Important: This version of the product has reached end of support. The documentation is available for your convenience.

Remediating compliance violations


This topic provides an overview of the Remediate span action and describes how to run this action to remediate compliance violations.

Overview

A job with the Remediate action runs the corrective actions defined in the violated rules. For each device in the selected network span, the job runs the corrective action for each trail that is currently in violation of a selected rule. Only active violations are corrected; active violation status is maintained during configuration snapshot change processing or by running a Refresh Device Status action.

Unlike the Deploy to Active and Deploy to Stored actions, a Remediate action can run any type of corrective action. When you choose a remediating configuration, the Deploy to Active and Deploy to Stored actions can run only the Deploy to Active or Deploy to Stored corrective actions. A Remediate action can also run Deploy OS Image and custom actions.

A Remediate action expands into one or more sub-actions, each one of which executes one or more corrective actions. This process forms a hierarchy of actions that can be observed when previewing the configurations, when viewing the job details, and in the Job Summary report. The Remediate action itself carries no per-device results; the sub-actions get the per-device results.

During upgrade, the existing rules that are associated with the running trail are automatically given a Deploy to Active corrective action, which pushes a compliant configuration by using incremental merge when supported. Rules that are associated with the startup configuration are automatically given a Deploy to Startup corrective action, which pushes a compliant configuration. However, any rule that has OS Image Name as its domain does not get any corrective actions.

Access to the Remediate span action is controlled through the Run Associated Remediate Actions network right. If you have this right, you can execute any type of corrective action. For example, if you do not have the right to perform the Deploy OS Image action but you do have the right to run the Remediate action, you can remediate rules whose corrective action is Deploy OS Image. You still cannot run the Deploy OS Image action directly, only from within a Remediate action. Network span action rights also do not affect your ability to access rule sets or rules; that is, you can create and edit rules with any type of corrective action, regardless of your network span action rights. Taken together, a role that holds the Remediate right can run corrective actions of types it has no direct right to, so review it as a broad grant when assigning roles. During upgrade, only the Administrator role receives the right to run the Remediate span action. You must edit the required roles to grant this right as appropriate to your site.

During upgrade, the system parameter Enable Job Approval For Actions does not include the Remediate action by default. You must edit the system parameter based on your job approval plan, and decide if the Remediate action should be selected.

The following video (4:03) explains how to run a Remediate action.

https://www.youtube.com/watch?v=1Zna2UPSHVo

To run the Remediate action

  1. On the Add Job page, select Add Action > Span Actions > Remediate.
  2. Enter information in the following fields:


  3. In the Remediate With field, select which rules that are currently in violation are to be remediated or corrected:
    • All Assigned: Remediate all or a subset of the currently assigned rule sets.
       Click Filter Rules to set the rule filter criteria. For example, you might want to enforce assigned rules based on violation severity.
    • Selected Rule Set(s) and/or Rule(s): Remediate any number of selected rule sets, rules, or both.
  4. Select any of the following options, as relevant:


  5. Click OK to add the action to the job.

You can preview the compliant configurations, incremental merge scripts, and resolved templates by clicking the scripts icon on the Add Job page, as shown in the following figure. To assess the change against the current configurations, click the report details icon. TrueSight Network Automation displays a Compliance Summary Report for analysis.

[Figure: JobActions.png]

 
