Prime compliance audit

Thomas Schmitt
Level 1

Hello,

I need some help creating a compliance audit job on PI 3.0. Probably I misunderstand some point, can you please take a look?

To be clear, this is just an example, so I don't need a workaround for this case; rather, I'm going to configure a lot of checks in a similar way.

In this example, I would like to check this configuration block:

aaa group server tacacs+ TACACS-SERVER
 server name TACACS-SERVER-1
 server name TACACS-SERVER-2
 ip tacacs source-interface Vlan999
!

So I created a new policy and added "aaa" rule for IOS.

Condition 1 should select the "aaa group server tacacs" block:

RegEx test is fine:

Condition 2 should count tacacs servers in the tacacs group:

 RegEx test is also fine:

So I got this 2 conditions:

Condition 1 should select the "aaa group server tacacs" block or Raise a Violation and stop.

Condition 2 is checked only if 1 could select the block. Here I check if there are exactly 2 servers, otherwise Raise a Violation.

But it doesn't work like this! I did some tests with this rule (on a saved configuration, all other rules are disabled) and the audit job succeeded every time, with any configuration. For example, no violation was raised for a device with this legacy TACACS configuration, although there wasn't an aaa server group at all!

tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server directed-request

Can someone please help me to understand the problem? What do I do wrong?

3 Replies

Mark Malone
VIP Alumni

Hey

Just an option: this is the way I do it and it works. Avoid regular expressions; just use the command syntax match against the string instead. It's easier and you can raise violation alarms against it, then you can run a config change against all those devices to remove the old config.

Hi Thomas,

I tested around with block parsing and figured out the situation is as follows:

The block means that the configuration can only fail when a block exists.

In your example, when you define a block start as follows:

(aaa group server tacacs)

and your device is instead configured as:

tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server directed-request

Prime cannot find the block and succeeds.

Best regards,

Steffen

mifi
Level 1
Hi Thomas,

I struggled with the same issue and finally I found that your problem is the "Block Start Expression". I had the same working for the RADIUS definition, but the TACACS definition includes the plus, which has to be escaped, since the expression is evaluated as RegEx. When you enter "aaa group server tacacs\+ .*" as block start it will work.

Regards
Michal
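To make the behaviour discussed in this thread concrete, here is an added example (my own Python script, not Prime Infrastructure code and not posted by anyone in the thread). It emulates a block-start expression followed by a server-count condition on constructed IOS configs modelled on the ones above. It assumes that Prime applies the block-start expression to the whole line (which is why the working expression ends in ".*"); the function and variable names are mine. It shows the unescaped "tacacs+" silently matching nothing, the escaped form selecting the block, and the "block absent, audit passes" case Steffen describes, together with a separate presence check that turns a missing group into a violation.

```python
import re

# Constructed sample configurations (modelled on the thread, not real devices).
CONFIG_TWO_SERVERS = """\
aaa group server tacacs+ TACACS-SERVER
 server name TACACS-SERVER-1
 server name TACACS-SERVER-2
 ip tacacs source-interface Vlan999
!
"""

CONFIG_ONE_SERVER = """\
aaa group server tacacs+ TACACS-SERVER
 server name TACACS-SERVER-1
 ip tacacs source-interface Vlan999
!
"""

CONFIG_LEGACY = """\
tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server directed-request
"""

# In "tacacs+", the unescaped "+" is a quantifier ("one or more s"), so the
# expression can never match the literal "tacacs+" in the config line.
BLOCK_START_UNESCAPED = r"aaa group server tacacs+ .*"
BLOCK_START_ESCAPED = r"aaa group server tacacs\+ .*"


def find_block(config, block_start_regex):
    """Return the indented child lines of the first block whose header line
    fully matches block_start_regex, or None when no header matches.
    Assumption: the expression is matched against the whole line, like the
    working block-start expression from the thread suggests."""
    pattern = re.compile(block_start_regex)
    lines = config.splitlines()
    for index, line in enumerate(pattern_line for pattern_line in lines):
        if pattern.fullmatch(line):
            block = []
            for child in lines[index + 1:]:
                if not child.startswith(" "):
                    break  # first non-indented line ends the block
                block.append(child.strip())
            return block
    return None


def audit_tacacs_group(config, block_start_regex, expected_servers=2):
    """Emulate the two conditions from the question: condition 1 selects the
    block, condition 2 counts 'server name' lines inside it. Returns
    (status, reason). Note the failure mode: when no block is found the rule
    passes, because condition 2 is never evaluated."""
    block = find_block(config, block_start_regex)
    if block is None:
        return ("PASS", "block not found; condition 2 never evaluated")
    servers = [line for line in block if re.fullmatch(r"server name \S+", line)]
    if len(servers) != expected_servers:
        return ("VIOLATION", f"{len(servers)} server(s) in group, expected {expected_servers}")
    return ("PASS", f"{len(servers)} server(s) in group")


def require_block_present(config, block_start_regex):
    """Separate presence check: raise a violation when the block is missing.
    This is the extra rule a defender needs so the legacy configuration does
    not silently pass the group-based check."""
    if find_block(config, block_start_regex) is None:
        return ("VIOLATION", f"no line matches block start {block_start_regex!r}")
    return ("PASS", "block found")


if __name__ == "__main__":
    cases = [
        ("two servers, unescaped +", CONFIG_TWO_SERVERS, BLOCK_START_UNESCAPED),
        ("two servers, escaped +", CONFIG_TWO_SERVERS, BLOCK_START_ESCAPED),
        ("one server, escaped +", CONFIG_ONE_SERVER, BLOCK_START_ESCAPED),
        ("legacy config, escaped +", CONFIG_LEGACY, BLOCK_START_ESCAPED),
    ]
    for label, config, expr in cases:
        print(f"{label:28} group rule: {audit_tacacs_group(config, expr)}")
        print(f"{'':28} presence:   {require_block_present(config, expr)}")
```

The first case reproduces the original symptom: with the unescaped expression the block is never selected, so the count condition never runs and the audit succeeds. The legacy case shows that the escaped expression alone still passes a device without any server group, which is why the presence check is kept as its own rule rather than folded into the block-based one.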