Compliance policies overview

Use this information to obtain an overview of the Compliance Administration section of the Netcool Configuration Manager - Compliance UI. The overview provides the relationships between the compliance entities.

Entities interaction and process flow

Compliance Administration refers to the management of compliance entities that require configuration in order for the Netcool Configuration Manager compliance functionality to execute correctly. In addition, Compliance Administration describes the relationship between each of the following compliance entities:

  • Compliance process
  • Compliance policy
  • Compliance definition
  • Compliance rule
  • Compliance action
Each of the compliance entities has an important role to play in the compliance validation process:
  • An event triggers a compliance validation process to run.
  • A compliance process coordinates the execution of all regularly scheduled compliance validations, and can also be used for the ad-hoc validation of a group of policies. A compliance process can be triggered by a number of different events.
  • A compliance policy specifies conditions that the devices must adhere to. A compliance policy describes the validation process in English rather than configuration lines.
  • A compliance definition captures the actual device configuration expected on the device.
  • A compliance rule allows the user to combine multiple compliance definitions to build the full validation, to which a device must adhere in order to pass a compliance test.
  • A compliance extraction has the ability to extract chunks of data from a native/modelled configuration or a show command.
  • A corrective action may be defined for a policy or rule, and specifies the action to be taken if a specific device violates the policy.
  • A policy exemption is available in the event that a device or a number of devices should temporarily be excluded from the execution of a policy.
All of the compliance entities can be maintained in the same way using the Administration window, which is available by right-clicking on any entity type. A selection of folders is displayed for each entity type. For example, right-clicking the compliance policy entity displays the following folders:
  • Open Policy
  • Edit Policy
  • Rename Policy
  • Copy Policy
  • Move Policy
  • Exemptions
  • Disable Policy
  • Delete Policy

A-drag-and-drop functionality is also available to speed up the process of moving a compliance entity from one folder to another.

Compliance process

Compliance processes are a key element of compliance management. Processes are the execution vehicle for all regularly scheduled compliance validations, and can also be used for the ad-hoc validation of a group of policies. A compliance process can contain one or more compliance policies, and can be triggered by a number of different events:
On-demand initiation by a user
An example of this trigger occurs when a user selects a process in the execution tabs and clicks the Execute icon .
Scheduled initiation at a predefined one-off or recurring time
An example of this trigger occurs when a user schedules a process to run all security policies every morning at 5 AM.
Automatic initiation after synchronization
Automatic initiation after a new device configuration has been synchronized.

Compliance policy

A compliance policy stipulates conditions that the devices must adhere to. A compliance policy contains compliance rules and can be configured to send a notification or an email action in the event that a policy fails. Compliance policies can cover all devices in an entire network, a subset of devices or a specific device. A compliance policy describes the validation process in English rather than configuration lines.

Compliance definition

Compliance definitions capture the device characteristics that must be validated as part of a specific policy. The device settings can be evaluated using the stored device configuration (both CLI and XML configuration representations can be used), or by executing show commands against the device The scope of a compliance definition may range from a single configuration line that must evaluated to a complex evaluation of multiple configuration snippets with regular expression logic and parameters.

There are four different compliance definition formats to choose from:
Compliance definition using native CLI configuration lines
A compliance definition may contain one or more native command lines (CLI) and use evaluation criteria to match these CLI lines against the device configuration stored in the compliance database, which are automatically synchronized each time the configuration changes. The evaluation criteria set as part of this type of a compliance definition define whether the CLI lines are or are not expected to be present in the device configuration. When multiple configuration snippets have been defined, the evaluation criteria can also be used to define whether all, any, one or none of these snippets must be present in the configuration. Examples of evaluations which could be used are: no cdp run, no ip bootp server.
Compliance definition using native commands
Compliance definitions may contain a native (show) command that can be issued against the device to retrieve specific information from the device that is not available in the configuration itself. These definitions contain not only the native command that must be issued to the device, but also define the results that should (or should not) be present in the information returned from the device. The show commands are executed against the device(s) via Netcool Configuration Manager - Base, and the response read into Netcool Configuration Manager - Compliance. Using the evaluation criteria as described before, the response from the show command is evaluated against the expected results defined in the definition.
Note: Compliance definitions that contain native CLI can be used only to compare against the running configuration.
Compliance definition using a device model
Modeled definitions are based on modeled device configurations. Modeled definitions are all based on XPaths. An XPath is a search mechanism used in XML, and models an XML document as a tree of nodes. There are different types of nodes, including element nodes, attribute nodes and text nodes. Direct XPaths and Contextual XPaths are supported in definitions. A Direct XPath is used in a simple definition, where only one entity is being searched for. A Contextual XPath should be used in more complex compliance policies, for example to loop through all FastEthernet interfaces defined on a device.
Compliance definition using a script
Compliance definitions can be created using JavaScript. Script-based definitions allow the user to compose their own validation logic and hence are in full control of what they are trying to validate.
For more information on using scripts, see the related links.

Compliance rules

Compliance rules enable the user to combine multiple compliance definitions to build the full validation to which a device must adhere in order to pass a compliance test. Each compliance definition in a rule constitutes a Boolean logic validation with a 'True' or 'False' outcome. By connecting different definitions a user can define 'And' and 'Or' logic between those definitions. A compliance Rule also defines the device applicability of the rule and its underlying compliance definition components, as well as the remedial action that must be executed when a device is found that violates the rule. The entire rule logic of a compliance Rule can be viewed at a glance. Therefore, it is easy to determine how the Rule works, how to isolate problems, and identify areas for improvement or expansion. The triggering event, decision points and the end point of the procedure can all be defined using the drag and drop graphical user interface (GUI) environment. The GUI environment consists of a work pane where the compliance Rule is built, and resource pane from where the user can select the steps and decision points required.

