The following table lists the basic steps for using the Compliance feature.
| Step | Description | See |
|---|---|---|
| 1 | Create a compliance policy that contains a name and other descriptive text. | |
| 2 | Add rules to the compliance policy. The rules specify what constitutes a violation. | |
| 3 | You can add multiple custom policies and/or predefined system policies to the same profile. | Create a Compliance Profile That Contains Policies and Rules |
| 4 | Run a compliance audit by selecting a profile and scheduling an audit job. | |
| 5 | View the results of the compliance audit and, if necessary, fix the violations. | |
The Compliance feature uses device configuration baselines and audit policies to find and correct any configuration deviations in network devices. It is disabled by default because some of the compliance reports can impact system performance. To enable the Compliance feature, use the following procedure.
Step 1 | Choose , then choose . |
Step 2 | Next to Compliance Services, click Enable, then click Save. |
Step 3 | Re-synchronize Cisco EPN Manager's device inventory: choose Inventory > Network Devices, select all devices, then click Sync. |
Step 4 | Log out of Cisco EPN Manager and log in again to view Compliance under the Configuration tab. If you still don't see the Compliance options under the Configuration tab, ensure that you meet the system requirements explained in the latest Cisco Evolved Programmable Network Manager Installation Guide. |
You can create a new compliance policy starting with a blank policy template.
Add rules to the compliance policy. See Create Compliance Policy Rules.
Compliance policy rules are platform-specific and define what is considered a device violation. A rule can also contain CLI commands that fix the violation. When you are designing the compliance audit job, you can select the rules you want to include in the audit (see Run a Compliance Audit).
Cisco EPN Manager supports audits for the AireOS Wireless LAN Controller platform.
Step 1 | Choose , then select a policy from the navigation area on the left. |
Step 2 | From the work area pane, click New to add a new rule. If a similar rule exists, you can copy it by clicking Duplicate, editing the rule, and saving it with a new name. |
Step 3 | Configure the new rule by entering your rule criteria. |
Step 4 | Click Create. The rule is added to the compliance policy. You can create as many rules as you want. Remember that when you run the audit job, you can pick the rules you want to validate. |
Create a profile that contains the compliance policy and its rules, and then perform the audit using the profile. See Create a Compliance Profile That Contains Policies and Rules.
This compliance policy checks if either ip name-server 1.2.3.4 or ip name-server 2.3.4.5 is configured on the device. If neither is, the policy raises a violation with the message "DNS server must be configured as either 1.2.3.4 or 2.3.4.5."
| Tab | Tab Area | Field | Value |
|---|---|---|---|
| Condition Details | Condition Scope Details | Condition Scope | Configuration |
| Condition Details | Condition Match Criteria | Operator | Matches the expression |
| Condition Details | Condition Match Criteria | Value | ip name-server {1.2.3.4\|2.3.4.5} |
| Action Details | Select Match Action | Select Action | Does not raise a violation |
| Action Details | Select Does Not Match Action | Select Action | Raise a violation |
| Action Details | Select Does Not Match Action | Violation Message Type | User Defined Violation Message |
| Action Details | Select Does Not Match Action | Violation Text | DNS server must be configured as either 1.2.3.4 or 2.3.4.5 |
This compliance policy checks if either snmp-server community public or snmp-server community private is configured on a device (which is undesirable). If it is, the policy raises a violation with the message "Community string xxxxx configured", where xxxxx is the first violation that was found.
| Tab | Tab Area | Field | Value |
|---|---|---|---|
| Condition Details | Condition Scope Details | Condition Scope | Configuration |
| Condition Details | Condition Match Criteria | Operator | Matches the expression |
| Condition Details | Condition Match Criteria | Value | snmp-server community {public\|private} |
| Action Details | Select Match Action | Select Action | Raise a violation |
| Action Details | Select Does Not Match Action | Select Action | Continue |
| Action Details | Select Does Not Match Action | Violation Message Type | User Defined Violation Message |
| Action Details | Select Does Not Match Action | Violation Text | Community string xxxxx configured. |
This compliance policy checks if Cisco IOS software version 15.0(2)SE7 is installed on a device. If it is not, the policy raises a violation with the message "Output of show version contains the string xxxxx," where xxxxx is the Cisco IOS software version that does not match 15.0(2)SE7.
| Tab | Tab Area | Field | Value |
|---|---|---|---|
| Condition Details | Condition Scope Details | Condition Scope | Device Command Outputs |
| Condition Details | Condition Scope Details | Show Commands | show version |
| Condition Details | Condition Match Criteria | Operator | Contains the string |
| Condition Details | Condition Match Criteria | Value | 15.0(2)SE7 |
| Action Details | Select Match Action | Select Action | Continue |
| Action Details | Select Does Not Match Action | Select Action | Raise a Violation |
| Action Details | Select Does Not Match Action | Violation Message Type | User Defined Violation Message |
| Action Details | Select Does Not Match Action | Violation Text | Output of show version contains the string xxxxx. |
This compliance policy checks if the command ntp server appears at least twice on the device. If it does not, the policy raises a violation with the message "At least two NTP servers must be configured."
| Tab | Tab Area | Field | Value |
|---|---|---|---|
| Condition Details | Condition Scope Details | Condition Scope | Configuration |
| Condition Details | Condition Match Criteria | Operator | Matches the expression |
| Condition Details | Condition Match Criteria | Value | (ntp server.*\n){2,} |
| Action Details | Select Match Action | Select Action | Continue |
| Action Details | Select Does Not Match Action | Select Action | Raise a violation |
| Action Details | Select Does Not Match Action | Violation Message Type | User Defined Violation Message |
| Action Details | Select Does Not Match Action | Violation Text | At least two NTP servers must be configured. |
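The four example rules above share one shape: a scope (the device configuration or a show command's output), an operator (regex match or substring), and a pair of match/no-match actions. The following Python example is added here and is neither Cisco documentation nor the product's audit engine; it evaluates those four rules against constructed device data so the action logic can be checked before a rule is deployed. It assumes that the `{a|b}` brace syntax in the Value field means alternation, as the surrounding prose says, and that the expression is otherwise a standard regex.

```python
import re
# The page's four example rules as data. "violate_on" records which branch
# (Select Match Action / Select Does Not Match Action) is set to raise.
RULES = [
    {"name": "dns", "op": "regex", "scope": "config",
     "expr": "ip name-server {1.2.3.4|2.3.4.5}", "violate_on": "nomatch",
     "msg": "DNS server must be configured as either 1.2.3.4 or 2.3.4.5"},
    {"name": "snmp", "op": "regex", "scope": "config",
     "expr": "snmp-server community {public|private}", "violate_on": "match",
     "msg": "Community string xxxxx configured."},
    {"name": "ios", "op": "contains", "scope": "show version",
     "expr": "15.0(2)SE7", "violate_on": "nomatch",
     "msg": "Output of show version contains the string xxxxx."},
    {"name": "ntp", "op": "regex", "scope": "config",
     "expr": r"(ntp server.*\n){2,}", "violate_on": "nomatch",
     "msg": "At least two NTP servers must be configured."},
]

def to_python_regex(expr):
    # Assumption: {a|b} in the Value field is alternation ("either ... or ...").
    # Only braces containing '|' are rewritten, so quantifiers like {2,} survive.
    return re.sub(r"\{([^{}]*\|[^{}]*)\}", r"(?:\1)", expr)

def evaluate(rule, text):
    """Return the violation message for one rule, or None if the device passes."""
    if rule["op"] == "contains":            # "Contains the string": plain substring
        match, matched = None, rule["expr"] in text
    else:                                   # "Matches the expression": regex search
        match = re.search(to_python_regex(rule["expr"]), text)
        matched = match is not None
    if matched != (rule["violate_on"] == "match"):
        return None                         # the branch taken is Continue / no violation
    msg = rule["msg"]
    if match is not None:                   # xxxxx = the first violation found
        msg = msg.replace("xxxxx", match.group(0))
    return msg

def audit(config, show_version):
    """Apply every rule to one device; returns {rule name: message or None}."""
    sources = {"config": config, "show version": show_version}
    return {r["name"]: evaluate(r, sources[r["scope"]]) for r in RULES}

# Constructed sample device data (not taken from the page).
GOOD_CONFIG = ("ip name-server 2.3.4.5\nsnmp-server community Xk9q RO\n"
               "ntp server 10.0.0.1\nntp server 10.0.0.2\n")
BAD_CONFIG = ("ip name-server 9.9.9.9\nsnmp-server community public RO\n"
              "ntp server 10.0.0.1\nntp source Loopback0\nntp server 10.0.0.2\n")
SHOW_VER_OK = "Cisco IOS Software, Version 15.0(2)SE7, RELEASE SOFTWARE\n"
SHOW_VER_OLD = "Cisco IOS Software, Version 15.0(2)SE4, RELEASE SOFTWARE\n"
```

Under standard regex semantics `(ntp server.*\n){2,}` only matches when the ntp server lines are adjacent, which is why the second sample configuration reports an NTP violation although two servers are present; confirm how the product's engine treats this before relying on the rule.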
A compliance profile contains one or more compliance policies. When you add a compliance policy to a profile, all of the policy's rules are applied to the profile. You can customize the profile by selecting the policy rules you want to include (and ignoring the others). If you group several policies in a profile, you can select and deselect the rules for each policy.
Schedule the compliance audit job as described in Run a Compliance Audit.
To run a compliance audit, select a profile, choose the devices you want to audit (using the policies and rules in the profile), and schedule the audit job.
Step 1 | Choose . |
Step 2 | Select a profile in the Compliance Profiles navigation area on the left. |
Step 3 | Click the Run Compliance Audit icon in the Compliance Profiles navigation area. |
Step 4 | Expand the Devices and Configuration area, then select the devices and configuration files that you want to audit. |
Step 5 | Select Now to schedule the audit job immediately, or select Date and enter a date and time to schedule it later. Use the Recurrence option to repeat the audit job at regular intervals. |
Step 6 | Click Finish. An audit job is scheduled. To view the status of the audit job, choose Configuration > Compliance > Jobs. |
Check the audit results as described in View the Results of a Compliance Audit.
Use this procedure to check an audit job's results. The results tell you which devices were audited, which devices were skipped, which devices had violations, and so forth. Several different compliance policies may run on a single device.
After a job is created, you can set the following preferences for the job:
Step 1 | Choose . |
Step 2 | Click the Audit Jobs tab, locate your job, and check the information in the Last Run column. For a compliance audit job, the number of violations supported is 20000 for a Standard setup and 80000 for a Pro and above setup of Prime Infrastructure. |
Step 3 | If the audit check failed: |
Step 4 | For the most detail, click the Failure hyperlink to open the Compliance Audit Violation Details window. |
To fix any of the violations, see Fix Device Compliance Violations.
The following table shows the details that can be viewed from the Violation Details page.
| To View | Do the following |
|---|---|
| The status of scheduled fixable violation jobs. | 1. Go to the Violation Details page. 2. Click the Fixable column filter box and choose Running. |
| The details of Fixed violation jobs. | 1. Go to the Violation Details page. 2. Click the Fixable column filter box and choose Fixed. 3. Click the Fixed link. |
| The details of Fix Failed violation jobs. | 1. Go to the Violation Details page. 2. Click the Fixable column filter box and choose Fix Failed. 3. Click the Fix Failed link. |
Step 1 | Log in to Cisco Prime Infrastructure as an administrator. |
Step 2 | Choose . The Change Audit Dashboard displays the network audit logs and change audit data of device management, user management, configuration template management, device community and credential changes, and inventory changes of devices. The Change Audit report and Change Audit dashboard display the details irrespective of the virtual domain you are logged in to. |
You can view detailed violation information, export this data, and view details of compliance jobs. You can export detailed data for a specific job, or export summary data for multiple jobs.
To fix any of the violations, see Fix Device Compliance Violations.
Use this procedure to fix compliance violations for a failed compliance audit.
Step 1 | Choose . |
Step 2 | Click the Audit Jobs tab, locate your job, and check the information in the Last Run Result column. |
Step 3 | Click the Failure hyperlink to open the Compliance Audit Violation Details window. |
Step 4 | In the Job Details and Violations area, click Next. |
Step 5 | In the Violations by Device area, select the device and violation and click Next. |
Step 6 | In the Fix Rule Inputs area, preview the fix commands that were previously defined in the policy, then click Next. If custom policies are created with fix cli ^<Rule input ID>^ as the action for the condition, the Fix Rule Inputs tab is displayed. Enter the required fix rule values and click Next to continue. |
Step 7 | Review the configuration that is displayed in the Preview Fix Commands pop-up. |
Step 8 | Schedule the fix job so that the generated configuration can be deployed to the device, then click Schedule the Fix Job. |
To view any of the violations job details, see View Audit Failure and Violation Summary Details.
Compliance policies are saved as XML files. You can export individual compliance policies and, if desired, import them into another server. Files can only be imported in XML format.
Compliance policies are saved as XML files. To view the contents of a policy's XML file:
You can run a report to determine if any devices in your network have security vulnerabilities as defined by the Cisco Product Security Incident Response Team (PSIRT). The report includes Device PSIRT, Device Hardware EOX, Device Software EOX, and Field Notice information. You can also view documentation about the specific vulnerabilities that describes the impact of a vulnerability and any potential steps needed to protect your environment.
Note | PSIRT and EoX reports cannot be run for specific devices. When you schedule PSIRT and EoX jobs, the report is generated for all devices in Managed and Completed state (on the Inventory > Configuration > Network Devices page). |
Sync the devices prior to scheduling the job: choose , select the devices, then click Sync.
Step 1 | Choose . |
Step 2 | Schedule and run the job. A job is created in which Device PSIRT, Device Hardware EOX, Device Software EOX, and Field Notice information is gathered and reported. Separate jobs on each of the tabs need not be created. |
Step 3 | Click View Job Details to view the current status of the PSIRT report. |
Step 4 | When the report is completed, click the Device PSIRT tab to view PSIRT information. |
Step 5 | In the PSIRT Title column, click the hyperlink to view the full description of a security vulnerability. |
Step 6 | (Optional) You can export the device PSIRT details in PDF and CSV format for each device and for all devices collectively. |
You can run a report to determine if any Cisco device hardware or software in your network has reached end of life (EoX). This can help you determine product upgrade and substitution options.
Step 1 | Choose Reports > PSIRT and EoX. |
Step 2 | Click Schedule Job. A job is created in which Device PSIRT, Device Hardware EOX, Device Software EOX, and Field Notice information is gathered and reported. You do not create separate jobs on each of the tabs. |
Step 3 | After the job completes, click one of the following EOX tabs to view the report information specific to that tab: |
Step 4 | (Optional) You can export these device EoL details in PDF and CSV format for each device and for all devices collectively. |
You can run a report to determine if any Cisco devices that are managed and have completed a full inventory collection have any field notices. Field Notices are notifications that are published for significant issues, other than security vulnerability-related issues, that directly involve Cisco products and typically require an upgrade, workaround, or other customer action.
Step 1 | Choose Reports > PSIRT and EoX. |
Step 2 | Click Schedule Job. A job is created in which Device PSIRT, Device Hardware EOX, Device Software EOX, and Field Notice information is gathered and reported. You do not create separate jobs on each of the tabs. |
Step 3 | Click the Field Notice tab to view field notice information. |
Step 4 | Click on the hyperlink in the Field Notice Name column to view more information on cisco.com. |
Step 5 | (Optional) You can export the device field notice details in PDF and CSV format for each device and for all devices collectively. |