere in the configuration. | Criteria: Should contain all lines<br>Configuration lines to check:<br>`snmp-server community public RO`<br>`snmp-server community private RW`<br>`snmp-server community public1 RO`<br>`snmp-server community private1 RW`<br>Violation: If any or all the lines are NOT present in the configuration file (irrespective of the order of the presence of the lines) |
| Should not contain any line | Exactly opposite to the above. The configuration to be checked for compliance should NOT contain any of the lines specified by you. Even if a single line is found, it will be pronounced as 'violation'. DeviceExpert goes about checking the lines (specified by you) one-by-one against the configuration file. The order of the lines is not important. | Criteria: Should not contain any line<br>Configuration lines to check:<br>`snmp-server community public RO`<br>`snmp-server community private RW`<br>`snmp-server community public1 RO`<br>`snmp-server community private1 RW`<br>Violation: If any or all the lines are present in the configuration file (irrespective of the order of the presence of the lines) |
| Should contain exact set | This is similar to 'Should contain all lines', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert will go about checking if all the four lines are present in the same order as specified. If the lines are not present exactly as specified, it will be pronounced as rule violation. | Criteria: Should contain exact set<br>Configuration lines to check:<br>`snmp-server enable traps hsrp`<br>`snmp-server enable traps config`<br>`snmp-server enable traps entity`<br>`snmp-server enable traps envmon`<br>Violation: If all the lines are NOT present in the configuration file in the same order (and same set) as specified |
| Should not contain exact set | Exactly opposite to the above. This is similar to 'Should not contain any line', but the difference is that the order of the lines is taken into consideration. If you have specified four lines, DeviceExpert will go about checking if the configuration contains all the four lines in the same order as specified. If the lines are present exactly as specified, it will be pronounced as rule violation. | Criteria: Should not contain exact set<br>Configuration lines to check:<br>`snmp-server enable traps hsrp`<br>`snmp-server enable traps config`<br>`snmp-server enable traps entity`<br>`snmp-server enable traps envmon`<br>Violation: If all the lines are present in the configuration file in the same order (and same set) as specified |
Advanced Criteria
You can make use of certain Regular Expressions in providing the criteria for checking the configuration for compliance. The following are a few examples:

Regular Expression Patterns & Description

Matching specific characters

Characters inside square brackets can be used to match any of the characters mentioned therein. Example:

Matching a range of characters or numbers

A character range inside square brackets can be used to match any of the characters in the range specified therein. The character range could be letters or numbers. The matching is case-sensitive. Examples:

- `[a-zA-Z]` - This will match any character a through z or A through Z
- `[0-9]` - This will match any digit from 0 to 9

Other Specific Matches

- `.` a dot can be used to match any single character, including space.
- `\d` to match any digit from 0 to 9
- `\D` to match any character other than a digit (0-9)

For more details, refer to the "Regular Expression Tutorials" of Java Tutorials. More Examples:
| Criteria | Description | Example |
|---|---|---|
| Should contain | The configuration to be checked for compliance should contain the line matching the RegEx pattern specified by you. | Criteria: Should contain line(s) as per the RegEx pattern defined<br>Configuration lines to check:<br>`snmp-server community public RO\|RW`<br>Violation: If the line "snmp-server community public" followed by either "RO" or "RW" is NOT present |
| Should not contain | The configuration to be checked for compliance should not contain the line matching the RegEx pattern specified by you. | Criteria: Should not contain line(s) as per the RegEx pattern defined<br>Configuration lines to check:<br>`snmp-server community public RO\|RW`<br>Violation: If the line "snmp-server community public" followed by either "RO" or "RW" is present |
| Usage of AND/OR condition | Two or more RegEx patterns defined for 'Should Contain' or 'Should not contain' could be combined through AND/OR conditions | -- |
Finally, specify the severity for violation. Click "Save".
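
The following Python sketch is an added example, not DeviceExpert's own code: it implements the four Simple Criteria and the RegEx criteria described above and runs them over a constructed configuration. It assumes that 'exact set' means one contiguous block of lines in the given order and that a RegEx pattern is searched within each line. It also shows that in standard regular-expression syntax (java.util.regex and Python `re` alike) `|` has the lowest precedence, so an ungrouped `RO|RW` alternative matches any line containing `RW`.

```python
import re

def cfg_lines(text):
    """Split a configuration into stripped, non-empty lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def has_exact_set(config, wanted):
    """Assumed reading of 'exact set': one contiguous block, in the given order."""
    cfg, n = cfg_lines(config), len(wanted)
    return any(cfg[i:i + n] == wanted for i in range(len(cfg) - n + 1))

def violates(config, criteria, wanted):
    """Return True when the configuration violates a Simple Criteria rule."""
    present = set(cfg_lines(config))
    if criteria == "Should contain all lines":
        return any(w not in present for w in wanted)
    if criteria == "Should not contain any line":
        return any(w in present for w in wanted)
    if criteria == "Should contain exact set":
        return not has_exact_set(config, wanted)
    if criteria == "Should not contain exact set":
        return has_exact_set(config, wanted)
    raise ValueError(f"unknown criteria: {criteria}")

def regex_violates(config, pattern, should_contain):
    """Advanced Criteria, assuming the pattern is searched within each line."""
    found = any(re.search(pattern, ln) for ln in cfg_lines(config))
    return not found if should_contain else found

# Constructed sample configuration (not taken from a real device).
SAMPLE = """
hostname edge-rtr-01
snmp-server community ops-ro RO
snmp-server community ops-rw RW
snmp-server enable traps hsrp
snmp-server enable traps entity
snmp-server enable traps config
snmp-server enable traps envmon
"""
DEFAULT_COMMUNITIES = ["snmp-server community public RO", "snmp-server community private RW",
                       "snmp-server community public1 RO", "snmp-server community private1 RW"]
TRAPS = ["snmp-server enable traps hsrp", "snmp-server enable traps config",
         "snmp-server enable traps entity", "snmp-server enable traps envmon"]
UNGROUPED = r"snmp-server community public RO|RW"   # parsed as "...public RO" OR "RW"
GROUPED = r"snmp-server community public (RO|RW)"   # alternation limited to the suffix

if __name__ == "__main__":
    print("traps, all lines:", violates(SAMPLE, "Should contain all lines", TRAPS))
    print("traps, exact set:", violates(SAMPLE, "Should contain exact set", TRAPS))
    print("ungrouped / grouped:", regex_violates(SAMPLE, UNGROUPED, False),
          regex_violates(SAMPLE, GROUPED, False))
```

With the ungrouped pattern, a 'Should contain' rule passes on this configuration even though no `public` community line exists, which is why an Adhoc Test of a new RegEx rule against a known configuration is worth running before relying on it.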
You can create many rules to cater to specific requirements. A 'Rule Group' refers to a collection of rules. Create a 'Rule Group' by selecting the required rules.
To create a rule group,
Once a rule group is created, you can go ahead to create the required compliance policy by selecting the required Rule Groups. Compliance check is done on all policies associated with a device.
To create a policy,
After creating a policy, you need to associate it with the required devices/device groups.
To associate a policy with a device/devices,
After associating a policy with a device or device group, you are ready to run compliance check.
Go to the "Inventory" >> "Device Group" page and click the device group for which the compliance check has to be run.
During any stage of compliance policy creation (rule creation, rule group creation and policy creation), you can perform checks on an ad hoc basis to test the validity of the rule, rule group or policy you have added. The ad hoc tests show the results immediately. After adding a rule, you can perform an ad hoc test for a device or device group by clicking the "Adhoc Test" button present in the Compliance >> Rule GUI. Similarly, ad hoc tests can be performed for a rule group from the Compliance >> Rule Group GUI and for a policy from the Compliance >> Policy GUI.