The rule begins with the "Start" node, and then moves on to the "Definition" node. At this point the outcome of the definition chosen may be either T (True) or F (False). If the result of this definition is T, the device is deemed to be compliant. Else, it is considered to be noncompliant, and may then be associated with a corrective action to bring back into compliance.

Compliance action

Netcool Configuration Manager - Compliance simplifies the task of ensuring policy compliance, by enabling users to improve the detection of network vulnerabilities. When a compliance violation has been identified, remedial action processes may be used to correct device configurations or informational actions can be used to alert the appropriate personnel of the compliance violation. A compliance violation is an infringement of the policy that applies to a specific device. A corrective action can be declared for a policy, and specifies which action should be taken if a device violates the policy. When a compliance violation has been identified, a corrective action is applied.

Compliance violation

A compliance violation is an infringement of the policy that has been declared for a device. Details of a compliance violation can be viewed by selecting the appropriate policy on the home page or results page and clicking the 'Details" function, or by performing a results search, which is also executed from the Results tab. A compliance violation is identified as a FAIL result. Following the identification of a compliance violation a corrective action may be applied if it has been specified and if it is applicable.

Compliance extractions

Compliance extractions are a compliance component whereby specific chunks of data can be extracted from the native or modelled configuration or a show command. Compliance extractions are currently only used in conjunction with compliance definitions. An extraction is used within a definition where you want to use the extracted data as part of the definition. There is no restriction on the type of extraction you can use, for example, a native extraction can be used within a modelled definition. From within the definition wizard select the Parameter Type combo box, and then click Extraction. A list of available extractions will appear and once an extraction is selected, select 'Insert' to insert into the evaluation box. Only one extraction per evaluation is permitted.

There are three compliance extraction types to choose from:
Compliance extraction using native CLI configuration lines
A compliance extraction is very similar to a native definition. However, in the case of an extraction using native CLI configuration lines, a specific piece of data can be extracted from the matching CLI line or lines as specified in the extraction criteria.
Compliance extraction using native commands
In the compliance extraction using native commands option, a specific piece of data can be extracted from the matching native (show) commands as specified in the extraction criteria. The native commands are used for the search data and not the native configuration.
Compliance extraction using a device model
Modeled extractions are based on modeled device configurations. Modeled extractions use XPaths. An extraction XPath can be constructed to extract a certain piece of data from the modelled configuration.

Corrective action

It is possible to associate multiple actions to a policy in the event of a violation. A corrective action can be classified as follows:
Compliance policy level actions
A compliance policy level action is an informational action that applies to all rules in a policy and is therefore selected at the policy level. A user can define two types of informational actions: email and notification. A user can associate an informational action to a policy during the initial definition or modification of a policy. To make it easier to create an email or notification action, use the following templates:
  • Email template:
    An email message can be constructed using the template provided by Netcool Configuration Manager - Compliance. Recipients shall receive a comprehensive message detailing the cause of compliance violation and which devices were affected by it. The email template consists of an email header and an email body. The email header includes the fields To, Cc, Bcc, and Subject as a normal email would contain. The email body is free-text and can be used to add any comments as required. By default, the body of the email will also include the name of the policy that was violated, name of Process that is affected and the user who executed the policy. This will then be followed by a complete listing of all devices that caused the compliance violation.
    The following is an example of an email message:
    From: ComplianceManager@BFSSUN12 
[mailto:ComplianceManager@BFSSUN12]
Sent: 01 January 2019 15:11
To: Emma Thompson
Subject: test
test
Policy name: tester Process name: AdHoc_2019-01-01 15:09:36 
Executed by: ComplianceManager
IBM/6506erma.IBM.test
IBM/emu2_001
IBM/emu2_002
IBM/emu2_003
IBM/emu2_004
IBM/emu2_005
IBM/emu2_006
IBM/emu2_007
IBM/emu2_008
IBM/emu2_009
  • Notification template
Compliance rule level actions
A compliance rule level action is a remedial action that is specific to one or more device types and is therefore implemented at the rule level. A user defines a remedial action by using a command set. A user can also choose to define a remedial action with a no action taken in the event of a compliance violation. A user can associate an informational action to a policy during the initial definition or modification of a policy.
  • Defines a remedial action by using a command set and associating the remedial action to a specific rule in a policy
  • Choose to define a remedial action with no action taken in the event of a compliance violation
  • Associate a remedial action to a rule during the initial definition or modification of a rule

Remedial action

A remedial action is a procedure specified in the event that a device violates a policy. A remedial action executes a command set against device configurations, and brings the device back into compliance. A remedial action defined in Netcool Configuration Manager - Compliance creates a UOW in Netcool Configuration Manager - Base, which executes the specified command set against the violating device. This alters the device configuration so that the violation is removed.

The command set used in a remedial action can be native or modeled, and must be set up in Netcool Configuration Manager - Base first. From here they will be synchronized automatically to the Netcool Configuration Manager - Compliance application.

Therefore, to manage command sets the appropriate permissions must be given in the Netcool Configuration Manager - Base application. In complete lockstep with the command set that they invoke in Netcool Configuration Manager - Base, remedial actions are specific to a defined set of VTMOS combinations and are therefore selected as part of a compliance rule. The remedial action required can be selected from a list of command sets (native or modeled) that have been synchronized from Netcool Configuration Manager - Base.

Note: Parameters can be used to pass information from a policy to a remedial action. However, in order for this capability to function properly the user must ensure that parameter names are identical between policy and command set.
Note: Before a corrective action can be created in Netcool Configuration Manager - Compliance, the command set must have been created in Netcool Configuration Manager - Base, and have synchronized with the Netcool Configuration Manager - Compliance application.
Note: You can elect that no action is to be taken in the event of a compliance violation.