Configuring compliance auditing and enforcement


The following example procedures, which are specific to an environment consisting of Cisco IOS routers, contain steps that you can perform to configure compliance auditing and enforcement in a quick start stand-alone TrueSight Network Automation configuration:

Defining when to audit compliance

Several options are available for specifying when the system should check devices for compliance. The compliance check is run on the current Running and Startup configurations. The system displays detected violations on the Discrepancy and Compliance Violation Details dashboard and logs an event for each rule violation.

You can choose one or more options to check compliance:

  • Real-time: Check compliance in all current configurations for assigned and enabled rule sets after each device snapshot.
  • Recurring schedule: Define a time-based policy with a Refresh Device Status action listed in the Actions tab to check compliance periodically on a selected network span (for example, Entire Network). All devices in the network span with assigned and enabled rule sets are checked for compliance.
  • Manually: Submit a Refresh Device Status job to run once (that is, Now or Date/Time) for a selected network span. All devices in the network span with assigned and enabled rule sets are checked for compliance.

Configuring the system for real-time auditing

The following example procedure enables the system to audit compliance of configurations in real-time.

  1. Open the Edit System Parameters page by navigating to Admin > System Admin > System Parameters. 
  2. In the Device parameters section, ensure that the Perform Compliance Violation Check After Any Span Actions parameter is enabled. 
  3. Click Save.

Configuring a compliance violation notification policy

The following example procedure enables a factory-installed policy to send a notification when any configuration compliance violation is detected based on assigned and enabled rule sets. The Network Automation system will not repeatedly send notifications of already discovered compliance violations.
You may use the factory-installed policy as an example for defining more specific compliance policies based on a selected network span, type of violation and violation severity.

  1. Open the Policies page by navigating to Policies > Policies > Policies in the UI.
  2. In the listing, find the Send Compliance Violation Notification policy, and click Edit in the Actions column.
  3. In the Details tab of the Edit Policy page, ensure that the Enabled option is selected.
  4. Click the Actions tab and do the following:
    1. Remove any actions that are currently in the list by selecting the action and clicking Delete.
    2. Click Add Actions and select Notifications > Send Trap.
    3. In the Annotation field of the Send Trap pop-up, enter a single hyphen (-). The Network Automation system annotates the trap with the rule set and rule names.
    4. In the Trap Type field, select Compliance Violation Discovered.
    5. In the SNMP Manager field, select the host name of your SNMP manager.
    6. Click Save to add the action to the list that will be carried out when the policy runs.
  5. (Optional) Add another action that sends an e-mail notification by doing the following:
    1. In the Edit Policy page, click Add Actions, and select Notifications > Send Email.
    2. In the Annotation field of the Send Email pop-up, enter Compliance Violation Detected.
    3. In the To field, select the e-mail recipients.
    4. In the Report field, select Compliance Summary Report.
    5. Select how the report is delivered:
      1. Select Include Link to send a report URL link in the email.
      2. Select Include Attachment to attach a report to the e-mail and select the delivery format (CSV, HTML, PDF, or RTF).
    6. In the Network Span field, select Same as Triggering Device.
    7. Click Save to add this action to the list.
  6. Click Save.

Configuring a compliance violations all cleared notification policy

The following example procedure enables a factory-installed policy to send a notification when all compliance violations have been cleared on a device.

  1. Open the Policies page by navigating to Policies > Policies > Policies in the UI.
  2. In the listing, find the Send Violations Cleared Notification policy, and click Edit in the Actions column.
  3. In the Details tab of the Edit Policy page, ensure that the Enabled option is selected.
  4. Click the Actions tab and do the following:
    1. Remove any actions that are currently in the list by selecting the action and clicking Delete.
    2. Click Add Actions and select Notifications > Send Trap.
    3. In the Annotation field of the Send Trap pop-up, enter All Compliance Violations Cleared.
    4. In the Trap Type field, select All Compliance Violations Cleared.
    5. In the SNMP Manager field, select the host name of your SNMP manager.
    6. Click Save to add the action to the list that will be carried out when the policy runs.
  5. Click Save.

Configuring rule sets and rules

The example procedures in this section contain steps for configuring rule sets and rules for use in a stand-alone quick-start configuration.

The Network Automation system comes with factory-installed rule sets for different vendors based on industry recommendations. Rules can be used to:

  • Provision new devices based on a set of rules (that is, security policies).
  • Implement complex, ad-hoc changes that are not handled by simple template pushes (for example, update ACLs).
  • Audit and enforce configuration best practices. 

A rule is a grammar that specifies what is expected to be found (or not found) in a configuration file. You can customize the factory-installed rules and manage new rule sets and rules.
Rules can be audited or simply used for ad-hoc configuration changes. Rule sets that are assigned to one or more groups and enabled are audited.

In this exercise you will define a new rule set and associated rule that verifies specific protocols are disabled on each interface. 

To view all rules in a rule set

  1. Open the Rule Sets page by navigating to Network > Scripts > Rule Sets in the UI.
  2. Search the listing for the NSA – Cisco IOS Router Security rule set and click View in the Actions column.

    You can view the rules for this rule set in the pop-up.

  3. When you are finished viewing the rules, close the window.

To configure a rule set

  1. Open the Add Rule Set page.
  2. In the Name field, enter Security Rules.
  3. Select the Enabled option.
  4. Click the Spans tab.
  5. In the Assigned Network Spans field, select the Selected Network Span(s) option.
  6. Click Add. 
  7. In the Select a Network Span pop-up, do the following:
    1. Select Group.
    2. Select a realm.
    3. Click Browse, and select your Model_Cisco.model group from the list.
    4. Click OK.
  8. Click Save.

To configure a rule

  1. Open the Add Rules page.
  2. In the Name field, enter Restricted I/F Protocols.
  3. In the Rule Set field, click Browse and select Security Rules from the listing in the pop-up.
  4. Click the Grammar tab, and enter the rule grammar as shown in the following figure:

    RuleGrammar1.png
  5. On the Corrective Actions tab, add a corrective action that performs a Deploy to Active operation, with Configuration set to Complying With This Rule.
  6. Click Save.
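
To make concrete what a rule of this kind checks and what its corrective action has to produce, here is an added Python example that is not part of this page and not TrueSight Network Automation's own rule grammar or SmartMerge output. It assumes the rule is written to require the lines no ip proxy-arp, no ip redirects and no ip directed-broadcast in every interface stanza (the grammar in the figure above may differ), parses a constructed IOS running configuration, reports the interfaces that lack those lines, and builds the IOS commands that a Deploy to Active with Complying With This Rule would have to push. The hostname, interface names, addresses and configuration text are constructed for the example.

```python
"""Audit IOS interface stanzas for required 'no ...' lines and build the fix.

Added example: a stand-in for a 'Restricted I/F Protocols' rule plus its
corrective action. It is not TrueSight's rule grammar or SmartMerge output.
"""
import re
from typing import Dict, List, Sequence

# Assumed rule content: every interface must carry these lines. On IOS these
# features are enabled by default, so the running config shows a line only
# when they are disabled; a stanza without the line is a violation.
REQUIRED_NO_LINES = ("no ip proxy-arp", "no ip redirects", "no ip directed-broadcast")

# Constructed running-config excerpt (RFC 5737 documentation addresses).
COMPLIANT_CONFIG = """\
hostname cisco1720-01
!
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
!
interface Serial0
 ip address 198.51.100.1 255.255.255.252
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
!
end
"""

# The same device after 'interface fastEthernet0' / 'ip proxy-arp' was typed
# out of band: proxy ARP is back at its default, so its 'no' line is gone.
VIOLATING_CONFIG = COMPLIANT_CONFIG.replace(
    " ip address 192.0.2.1 255.255.255.0\n no ip proxy-arp\n",
    " ip address 192.0.2.1 255.255.255.0\n", 1)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its stanza lines (IOS indents them one space)."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' terminates a stanza in IOS output
            continue
        if not line.startswith(" "):
            match = re.match(r"interface (\S+)$", line)
            current = match.group(1) if match else None
            if current is not None:
                stanzas[current] = []
            continue
        if current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def audit(config: str, required: Sequence[str] = REQUIRED_NO_LINES) -> Dict[str, List[str]]:
    """Return {interface: [missing required lines]} for non-compliant interfaces only."""
    violations: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        present = set(lines)
        missing = [req for req in required if req not in present]
        if missing:
            violations[name] = missing
    return violations


def remediation_script(violations: Dict[str, List[str]]) -> List[str]:
    """IOS commands that add only the missing lines and leave everything else alone."""
    if not violations:
        return []
    script = ["configure terminal"]
    for name, missing in violations.items():
        script.append(f"interface {name}")
        script.extend(f" {line}" for line in missing)
        script.append(" exit")
    script.append("end")
    return script


if __name__ == "__main__":
    found = audit(VIOLATING_CONFIG)
    print("violations:", found)
    print("\n".join(remediation_script(found)))
```

The corrective action adds only the lines that are missing instead of rewriting the whole stanza, which is what merging against the running configuration buys you: the interface address and any other settings on the interface are left untouched.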

Detecting compliance violations made to the router

The following example creates a compliance violation on a Cisco Router.

From a computer other than the Network Automation application server, log on directly to the Cisco router and enter the following commands to force a compliance violation:

Note

  • This procedure assumes that a fastEthernet0 interface exists on your router and can be configured for ip proxy-arp to demonstrate a violation. If not, pick another interface.
  • Type the commands shown after each prompt and substitute your own values for the placeholders (for example, privileged_password). Ctrl+z means press z while holding down the Ctrl key.
  • Proxy ARP is enabled by default on Cisco IOS interfaces, so entering ip proxy-arp removes the no ip proxy-arp line from the running configuration; if the rule checks for that line, its absence is the violation.
  • The violation is reported when the system next checks compliance (see Defining when to audit compliance). If no device snapshot follows the change, submit a Refresh Device Status job for the router.

cisco1720-01> enable
Password: privileged_password
cisco1720-01# config terminal
cisco1720-01(config)# interface fastEthernet0   (or your selected interface)
cisco1720-01(config-if)# ip proxy-arp
cisco1720-01(config-if)# exit
cisco1720-01(config)# Ctrl+z
cisco1720-01# exit

Confirming violation notifications

Check to see that you received an e-mail or SNMP trap notification indicating a compliance violation on the Cisco router. If you received an email notification, view the Compliance Summary report for details on the violation.

Using the Discrepancy and Compliance Violation Details dashboard to remediate compliance violations

The Discrepancy and Compliance Violation Details dashboard is not displayed by default. Enable the Display Discrepancy and Compliance Violation Details Dashboard system parameter to display it.

The following example procedure shows how to use the dashboard to remediate compliance violations.

  1. In the Network Automation UI, click Home > Dashboard, open the Discrepancy and Compliance Violation Details dashboard, and confirm that a violation exists for the Cisco router for the Running configuration.
  2. Open the Compliance Summary Report page by clicking the Discrepancy icon in the Running Compliance Violation column.

    Note

    This report tells you what is in violation for all assigned rule sets. Click Failed in the Result column to view the violation information in the Difference Details Report.

  3. In the Compliance Summary Report page, click Remediate in the Actions column to correct the violation.
  4. In the Deploy to Active page, enter the following information, and click OK:
    1. In the Annotation field, enter Interface Change Non-Compliant, Enforcing Compliance.
    2. In the Configuration field, select Remediate With...
    3. Click Add Rule Set(s) and select one or more rule sets from the pop-up window.
    4. Click OK.
  5. (Optional) In the Actions tab on the Add Job page, click Preview to view the script that returns the configuration to the compliant state.
    The script built by SmartMerge Technology is how the system backs out changes without requiring a full configuration restore and reboot, or a manual back-out procedure.
  6. In the Details tab in the Add Job page, enter the following:
    1. In the Run At field, select the Now or When Approved option.
    2. Click Save and Submit.

Once the job has completed running, the Discrepancy icon for the Cisco Router disappears from the Dashboard.

Configuring policy to enforce rules

The example procedures in this section show how to configure policies to enforce rules. Compliance can be enforced on demand from the Dashboard and by using the Remediate span action. You can also define a policy that automatically corrects detected compliance violations. Because such a policy writes configuration to devices as soon as a violation event arrives, scope it deliberately: start with a narrow network span or use the Filter Rules option described in the procedure, and check the resulting jobs on the Jobs page before widening the scope.

To configure the enforce compliance policy

  1. Open the Add Policy page.
  2. In the Details tab, enter the following:
    1. In the Name field, enter Enforce Compliance.
    2. In the Type field, select the Event Based option.
    3. Select the Enabled option.
  3. Select the Conditions tab, and select Compliance Violation Detected Now in the Triggering Condition field.
  4. Click the Actions tab and do the following:
    1. Click Add Actions, and select Span Action > Remediate.
    2. In the Annotation field, enter Enforce Compliance.
    3. In the Network Span field, select Same as Triggering Device.
    4. In the Remediate With field, select All Assigned.
      You can click Filter Rules to narrow which assigned rules should be automatically corrected by the policy. See Fixing-compliance-violations.
    5. Click OK to add the action to the list that will be carried out when the policy is triggered by the event.
  5. Click Save.

To test the compliance enforcement

From a machine other than the Network Automation application server, log in directly to the Cisco router and enter the same commands used earlier to force a compliance violation:

Note

Type the commands shown after each prompt and substitute your own values for the placeholders (for example, privileged_password). Ctrl+z means press z while holding down the Ctrl key.

cisco1720-01> enable
Password: privileged_password
cisco1720-01# config terminal
cisco1720-01(config)# interface fastEthernet0   (or your selected interface)
cisco1720-01(config-if)# ip proxy-arp
cisco1720-01(config-if)# exit
cisco1720-01(config)# Ctrl+z
cisco1720-01# exit

  1. After the violation has been detected and the policy has completed running, confirm that the Dashboard no longer shows a violation for the Cisco router.
    You can observe the policy execution on the Jobs page (Network > Actions > Jobs).
  2. To filter the Job list down to just the policy entries, do the following:
    1. Click Filter in the menu.
    2. In the Originator field, select Policy.
    3. Click Submit.

Scalability Note

The previous policy enforced all assigned rule sets. You may enforce a subset of rules by defining a policy keyword and condition to detect violations to specific rule set(s) or rule(s) for a specific network span (that is, group of devices) and/or rule violation severity level. For rules not auto-enforced through a policy, you can request enforcement from the Dashboard, a Job Deploy to Active action, and Compliance Summary report.

Using the Compliance Summary report

This example describes how to use the Compliance Summary report to display, for a selected network span, the pass/fail compliance status against selected or all assigned rule sets. Some example uses of this report:

  • Compliance Auditing
    • Produce and distribute compliance audit reports. 
    • Use the report to return non-compliant devices to compliance with the Remediate report option. You can also return a device to compliance using a Job Remediate action.  
    • Test new rules before assigning to one or more groups.
  • Ad-Hoc Changes
    • When using rules to make ad-hoc changes, review which devices will be updated when the rule is applied using a Job Deploy to Active span action.

The following example procedure tests a Cisco Router against a factory installed rule set.

  1. Open the Compliance Summary Report page.
  2. In the Network Span field, select Device and the realm used by your Cisco Router.
  3. Click Browse and select your Cisco Router from the Select Device pop-up.
  4. (Optional) In the Configuration field, you may select the Current, Target or any Historical configuration file. 
  5. Click Next.
  6. Select the Selected Rule Sets option, and add the NSA – Cisco IOS Router Security rule set to the list. 
  7. Click Next.
  8. Select any additional report parameters as desired (View By, Status, Violation Severity, Categories, and Options). In this example, you clear the Only Show Devices Assigned to the Selected Rule Sets option. This allows you to audit rules without assigning rule set(s). 
  9. Click Next.
    The Compliance Summary Report page is displayed.

Scalability Note

In the previous step, you could have selected a larger network span and more rule sets to check compliance across many devices simultaneously. You can also audit rules based on assigned violation severity (for example, critical).

Using rules to make ad-hoc configuration changes

Rules can also be used to make ad-hoc configuration changes to a selected network span. In this example, a rule can be used to manage updates to a common access control list (ACL). You will first provision and assign an ACL to your device’s interfaces to set up the operational scenario. Then, you will use the rule to manage updates to the ACL.

To create the rule set

  1. Open the Add Rule Set page.
  2. In the Name field, enter Change: Edge ACL.
  3. Click the Spans tab, and select the Entire Network option.
  4. Click Save.

To create the rule to define the ACL

  1. Open the Add Rule page.
  2. In the Name field, enter Edge ACL.
  3. In the Rule Set field, click Browse and select Change: Edge ACL from the listing in the pop-up.
  4. Click the Grammar tab, and create the ACL definition as shown in the following figure:

    RuleGrammar2.png
  5. On the Corrective Actions tab, add a corrective action that performs a Deploy to Active operation, with Configuration set to Complying With This Rule.
  6. Click Save.

As necessary, you can use template substitution parameters to help maintain common ACL entries across multiple ACL rules. You may also use device substitution parameters when specifying ACL entries using subnet addresses or masks unique to the targeted device. See About-substitution-parameters.

The following figure shows a sample ACL definition using substitution parameters:

ACLSubsParams.png

To create a rule to apply the ACL to the device interfaces

Note

Typically, your ACLs are already assigned to interfaces. For this exercise, assume that the ACL is not yet assigned; assigning it to one or more interfaces here lets you demonstrate how the system later performs updates to an ACL that is in use.

  1. Open the Add Rule page.
  2. In the Name field, enter Apply Edge ACL.
  3. In the Rule Set field, click Browse and select Change: Edge ACL from the listing in the pop-up.
  4. Click the Grammar tab, and apply the ACL to the interfaces using the definition shown in the following figure:

    RuleGrammar3.png
  5. On the Corrective Actions tab, add a corrective action that performs a Deploy to Active operation, with Configuration set to Complying With This Rule.
  6. Click Save.

To enforce the rule using a Deploy to Active job

  1. Open the Add Job page.
  2. Open the Deploy to Active window and enter the following information:
    1. In the Annotation field, enter Provision ACL.
    2. In the Network Span field, select Device.  
    3. Click Browse and select your device from the listing in the pop-up.
    4. In the Configuration field, select Remediate With...
    5. Click Add Rule Set(s) and select Change: Edge ACL from the pop-up window.
    6. Click OK.
    7. (Optional) In the Actions tab on the Add Job page, click Preview to view the script built to provision the ACL.
  3. In the Details tab in the Add Job page, enter the following:
    1. In the Run At field, select the Now or When Approved option.
    2. Click Save and Submit.
  4. Verify the ACL has been added and assigned to your interfaces by viewing the Job Details report.

To manage updates to the ACL definition

  1. Open the Rules page.
  2. Find the Edge ACL rule and click Edit.
  3. In the Grammar tab of the Edit a Rule page, add an entry to the ACL that denies SQL Services, which is TCP port 118. In Cisco IOS extended ACL syntax that entry is deny tcp any any eq 118; an entry written as deny 118 any any would instead match IP protocol number 118, not a TCP port. Place the entry ahead of any permit entry that would otherwise match the traffic.
  4. Click Save.
  5. Open the Add Job page.
  6. Open the Deploy to Active pop-up and enter the following information:
    1. In the Annotation field, enter Updating ACL to deny SQL Services (118).
    2. In the Network Span field, select Device.
    3. Click Browse and select your device from the listing in the pop-up.
    4. In the Configuration field, select Remediate With...
    5. Click Add Rule Set(s) and select the Edge ACL rule of the Change: Edge ACL rule set (listed as Change: Edge ACL.Edge ACL) in the pop-up window.
    6. Click OK.
    7. (Optional) In the Actions tab on the Add Job page, click Preview to view the script built to update the ACL. Notice how the ACL update is made without exposing the interfaces: an ACL that is removed and recreated would leave the interfaces that reference it unfiltered until it is rebuilt.
  7. In the Details tab in the Add Job page, enter the following:
    1. In the Run At field, select the Now or When Approved option.
    2. Click Save and Submit.
  8. Verify the ACL has been updated by viewing the Job Details report.

You can apply similar procedures to manage any ad-hoc change.
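
The safety property the procedure points out, updating an ACL without ever leaving the interfaces unfiltered, can be shown with an added Python example that is not part of this page and is not SmartMerge's output. The unsafe way to apply a changed rule is to delete the named ACL and recreate it; while a referenced ACL does not exist, Cisco IOS permits all traffic on the interfaces that reference it. The generator below instead edits the ACL in place: it resequences the ACL, removes entries by sequence number and inserts new entries with a sequence number chosen between their neighbours, so the ACL is never removed. The ACL name EDGE-IN, its entries, the addresses and the resequence step of 100 are assumptions made for the example; the entry ordering rule (existing entries must keep their relative order) is the generator's own limitation.

```python
"""Build IOS named-ACL updates that edit the ACL in place.

Added example, not part of this page or of SmartMerge. Shows the unsafe
delete-and-recreate script beside an in-place script using sequence numbers.
"""
from typing import List


def naive_rebuild_script(name: str, desired: List[str]) -> List[str]:
    """The unsafe version: between 'no ip access-list ...' and the last entry the
    ACL does not exist, and IOS permits everything on interfaces that reference it."""
    return ["configure terminal",
            f"no ip access-list extended {name}",
            f"ip access-list extended {name}",
            *[f" {entry}" for entry in desired],
            " exit", "end"]


def acl_update_script(name: str, current: List[str], desired: List[str]) -> List[str]:
    """Return IOS commands that turn named ACL `name` from `current` into `desired`.

    `current` is the device's ordered entry list, `desired` the rule's. Existing
    entries are removed by sequence number and new ones inserted with a sequence
    number between their neighbours, so the ACL keeps filtering throughout.
    """
    if current == desired:
        return []
    kept_current = [e for e in current if e in desired]
    kept_desired = [e for e in desired if e in current]
    if kept_current != kept_desired:
        raise ValueError("desired list reorders existing entries; "
                         "an in-place edit would change the match order")
    # Resequence first (done in place, nothing is removed) so that every gap
    # between existing entries holds 99 free sequence numbers.
    seq = {entry: 100 * (i + 1) for i, entry in enumerate(current)}
    script = ["configure terminal",
              f"ip access-list resequence {name} 100 100",
              f"ip access-list extended {name}"]
    for entry in current:
        if entry not in desired:
            script.append(f" no {seq[entry]}")
    lo, i = 0, 0
    while i < len(desired):
        if desired[i] in seq:
            lo, i = seq[desired[i]], i + 1
            continue
        j = i
        while j < len(desired) and desired[j] not in seq:
            j += 1
        run = desired[i:j]                      # consecutive new entries
        hi = seq[desired[j]] if j < len(desired) else lo + 100 * (len(run) + 1)
        if hi - lo <= len(run):
            raise ValueError("not enough sequence numbers between neighbours")
        for k, entry in enumerate(run):
            script.append(f" {lo + (hi - lo) * (k + 1) // (len(run) + 1)} {entry}")
        i = j
    script += [" exit", "end"]
    return script


# Constructed data: the ACL as provisioned, then the rule after the edit that
# adds a deny for SQL Services (TCP port 118) ahead of the permits.
ACL_NAME = "EDGE-IN"
CURRENT_ACL = [
    "permit tcp any host 192.0.2.10 eq 443",
    "permit tcp any host 192.0.2.10 eq 80",
    "permit tcp any 192.0.2.0 0.0.0.255 established",
    "deny ip any any log",
]
DESIRED_ACL = ["deny tcp any any eq 118"] + CURRENT_ACL
# A later revision that also drops the port-80 permit.
DESIRED_ACL_NO_HTTP = [e for e in DESIRED_ACL if "eq 80" not in e]


if __name__ == "__main__":
    print("\n".join(acl_update_script(ACL_NAME, CURRENT_ACL, DESIRED_ACL_NO_HTTP)))
```

Run it and compare the two scripts for the same change: the naive one deletes EDGE-IN on its second line, the in-place one only ever issues a resequence, a no <seq> and an insert with an explicit sequence number. Reordering entries that already exist is refused on purpose, because doing that in place would change which entry matches first while the edit is half applied.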
