1344 Views, 5 Helpful, 3 Replies

Prime Infrastructure Compliance Policy Conditions and Actions with Input rule and Evaluate Expression doesn't seem to work

Akin Utku
Level 1

Hi guys,
I'm at my wits' end about why this isn't working as expected.

I'm trying to create a policy with an input rule that accepts an IP address and places it into the variable <_Server>.

Then the first rule matches the expression "server (\d*\.\d*\.\d*\.\d*)"

The second rule evaluates the expression "<_Server> == <1.1>"

I put in a debug violation message "h<_Server>h server and variable h<1.1>h". Both of the variables are the same, but regardless this rule does not work as expected. I want to raise a violation for any server that does not match, but this just doesn't seem to work.

Am I doing something wrong or is this a bug?  

Here's the XML. Also, can someone point me to any documentation on how the advanced stuff works? Like functions in the condition match criteria operators?

<Rule identifier="_1_1_6_2_Verify_AAA_Authentication_Settings_11_4_2017_16_46_25">
  <Title><![CDATA[1-1-6-2 Verify AAA Authentication Settings]]></Title>
  <Description><![CDATA[Verify that the standard AAA policy settings have been applied.]]></Description>
  <Impact><![CDATA[N/A]]></Impact>
  <SuggestedFix><![CDATA[Apply the correct AAA commands.]]></SuggestedFix>
  <VersionSelectorRefs>
    <VersionSelectorRef>cisco</VersionSelectorRef>
    <VersionSelectorRef>ios</VersionSelectorRef>
    <VersionSelectorRef>iosxe</VersionSelectorRef>
  </VersionSelectorRefs>
  <RuleType>RAW_CONFIG</RuleType>
  <Inputs>
    <Input identifier="_Server">
      <Title>Server</Title>
      <DataType>IpAddress</DataType>
      <Scalar>true</Scalar>
      <Required>true</Required>
      <Scope>Execution</Scope>
      <CustomConstraint>&lt;Access&gt;&lt;AccessMode&gt;ReadWrite&lt;/AccessMode&gt;&lt;Key&gt;false&lt;/Key&gt;&lt;Required&gt;true&lt;/Required&gt;&lt;/Access&gt;&lt;Value&gt;&lt;DefaultValue&gt;10.10.10.10&lt;/DefaultValue&gt;&lt;RegularExpression&gt;(\d*\.\d*\.\d*\.\d*)&lt;/RegularExpression&gt;&lt;Description&gt;Tacacs server to check for&lt;/Description&gt;&lt;InputScope&gt;Execution&lt;/InputScope&gt;&lt;IsLOV&gt;false&lt;/IsLOV&gt;&lt;/Value&gt;</CustomConstraint>
    </Input>
  </Inputs>
  <Conditions>
    <Condition>
      <Type>RAW_CONFIG</Type>
      <DisplayString><![CDATA[Configuration must match the expression server (\d*\.\d*\.\d*\.\d*)]]></DisplayString>
      <MatchAction>CONTINUE</MatchAction>
      <NonMatchAction>RAISE_RETURN</NonMatchAction>
      <BlockParams>
        <PassCriterion>ALL</PassCriterion>
        <RaiseViolationForAllInstances>true</RaiseViolationForAllInstances>
      </BlockParams>
      <RegexpParams>
        <PassCriterion>ALL</PassCriterion>
        <RaiseViolationForAllInstances>true</RaiseViolationForAllInstances>
      </RegexpParams>
      <Severity>3</Severity>
      <ViolationMessage><![CDATA[AAA Not configured]]></ViolationMessage>
      <Violation>
        <Message><![CDATA[AAA Not configured]]></Message>
        <Fix><![CDATA[aaa new-model
aaa group server tacacs+ TACACS_AUTH
server ^<_Server>^
aaa authentication attempts login 5
aaa authentication login default group TACACS_AUTH local
aaa authorization console
aaa authorization exec default group TACACS_AUTH if-authenticated]]></Fix>
      </Violation>
      <SubmodeRegExp><![CDATA[aaa new-model]]></SubmodeRegExp>
      <SubmodeEndRegExp><![CDATA[aaa session-id]]></SubmodeEndRegExp>
      <Scope>SUBMODE_CONFIG</Scope>
      <Operator>MATCHES_EXPRESSION</Operator>
      <Value><![CDATA[server (\d*\.\d*\.\d*\.\d*)]]></Value>
    </Condition>
    <Condition>
      <Type>RAW_CONFIG</Type>
      <DisplayString><![CDATA[This expression must return false : <_Server> == <1.1>]]></DisplayString>
      <MatchAction>CONTINUE</MatchAction>
      <NonMatchAction>RAISE_AND_CONTINUE</NonMatchAction>
      <BlockParams>
        <PassCriterion>ALL</PassCriterion>
        <RaiseViolationForAllInstances>true</RaiseViolationForAllInstances>
      </BlockParams>
      <RegexpParams>
        <PassCriterion>ALL</PassCriterion>
        <RaiseViolationForAllInstances>true</RaiseViolationForAllInstances>
      </RegexpParams>
      <Severity>3</Severity>
      <ViolationMessage><![CDATA[h<_Server>h server does not match 1.1 h<1.1>h]]></ViolationMessage>
      <Violation>
        <Message><![CDATA[h<_Server>h server does not match 1.1 h<1.1>h]]></Message>
      </Violation>
      <Scope>PREVIOUS_SUBMODE_CONFIG</Scope>
      <Operator>EVALUATE</Operator>
      <Value><![CDATA[<_Server> == <1.1>]]></Value>
    </Condition>
  </Conditions>
</Rule>

3 Replies

Brett
Level 1

Unfortunately, from my understanding, the Rule Input must either have a default value or a user input value. I believe you can't set a Rule Input value when the compliance job is running.

Just to clarify you are wanting to change the value of <_Server> to whatever <1.1> is correct?

Another thing I was thinking of: if you are checking two variables, you could pull the other value using "matches the expression" and then set them equal to each other to see if they matched.

For example:

<1.1> == <2.1>

When I tried to do <_Server> == <1.1> without any input, the <_Server> variable is just blank.

Hi Brett, 

I'm basically trying to give an input before the job is run for the correct server to look for, <_Server>.

Then verify that the server that is configured on the devices matches <_Server>.

There is a happy update to this however.  It is a confirmed bug with Cisco.  They are fixing it and we'll be testing their fix tomorrow.  I'll update.  Thanks for looking into it though :) 

Akin Utku
Level 1

For anyone interested:

This was considered a "Bug" and has two parts. 

1) The operator "matches" must be used for any variables in string format. IP addresses are considered strings by the engine. Valid use for the expression is:

<1.1> matches <2.1> 

or 

<_YourinputVariable> matches <#.#> 

2) When using the "evaluate expression" operator, the scope for the rule incorrectly states "This expression must return false :" (Your expression).  This is in fact the opposite and must return true for the match action to be performed.

This issue will be resolved in the next patch along with a better descriptor for the operators that can be used for evaluate expression.
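The following Python script is an added check, not code from the thread or from Cisco: it lints a trimmed, constructed copy of the rule posted above for the two issues the final reply identifies (an EVALUATE condition comparing string-typed operands with "==" instead of "matches", and the misleading "must return false" DisplayString). It assumes that IpAddress is the only string-typed input DataType, that capture references look like <block.group>, and that input variables look like <_Name>.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed-down copy of the rule posted in the thread; the full
# rule has more elements, but these are the ones the two findings depend on.
RULE_XML = r"""<Rule identifier="_1_1_6_2_Verify_AAA_Authentication_Settings">
  <RuleType>RAW_CONFIG</RuleType>
  <Inputs>
    <Input identifier="_Server"><DataType>IpAddress</DataType></Input>
  </Inputs>
  <Conditions>
    <Condition>
      <DisplayString><![CDATA[Configuration must match the expression server (\d*\.\d*\.\d*\.\d*)]]></DisplayString>
      <Operator>MATCHES_EXPRESSION</Operator>
      <Value><![CDATA[server (\d*\.\d*\.\d*\.\d*)]]></Value>
    </Condition>
    <Condition>
      <DisplayString><![CDATA[This expression must return false : <_Server> == <1.1>]]></DisplayString>
      <Operator>EVALUATE</Operator>
      <Value><![CDATA[<_Server> == <1.1>]]></Value>
    </Condition>
  </Conditions>
</Rule>"""

VAR = r"<(_\w+|\d+\.\d+)>"      # <_InputName> or <block.group> capture reference
STRING_TYPES = {"IpAddress"}    # assumption: add other DataTypes the engine treats as strings

def lint_rule(xml_text):
    """Return (condition_number, finding, suggestion) tuples for EVALUATE conditions."""
    root = ET.fromstring(xml_text)
    string_inputs = {i.get("identifier") for i in root.iter("Input")
                     if i.findtext("DataType") in STRING_TYPES}
    findings = []
    for num, cond in enumerate(root.iter("Condition"), start=1):
        if cond.findtext("Operator") != "EVALUATE":
            continue
        expr = (cond.findtext("Value") or "").strip()
        m = re.fullmatch(rf"{VAR}\s*==\s*{VAR}", expr)
        # Capture references such as <1.1> are always strings; inputs are strings by DataType.
        if m and all("." in v or v in string_inputs for v in m.groups()):
            left, right = m.groups()
            findings.append((num, f"'==' on string operands: {expr}",
                             f"<{left}> matches <{right}>"))
        label = (cond.findtext("DisplayString") or "").strip()
        if "must return false" in label:
            findings.append((num, "misleading DisplayString: " + label,
                             "the expression must return TRUE for the match action to fire"))
    return findings

if __name__ == "__main__":
    for num, finding, suggestion in lint_rule(RULE_XML):
        print(f"condition {num}: {finding} -> {suggestion}")
```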