Perform Configuration Audits Using Compliance

This chapter contains the following topics:

How To Perform a Compliance Audit

The following table lists the basic steps for using the Compliance feature.

1. Create a compliance policy that contains a name and other descriptive text.
   See: Create a New Compliance Policy

2. Add rules to the compliance policy. The rules specify what constitutes a violation.
   See: Create Compliance Policy Rules

3. Create a compliance profile (which you will use to run an audit on network devices) and:
     • Add a compliance policy to it.
     • Choose the policy rules you want to include in the audit.
   You can add multiple custom policies and/or predefined system policies to the same profile.
   See: Create a Compliance Profile That Contains Policies and Rules

4. Run a compliance audit by selecting a profile and scheduling an audit job.
   See: Run a Compliance Audit

5. View the results of the compliance audit and, if necessary, fix the violations.
   See: View the Results of a Compliance Audit

Enable and Disable Compliance Auditing

The Compliance feature uses device configuration baselines and audit policies to find and correct any configuration deviations in network devices. It is disabled by default because some of the compliance reports can impact system performance. To enable the Compliance feature, use the following procedure.


Note


To use the compliance feature, your system must meet the Professional sizing requirements, as specified in the Cisco Prime Infrastructure Quick Start Guide.



Note


In Prime Infrastructure, disabling compliance auditing disables the compliance from GUI and stops the compliance data collection in the background. You must restart the Prime Infrastructure server and resync the devices for the compliance settings to be functional.


Procedure


Step 1

Choose Administration > Settings > System Settings, then choose General > Server.

Step 2

Next to Compliance Services, click Enable, then click Save.

Step 3

Restart the application.

Step 4

Resynchronize the device inventory: Choose Inventory > Network Devices, select all devices, then click Sync.


Create a New Compliance Policy

You can create a new compliance policy starting with a blank policy template.

Procedure


Step 1

Choose Configuration > Compliance > Policies.

Step 2

Click the Create Compliance Policy (+) icon in the Compliance Policies navigation area on the left.

Step 3

In the dialog box, enter a name and optional description, then click Create. The policy is added to the Compliance Policies navigation area on the left.

To duplicate the policy, select the policy radio button and click Duplicate.


Create Compliance Policy Rules

Compliance policy rules are platform-specific and define what is considered a device violation. A rule can also contain CLI commands that fix the violation. When you are designing the compliance audit job, you can select the rules you want to include in the audit (see Run a Compliance Audit).

Procedure


Step 1

Choose Configuration > Compliance > Policies, then select a policy from the navigation area on the left.

Step 2

From the work area pane, click New to add a new rule.

If a similar rule exists, you can copy the rule by clicking Duplicate, editing the rule, and saving it with a new name.

Step 3

Configure the new rule by entering your rule criteria.

Note

For explanations of the fields that are displayed in the New Rule window, see the Cisco Prime Infrastructure Reference Guide (the information in that document also applies to Prime Infrastructure).

Note

Prime Infrastructure supports all Java-based regular expressions. See http://www.rexegg.com/regex-quickstart.html.

  1. Enter a title, description, and other information in the Rule Information text fields. This information is free text and does not impact any of the rule settings.

  2. Specify the devices for this rule in the Platform Selection area.

  3. (Optional) In the Rule Inputs area, click New and specify the input fields that should be displayed to a user when they run a policy that contains this rule. For example, you could prompt a user for an IP address.

    Note

    If you choose the Accept Multiple Values check box, the audit will pass only if all the rule inputs match in the condition.

  4. In the Conditions and Actions area, click New and specify the criteria that will be checked. This determines the rule pass and fail conditions. For examples, see Examples—Rule Conditions and Actions.

    Select the Parse as Blocks check box in the Block Options section to split the entire running configuration into blocks and search for the condition match criteria value within each block.

    The blocks are split based on the start and end expressions you provide in the Block Start Expression and Block End Expression text boxes. Once the blocks are formed, each block is matched against the condition specified in the Value field of the Condition Match Criteria section, and the corresponding actions are performed. For the second condition, set the Condition Scope to Previously Matched Blocks so that only the blocks matched by the first condition are parsed.

    Note

    If you do not select the Parse as Blocks check box, the condition value is searched across the entire running configuration and a single violation is raised for all matching instances.

    When you create a new rule, do not combine the Continue option in the Select Match Action section with the Does Not Raise a Violation option in the Select Does Not Match Action section, or vice versa; these combinations are invalid.

Step 4

Click Create. The rule is added to the compliance policy.

You can create as many rules as you want. Remember that when you want to run the audit job, you can pick the rules you want to validate.

Note

When you create a new compliance policy rule, or validate a rule or command that uses regular expressions, test the expressions with a Java regex engine.


What to do next

Create a profile that contains the compliance policy and its rules, and then perform the audit using the profile. See Create a Compliance Profile That Contains Policies and Rules.

Example: Block Options

This compliance policy checks whether any rogue or unauthorized SNMP community strings are defined in the given blocks. If they are detected in the blocks, the policy raises a violation with the message “Detected unauthorized community string <1.1>” and removes all non-compliant SNMP strings from the blocks.

Rule Information tab
  Rule Title: snmp-server community having non-standard entries
  Platform Selection: Cisco IOS Devices, Cisco IOS-XE Devices

Condition 1
  Condition Details tab, Condition Scope Details area
    Condition Scope: Configuration
  Block Options area
    Block Start Expression (enabled only when the Parse as Blocks check box is selected): ^snmp-server community .*
  Condition Match Criteria area
    Operator: Matches the expression
    Value: snmp-server community (.*)
  Action Details tab, Select Match Action area
    Select Action: Continue
  Select Does Not Match Action area
    Select Action: Does Not Raise a Violation

Condition 2
  Condition Details tab, Condition Scope Details area
    Condition Scope: Previously Matched Blocks
  Block Options area
    Block Start Expression (enabled only when the Parse as Blocks check box is selected): ^snmp-server community .*
  Condition Match Criteria area
    Operator: Matches the expression
    Value: snmp-server community ((public RO)|(private RW))
  Action Details tab, Select Match Action area
    Select Action: Continue
  Select Does Not Match Action area
    Select Action: Raise a Violation
    Violation Message Type: User Defined Violation Message
    Violation Text: Detected unauthorized community string <1.1>.


Note


In the above example, the capture groups of the first condition are referred to as 1.1, 1.2, and so on. For the second condition, the capture groups are referred to as 2.1, 2.2, and so on.
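The block-parsing flow described in the Parse as Blocks notes above and in this Block Options example, worked through in Python as an added example. This is not code from the page or from Prime Infrastructure, which evaluates its rules with a Java regex engine; Python's re module stands in here because the patterns in the example use only syntax the two engines share. The sample running configuration is constructed for the example. Where the page leaves the block boundary unspecified (no Block End Expression is given), the code assumes a block runs from one Block Start Expression match to the next such match or to the next IOS "!" separator line, whichever comes first. The last function illustrates the single-violation behaviour you get without Parse as Blocks, with a message wording of its own.

```python
import re

# Constructed sample running configuration (not taken from the page).
# It holds three "snmp-server community" blocks: two that match the
# authorized pattern of the page's example and one that does not.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t RO 10
snmp-server location Lab rack 4
!
ntp server 10.0.0.1
"""

# Values transcribed from the page's Block Options example.
BLOCK_START = r"^snmp-server community .*"
COND1_VALUE = r"snmp-server community (.*)"
COND2_VALUE = r"snmp-server community ((public RO)|(private RW))"
VIOLATION_TEXT = "Detected unauthorized community string <1.1>."


def split_into_blocks(config: str, start_expr: str) -> list[str]:
    """Split the running configuration into blocks.

    Assumption (the page gives no Block End Expression): a block begins at
    every line matching the Block Start Expression and ends just before the
    next such line or at an IOS "!" separator line. Lines before the first
    start line belong to no block.
    """
    start = re.compile(start_expr)
    blocks: list[list[str]] = []
    current = None
    for line in config.splitlines():
        if start.search(line):
            current = [line]
            blocks.append(current)
        elif current is not None and line.strip() == "!":
            current = None
        elif current is not None:
            current.append(line)
    return ["\n".join(b) for b in blocks]


def capture_groups(match: re.Match, condition: int) -> dict:
    """Index a condition's capture groups as (condition, group) pairs, which
    is what the <1.1>, <1.2>, ... placeholders in a violation text refer to."""
    return {(condition, i): match.group(i) or ""
            for i in range(1, (match.lastindex or 0) + 1)}


def substitute_refs(text: str, captures: dict) -> str:
    """Replace each <c.g> placeholder with group g captured by condition c."""
    return re.sub(r"<(\d+)\.(\d+)>",
                  lambda m: captures.get((int(m.group(1)), int(m.group(2))), ""),
                  text)


def audit_blocks(config: str) -> list[str]:
    """Evaluate the two-condition rule block by block; return the violations raised."""
    violations = []
    for block in split_into_blocks(config, BLOCK_START):
        # Condition 1 (scope Configuration, Parse as Blocks): match -> Continue;
        # does not match -> Does Not Raise a Violation, so the block simply
        # drops out of the set that condition 2 sees.
        m1 = re.search(COND1_VALUE, block)
        if not m1:
            continue
        captures = capture_groups(m1, 1)
        # Condition 2 (scope Previously Matched Blocks): match -> Continue;
        # does not match -> Raise a Violation using the condition-1 capture.
        if re.search(COND2_VALUE, block):
            continue
        violations.append(substitute_refs(VIOLATION_TEXT, captures))
    return violations


def audit_whole_config(config: str) -> list[str]:
    """Without Parse as Blocks the value is searched across the entire running
    configuration and one violation covers every matching instance.
    The message wording here is constructed for the example."""
    matches = re.findall(COND1_VALUE, config)
    if not matches:
        return []
    return ["Community strings found: " + "; ".join(matches)]


if __name__ == "__main__":
    for v in audit_blocks(SAMPLE_CONFIG):
        print("block mode:", v)
    for v in audit_whole_config(SAMPLE_CONFIG):
        print("whole-config mode:", v)
```

Run against the sample, block mode raises one violation naming the third community string, while whole-config mode raises a single violation listing all three. The second condition treats public RO and private RW as the authorized strings exactly as the page's example does; in a real policy you would substitute the community strings your organization has approved, since public and private are the well-known defaults that are usually the first thing you want flagged.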


Example Conditions and Actions: Community Strings

This compliance policy checks if either snmp-server community public or snmp-server community private is configured on a device (which is undesirable). If it is, the policy raises a violation with the message "Community string xxxxx configured", where xxx is the first violation that was found.

Condition Details tab, Condition Scope Details area
  Condition Scope: Configuration
Condition Match Criteria area
  Operator: Matches the expression
  Value: snmp-server community {public|private}
Action Details tab, Select Match Action area
  Select Action: Raise a violation
Select Does Not Match Action area
  Select Action: Continue
Violation Message Type: User Defined Violation Message
Violation Text: Community string xxxxx configured.

Example Conditions and Actions: IOS Software Version

This compliance policy checks if Cisco IOS software version 15.0(2)SE7 is installed on a device. If it is not, the policy raises a violation with the message "Output of show version contains the string xxxxx," where xxxx is the Cisco IOS software version that does not match 15.0(2)SE7.

Condition Details tab, Condition Scope Details area
  Condition Scope: Device Command Outputs
  Show Commands: show version
Condition Match Criteria area
  Operator: Contains the string
  Value: 15.0(2)SE7
Action Details tab, Select Match Action area
  Select Action: Continue
Select Does Not Match Action area
  Select Action: Raise a Violation
  Violation Message Type: User Defined Violation Message
  Violation Text: Output of show version contains the string xxxxx.

Example Conditions and Actions: NTP Server Redundancy

This compliance policy checks if the command ntp server appears at least twice on the device. If it does not, the policy raises a violation with the message "At least two NTP servers must be configured."

Condition Details tab, Condition Scope Details area
  Condition Scope: Configuration
Condition Match Criteria area
  Operator: Matches the expression
  Value: (ntp server.*\n){2,}
Action Details tab, Select Match Action area
  Select Action: Continue
Select Does Not Match Action area
  Select Action: Raise a violation
  Violation Message Type: User Defined Violation Message
  Violation Text: At least two NTP servers must be configured.
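The three single-condition examples above (community strings, IOS software version, NTP server redundancy), together with the earlier rule that Continue must not be paired with Does Not Raise a Violation, as an added Python example. It is not code from the page or from Prime Infrastructure; Python's re module stands in for the Java regex engine the product uses. The device snapshots (running configuration and show version output) are constructed. The rule records transcribe the page's tables, with two adjustments: the community-string alternation is written as (public|private), the grouping syntax both Python's re and Java regex accept, and the violation placeholder uses the page's <condition.group> convention.

```python
import re

# Constructed device snapshots (not from the page): the running configuration
# the audit reads from the archive, plus the "show version" output that a
# Device Command Outputs condition fetches directly from the device.
NONCOMPLIANT_DEVICE = {
    "config": "hostname access-sw-7\nsnmp-server community public RO\nntp server 10.0.0.1\n",
    "show version": "Cisco IOS Software, C2960 Software, Version 15.0(2)SE4, RELEASE SOFTWARE\n",
}
COMPLIANT_DEVICE = {
    "config": "hostname access-sw-8\nsnmp-server community n3tm0n-ro RO 10\n"
              "ntp server 10.0.0.1\nntp server 10.0.0.2\n",
    "show version": "Cisco IOS Software, C2960 Software, Version 15.0(2)SE7, RELEASE SOFTWARE\n",
}

# The page's three single-condition examples as rule records.
RULES = [
    {"title": "Community strings", "scope": "Configuration",
     "operator": "Matches the expression",
     "value": r"snmp-server community (public|private)",
     "match": "Raise a Violation", "no_match": "Continue",
     "text": "Community string <1.1> configured."},
    {"title": "IOS software version", "scope": "Device Command Outputs",
     "command": "show version", "operator": "Contains the string",
     "value": "15.0(2)SE7",
     "match": "Continue", "no_match": "Raise a Violation",
     "text": "Output of show version contains the string xxxxx."},
    {"title": "NTP server redundancy", "scope": "Configuration",
     "operator": "Matches the expression", "value": r"(ntp server.*\n){2,}",
     "match": "Continue", "no_match": "Raise a Violation",
     "text": "At least two NTP servers must be configured."},
]

ACTIONS = {"Continue", "Raise a Violation", "Does Not Raise a Violation"}


def validate_actions(match_action: str, no_match_action: str) -> bool:
    """Apply the page's constraint: Continue paired with Does Not Raise a
    Violation, in either order, is an invalid combination."""
    pair = {match_action, no_match_action}
    if not pair <= ACTIONS:
        raise ValueError(f"unknown action in {pair}")
    return pair != {"Continue", "Does Not Raise a Violation"}


def condition_input(rule: dict, device: dict) -> str:
    """Select the text the condition runs against from its Condition Scope."""
    if rule["scope"] == "Configuration":
        return device["config"]
    if rule["scope"] == "Device Command Outputs":
        return device[rule["command"]]
    raise ValueError(f"unsupported scope {rule['scope']!r}")


def evaluate(rule: dict, text: str):
    """Return (matched, captures) for the rule's operator and value."""
    if rule["operator"] == "Contains the string":
        return rule["value"] in text, {}
    if rule["operator"] == "Matches the expression":
        m = re.search(rule["value"], text, re.MULTILINE)
        if m is None:
            return False, {}
        return True, {(1, i): m.group(i) or "" for i in range(1, (m.lastindex or 0) + 1)}
    raise ValueError(f"unsupported operator {rule['operator']!r}")


def audit(device: dict, rules: list) -> list:
    """Run every rule against one device; return (title, message) per violation."""
    violations = []
    for rule in rules:
        if not validate_actions(rule["match"], rule["no_match"]):
            raise ValueError(f"invalid action pair in rule {rule['title']!r}")
        matched, captures = evaluate(rule, condition_input(rule, device))
        action = rule["match"] if matched else rule["no_match"]
        if action == "Raise a Violation":
            message = re.sub(r"<(\d+)\.(\d+)>",
                             lambda p: captures.get((int(p.group(1)), int(p.group(2))), ""),
                             rule["text"])
            violations.append((rule["title"], message))
    return violations


if __name__ == "__main__":
    for title, message in audit(NONCOMPLIANT_DEVICE, RULES):
        print(f"{title}: {message}")
    print("compliant device violations:", audit(COMPLIANT_DEVICE, RULES))
```

The non-compliant snapshot trips all three rules (default community string, wrong IOS release, a single NTP server); the compliant one raises nothing. Note that the NTP pattern only matches when the two ntp server lines are adjacent and newline-terminated, which is how IOS emits them in a running configuration.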

Create a Compliance Profile That Contains Policies and Rules

A compliance profile contains one or more compliance policies. When you add a compliance policy to a profile, all policy rules are applied to the profile. You can customize the profile by selecting the policy rules that you want to include (and ignoring the others). If you group several policies in a profile, you can check and uncheck the rules for each policy.

If you log in as Root, Admin, or Super User, you can do the following:

  • Create, edit, or delete a profile.

  • Select the rules that are created in the Policies page.


Note


"Other" users must enable the following task permissions to perform the relevant actions:
  • Compliance Audit Profile Access to run the profile, refresh the profile and browse through the policies in the profile.

  • Compliance Audit Profile Edit Access to create and edit a compliance audit profile.

If you do not select the Compliance Audit Profile Access task permission, you will not be able to view the Profile page, even if you have selected the Compliance Audit Profile Edit Access task permission.


Procedure


Step 1

Choose Configuration > Compliance > Profiles.

Step 2

Click the Create Policy Profile (+) icon in the Compliance Profiles navigation area on the left. This opens the Add Compliance Policies dialog box.

Step 3

Select the policies you want to include in the profile. User defined policies will be available under the User Defined category.

  1. In the Add Compliance Policies dialog box, choose the policies you want to add.

  2. Click OK. The policies are added to the Compliance Policy Selector area.

Step 4

Select the rules that you want to include in the policy.

  1. Select a policy in the Compliance Policy Selector area. The policy's rules are displayed in the area on the right.

  2. Check or uncheck specific rules, then click Save.

Note

 
The choices you make here only apply to the policy instance in this profile. Your choices do not modify the original version of the compliance policy.

What to do next

Schedule the compliance audit job as described in Run a Compliance Audit.

Run a Compliance Audit

To run a compliance audit, select a profile, choose the devices you want to audit (using the policies and rules in the profile), and schedule the audit job.

Procedure


Step 1

Choose Configuration > Compliance > Profiles.

Step 2

Select a profile in the Compliance Profiles navigation area on the left.

Step 3

Click the Run Compliance Audit icon in the Compliance Profiles navigation area.

Step 4

Expand the Devices and Configuration area and select the devices and configuration files that you want to audit.

  1. Select the devices (or device groups).

  2. Specify which configuration file you want to audit.

    • Use Latest Archived Configuration—Audit the latest backup file from the archive. If no backup file is available, Prime Infrastructure does not audit the device.

    • Use Current Device Configuration—Poll and audit the device's running configuration.

      When you select this option, Prime Infrastructure first backs up the configuration from the device and then performs the audit. This is useful when periodic or event-triggered configuration backup is not enabled, and also because the archived configuration in Prime Infrastructure is often out of sync with the device.

    Note

    If you specified Device Command Outputs as the Condition Scope when defining compliance rules, the show command output is fetched directly from the device, not from the latest archived or current configuration.

  3. Click Next.

Step 5

Enter a value in the Configure Idle Time Limit (min) field. By default, the time limit is 5 minutes; you can enter a number between 5 and 30 to change it. The audit job is aborted if it is idle for the configured time limit.

Step 6

Select Now to schedule the audit job immediately or select Date and enter a date and time to schedule it later.

Use the Recurrence option to repeat the audit job at regular intervals.

Step 7

Click Finish. An audit job is scheduled. A notification pop-up will appear once the audit job is scheduled. To view the status of the audit job, choose Administration > Dashboards > Job Dashboard > User Jobs > Compliance Jobs.

Step 8

You will receive an email after the job completes. For an audit job, the subject line has the form Hostname: Job type: Profile name: Job status; for a fix job, it has the form Hostname: Job type: Job status. The subject line also contains the subject specified by the user in the Mail Server Configuration screen or the Job Notification Mail screen, if any.

Step 9

The email triggered for an audit job contains the following details: Job Name, Job Type, Status, LastRunStatus, PI HostName, PI Host IP, Policy Profile Name, Total Device Count, Audited Device Count, Non-Audited Device Count, and links to verify the profile and job details.

Step 10

The email triggered for a fix job contains the following details: Job Name, Job Type, Status, LastRunStatus, PI HostName, PI Host IP, and a link to verify the job details.

Step 11

You will receive the job details in CSV format as an attachment. The CSV file is not password-protected.


What to do next

Check the audit results as described in View the Results of a Compliance Audit.

View the Results of a Compliance Audit

Use this procedure to check the results of an audit job. The results tell you which devices were audited, which devices were skipped, which devices had violations, and so forth. Several different compliance policies may run on a single device.

After a job is created, you can set the following preferences for the job:

  • Pause Series—Can be applied only on jobs that are scheduled in the future. You cannot suspend a job that is running.

  • Resume Series—Can be applied only on jobs that have been suspended.

  • Edit Schedule—Change the scheduled run time of a job.

Procedure


Step 1

Choose Administration > Dashboards > Job Dashboard > User Jobs > Compliance Jobs.

Step 2

Click the Audit Jobs tab, locate your job, and check the information in the Last Run column.

The Last Run Result column shows one of the following values:

  • Failure: One or more audited devices have a violation against the policies specified in the profile.

  • Partial Success: The compliance job contains a mix of audited and non-audited devices, and the compliance status of the audited devices is successful.

  • Success: All audited devices conform to the policies specified in the profile.

For a compliance audit job, the number of violations supported is 20000 for Standard setup and 80000 for Pro and above setup of Prime Infrastructure.

Step 3

If the audit check failed:

  • To see which devices failed, hover over the "i" icon next to the Failure hyperlink to display a details popup.
  • Launch a Device 360 view by selecting the job, clicking View Job Details, and clicking the "i" icon next to a device in the popup window.

Note

 

For the compliance job to run successfully, ensure that the device prompt and the device hostname are the same when you configure the device.

Step 4

For the most detail, click the Failure hyperlink to open the Compliance Audit Violation Details window.

Note

 
Use the Next and Previous buttons to traverse the Compliance Audit Violation Details window.
  • Check the Job Details and Violations area for a summary of the failures. The fields are described in the section Administration > Dashboards > Job Dashboard > User Jobs > Compliance Jobs in Cisco Prime Infrastructure Field Reference.
  • Check the Violations by Device area for per-device details.

What to do next

To fix any of the violations, see Fix Compliance Violations on Devices.

Fix Compliance Violations on Devices

Prime Infrastructure allows you to fix any compliance violations that appear on devices.

Procedure


Step 1

Choose Administration > Dashboards > Job Dashboard > User Jobs > Compliance Jobs.

Step 2

Click Failure under the Last Run Result column for any job in which compliance violations were found. Prime Infrastructure displays the violation status of all policies that were run as part of the compliance audit.

Step 3

Choose one or more Fixable violations in the Violation Details page and click Next.

If you choose all the fixable violations and if the number of fixable violations is more than 15000 then only the first 15000 rows will be selected.

Step 4

Click Save Startup Config; you can select the Copy Running Config to Startup option to copy the running configuration to the startup configuration.

Step 5

Click the expand arrow to view the devices for which the Enter Fix Input option is enabled.

Step 6

Choose the devices for which you want to apply a fix and click Enter Fix Input to enter the details.

Step 7

Click Next.

Step 8

Select the schedule for applying the configuration changes to the device, then click Schedule Fix Job.

Important

 
Compliance policies ignore any change request to the device OS, family, or product of managed devices that have already been added. During device migration, it is recommended that you delete and re-add the devices.

View Violation Summary Details

You can run a report to display summarized violation details for all the audit jobs that failed. To generate the report, follow these steps:

Procedure


Step 1

Choose Configuration > Compliance > Violation Summary.

The report displays the summarized details of the job failure.

Step 2

You can download the reports in PDF and CSV formats.

You cannot export the following compliance reports if the available server memory is less than the configured memory. Also, while one compliance export job is running, you cannot export another compliance report.

  • Violation summary report
  • PSIRT and EOX report (Device PSIRT, Device Hardware EOX, Device Software EOX, Field Notice)
  • Compliance Jobs
    • Audit job failure > Violation details report

    • Audit job success report
    • Fix job success report
    • Fix job failure report

View Violation Job Details

The following table shows the details that can be viewed from the Violation Details page.

To view the status of scheduled fixable violation jobs:

  1. Go to the Violation Details page.

  2. Click the Fixable column filter box and choose Running.

To view the details of Fixed violation jobs:

  1. Go to the Violation Details page.

  2. Click the Fixable column filter box and choose Fixed.

  3. Click the Fixed link.

To view the details of Fix Failed violation jobs:

  1. Go to the Violation Details page.

  2. Click the Fixable column filter box and choose Fix Failed.

  3. Click the Fix Failed link.

Import and Export Compliance Policies

Compliance policies are saved as XML files. You can export individual compliance policies and, if desired, import them into another server. Files can only be imported in XML format.

Procedure


Step 1

Choose Configuration > Compliance > Policies.

Step 2

To export a compliance policy:

  1. Hover the mouse over the "i" icon next to the policy in the Compliance Policies navigation area on the left.

  2. In the popup window, click the Export Policy as XML hyperlink, and save the file.

Step 3

To import a compliance policy:

  1. Click the Import Policies icon above the Compliance Policies navigation area on the left.

  2. In the Import Policies dialog box, click Choose Policies.

  3. Browse to the XML file and select it.

  4. Click Import.

  5. Click the warning icon next to Import Policies to check the logs for policies that failed to import.


View the Contents of a Compliance Policy XML File

Compliance policies are saved as XML files. To view the contents of a policy's XML file:

Procedure


Step 1

Choose Configuration > Compliance > Policies.

Step 2

Locate the policy in the Compliance Policies navigation area on the left, then hover your mouse over the "i" icon next to the policy.

Step 3

In the popup window, click the View Policy as XML hyperlink. Prime Infrastructure displays the content in XML format.


View PSIRT and EOX Information


Note


The PSIRT and EOX page displays the PAS and RBML bundle generation dates. The PAS report holds the PSIRT and EoX records that were published on or before the bundle generation dates; it does not display PSIRT records published after the bundle was generated.

View Device Security Vulnerabilities

You can run a report to determine if any devices in your network have security vulnerabilities as defined by the Cisco Product Security Incident Response Team (PSIRT). The report includes Device PSIRT, Device Hardware EOX, Device Software EOX, Module Hardware EOX and Field Notice information. You can also view documentation about the specific vulnerabilities that describes the impact of a vulnerability and any potential steps needed to protect your environment.


Note


PSIRT and EOX reports cannot be run for specific devices. When you schedule PSIRT and EOX jobs, the report is generated for all devices in Managed and Completed state (on the Inventory > Configuration > Network Devices page).

Before you begin

Sync the devices prior to scheduling the job. Choose Configuration > Network Devices, select the devices, then click Sync.

Procedure


Step 1

Choose Reports > PSIRT and EoX.

Step 2

Schedule and run the job. The Schedule dialog box appears. You can set the Start Time and Recurrence options and then click the Submit button to schedule the job. Click the OK button, in the pop-up that appears, to delete the already scheduled job and create a new one.

A job is created in which Device PSIRT, Device Hardware EOX, Device Software EOX, Module Hardware EOX, and Field Notice information is gathered and reported. You do not need to create separate jobs for each tab.

Step 3

Click View Job Details to view the current status of the PSIRT report.

Step 4

When the report is completed, click the Device PSIRT tab to view PSIRT information.

Step 5

In the PSIRT Title column, click the hyperlink to view the full description of a security vulnerability.

Step 6

(Optional) You can export the device PSIRT details in PDF and CSV format for each device and for all devices collectively.


View Device Hardware and Software End-of-Life Report

You can run a report to determine whether any Cisco device hardware or software in your network has reached end of life (EOX). This can help you determine product upgrade and substitution options.

Procedure


Step 1

Choose Reports > PSIRT and EOX.

Step 2

Click Schedule Job. The Schedule dialog box appears. You can set the Start Time and Recurrence options and then click the Submit button to schedule the job. Click the OK button, in the pop-up that appears, to delete the already scheduled job and create a new one.

A job is created in which Device PSIRT, Device Hardware EOX, Device Software EOX, Module Hardware EOX and Field Notice information is gathered and reported. You do not create separate jobs on each of the tabs.

Step 3

After the job completes, click one of the following EOX tabs to view the report information specific to that tab:

  • Device Hardware EOX

  • Device Software EOX

  • Module Hardware EOX

Step 4

(Optional) You can export these EOX details in PDF and CSV format for each device and for all devices collectively.


View Module Hardware End of Life Report

You can run a report to determine whether any Cisco module hardware in your network has reached end of life (EOX).

Procedure


Step 1

Choose Reports > PSIRT and EoX.

Step 2

Click Schedule Job. The Schedule dialog box appears. You can set the Start Time and Recurrence options and then click the Submit button to schedule the job. Click the OK button, in the pop-up that appears, to delete the already scheduled job and create a new one.

A job is created in which Device PSIRT, Device Hardware EOX, Device Software EOX, Module Hardware EOX, and Field Notice information is gathered and reported. You do not create separate jobs on each of the tabs.

Step 3

Click the Module Hardware EOX tab to view module hardware information.

The Module PID column displays the PID data, which is either a single PID or a group of PIDs. For a group of PIDs, the end-of-life details shown are those of the PID that is mapped to a specific module hardware; PIDs with different end-of-life details cannot be mapped together, so you must verify the report manually to map a PID to specific EOL details. The Module PID column is empty if the hardware is not available in the container. PAS details are not displayed if the module chassis PID and the sub-module PID are identical. Fixed modules have no PID, so no EOL details are displayed for them.

Step 4

(Optional) You can export the module hardware EOX details in PDF and CSV formats for each device and for all devices collectively.


View Field Notices for Device

You can run a report to determine if any Cisco devices that are managed and have completed a full inventory collection have any field notices. Field Notices are notifications that are published for significant issues, other than security vulnerability-related issues, that directly involve Cisco products and typically require an upgrade, workaround, or other customer action.

Procedure


Step 1

Choose Reports > PSIRT and EOX.

Step 2

Click Schedule Job. The Schedule dialog box appears. You can set the Start Time and Recurrence options and then click the Submit button to schedule the job. Click the OK button, in the pop-up that appears, to delete the already scheduled job and create a new one.

A job is created in which Device PSIRT, Device Hardware EOX, Device Software EOX, Module Hardware EOX and Field Notice information is gathered and reported. You do not create separate jobs on each of the tabs.

Step 3

Click the Field Notice tab to view field notice information.

Step 4

Click the "i" icon in the Vulnerable column to open the Field Notice URL and Caveat Details dialog box. Click the Field Notice URL to view more information on cisco.com.

Step 5

(Optional) You can export the device field notice details in PDF and CSV format for each device and for all devices collectively.