01-30-2016 03:04 AM
Hello,
I need some help with creating a compliance audit job on PI 3.0. Probably I misunderstand some point; can you please take a look?
To be clear, this is just an example, so I don't need a workaround for this case; rather, I'm going to configure a lot of checks in a similar way.
In this example, I would like to check this configuration block:
aaa group server tacacs+ TACACS-SERVER
server name TACACS-SERVER-1
server name TACACS-SERVER-2
ip tacacs source-interface Vlan999
!
So I created a new policy and added "aaa" rule for IOS.
Condition 1 should select the "aaa group server tacacs" block:
RegEx test is fine:
Condition 2 should count tacacs servers in the tacacs group:
RegEx test is also fine:
So I have these 2 conditions:
Condition 1 should select "aaa group server tacacs" block or Raise a Violation and stop.
Condition 2 is checked only if 1 could select the block. Here I check if there are exactly 2 servers, otherwise raise a Violation.
But it doesn't work like this! I did some tests with this rule (on saved configuration, all other rules are disabled) and the audit job succeeded every time, with any configuration. For example, no violation was raised for a device with this legacy TACACS configuration, although there wasn't an aaa server group at all!
tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server directed-request
02-01-2016 01:24 AM
Hey
Just an option: this is the way I do it and it works. Avoid regular expressions; just use the command syntax match against the string instead. It's easier and you can raise violation alarms against it, then you can run a config change against all those devices to remove the old config.
10-12-2016 10:17 AM
Hi Thomas,
I tested around with block parsing and figured out the situation is as follows:
The block means that the configuration can only fail when a block exists.
In your example, when you define a block start as follows:
(aaa group server tacacs)
and your device is instead configured as:
tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server directed-request
Best regards,
Steffen
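As an added illustration of the block-scoping behaviour Steffen describes (this is not code from the thread or from Prime Infrastructure, and the parser, regexes and function names are my own assumptions about how such a rule can be modelled), the following Python script runs a block-scoped check and a config-scoped check against the two configurations quoted in the thread:

```python
import re
# Constructed sample configs: the thread's two snippets, IOS indentation restored.
NEW_STYLE = """\
aaa group server tacacs+ TACACS-SERVER
 server name TACACS-SERVER-1
 server name TACACS-SERVER-2
 ip tacacs source-interface Vlan999
!
"""
LEGACY = """\
tacacs-server host 10.1.1.1
tacacs-server host 10.1.1.2
tacacs-server directed-request
"""

def parse_blocks(config):
    """Return (header, [child lines]) per block; indented lines belong to the
    preceding non-indented line, '!' and blank lines are ignored."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

BLOCK_START = re.compile(r"^aaa group server tacacs\+? ")  # assumed block start
SERVER_LINE = re.compile(r"^server(?: name)? \S+$")        # one server entry

def block_scoped_check(config, expected=2):
    """Rule with its conditions inside the block: every matching block is
    tested, but with no matching block nothing is tested and it passes."""
    violations = []
    for header, children in parse_blocks(config):
        if BLOCK_START.match(header):
            n = sum(1 for c in children if SERVER_LINE.match(c))
            if n != expected:
                violations.append(f"{header}: {n} servers, expected {expected}")
    return violations

def config_scoped_check(config, expected=2):
    """Test block presence over the whole config first, so a legacy device
    without an aaa server group is itself reported."""
    if not any(BLOCK_START.match(h) for h, _ in parse_blocks(config)):
        return ["no 'aaa group server tacacs+' block found"]
    return block_scoped_check(config, expected)
```

The block-scoped check passes the legacy device because there is no block to evaluate; only the config-scoped presence test reports it.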