Managing configuration compliance

To improve network security and availability, BMC recommends using rules to audit network configuration standards. This section contains the following topics that describe how to manage network configuration compliance by using BMC Network Automation environment:

• About defining and organizing rules
• Importing rules
• Exporting rules
• Testing rules
• Managing policies
• Viewing compliance violations
• Fixing compliance violations

 BMC Network Automation is delivered with rules that can help you get started. Some recommended rules include:

• NTP servers
• Syslog servers
• Enable secret
• Password encryption
• Disable protocols
• Defined access control lists should be assigned
• SNMP community strings
• Management ACL entries and assignment
• OS Version

Any configuration lines or blocks in the running, startup, and any ASCII-based configuration can be audited.

When implementing a configuration change using the Remediate, Deploy to Active, or Deploy to Stored actions with Remediate With and Remediate With All Assigned options, BMC Network Automation applies the rule sets and rules in order, sorted by name.

This enables you to control the order in which rule sets and rules are applied, to eliminate conflicting or syntactically illegal changes. For example, a device can require attribute ABC to be configured before attribute XYZ. In this case, name the rule (for example, rule name = 1-ABC) for configuring ABC so that it executes before the rule (for example, rule name = 2-XYZ) configuring XYZ.

Rule set naming works the same way. If multiple rule sets are applied to a device and order matters, name the rule sets to execute by name order.