Creating compliance rules

A Compliance Policy stipulates conditions that the devices must adhere to. A Compliance Policy contains Compliance Rules and can be configured to send an e-mail action in the event that a policy fails. Compliance Rules enable the user to combine multiple compliance definitions to build the full validation to which a device must adhere in order to pass a compliance test. Use this procedure to create a compliance rule.

Before you begin

To define new Compliance Rules or edit existing Rules, access to the User Interface wizard is required. Compliance Rules can cover all devices in an entire network, a subset of devices, or a specific device. When defining a Compliance Rule, a user must specify the VTMOS (vendor, type, model, OS) of the devices to which the Rule applies. A user can also copy an existing Rule and modify some of its components to create a new Rule.

About this task

Follow these steps to create a Compliance Rule.

Procedure

  1. Select Create Rule.

    The Create a Rule window displays. Mandatory fields are denoted by an * (asterisk).

  2. Use the following descriptions as a guide to entering the appropriate information in the Create a Rule window.
    Name
    Specifies the name of the Compliance Rule. The maximum number of characters for the name is 255. This is a mandatory field.
    Description
    Specifies a brief narrative attached to the newly created Compliance Rule that explains its function or use. The maximum number of characters for the description is 4000.
    Revision
    This number is automatically assigned and initially given a value of 1. Each time the Compliance Rule is edited, the revision number automatically increments by 1. This is for versioning control.
    Applicable Device Filter
    This filter selects the device VTMOS to which the rule applies. In addition to the drop-down selection for each VTMOS component, a regular expression is supported for all filters. The value entered in the Model Filter is checked against both the 'Model' and 'Actual Model' fields (as shown in the Device Viewer).
    Note: The devices selected by the device filter must match the type of devices to which all compliance definitions and remedial actions in the rule can be applied. For example, Juniper routers must not be included if the definitions in a rule are specific to Cisco routers only. If Juniper routers were included in that rule's device filter, each Juniper router would fail the compliance evaluation, because the Cisco-specific compliance definition would not be found in the Juniper device configuration. On the other hand, if a rule whose device filter is set appropriately is run against a device that the rule does not support, the device is marked NA (not applicable) in the test results.
    Prev
    Go to previous selection.
    Next
    Go to next selection.
    Finish
    Finish current activity.
    Cancel
    Cancel current activity without saving.
  3. Click Next to continue.

    The Build Graphical Rule window displays. It consists of two panes. The left-hand side of the screen is the Nodes section, which is used to build the rule graphically; the nodes represent the different components that are used to assemble a rule. The right-hand side of the screen is the working area, where the nodes are assembled to construct a rule.

  4. Use the following descriptions as a guide to creating the Compliance Rule using the Build Graphical Rule window.
    Start
    The Start Node represents the starting point for the Rule. Each rule must have a Start Node to proceed.
    Definition
    Represents a definition chosen by the user. The Definition Node is a decision point where an Action may be chosen depending on whether the outcome of the Definition is true (T) or false (F). Only one definition can be selected per Definition node.
    Compliant
    The Compliant node is connected to either the T or F condition of the Definition Node. This Node represents device compliance.
    Non-Compliant
    The Non-Compliant node is connected to either the T or F condition of the Definition Node. This Node represents noncompliance of devices. A corrective action can be specified in the event that devices are found to be noncompliant.
    Note: Any of the nodes may be removed at any stage in the design of the rule by right-clicking it and selecting Delete.
    Connecting lines
    The connecting lines link nodes together. A line is created by dragging the mouse between two nodes, using the small loop on the node graphic to make the connection as shown. If the nodes need to be adjusted, a connecting line may be removed at any time by right-clicking it and choosing Delete. A label may also be added to the connecting line.
    Adding Labels
    Double-click a line to modify its flow properties and add a label to it.
    Prev
    Go to previous selection.
    Next
    Go to next selection.
    Finish
    Finish current activity.
    Cancel
    Cancel current activity without saving.
  5. Drag the Nodes from the resource pane over to the working area and drop in place to compose a graphical rule consisting of T and F conditions.

    When the Definition node is dragged across to the working area, the Select Definition window displays.

  6. You must select one of the previously created Compliance Definitions, or create a new one.
    Note: A user can add multiple definitions to a rule by repeating this step. By connecting the next definition to the True (T) outcome of the previous definition, the user creates AND logic between the two definitions. For example, a device is compliant if it passes Compliance Definition 1 AND Compliance Definition 2. By connecting the next definition to the False (F) outcome of the previous definition, the user creates OR logic between the two definitions. For example, a device is compliant if it passes Compliance Definition 1, OR, if Compliance Definition 1 is not passed, it passes Compliance Definition 2.
  7. When a user drags the Non-Compliant node across to the working area, the Select Action window displays. When a definition is noncompliant, a corrective action may be applied to the device to bring it back into compliance. Use the following descriptions as a guide to specifying the appropriate corrective action in the Select Action window.
    Remedial Action
    A remedial action may be applied to the device to bring it back into compliance. These corrective actions can be defined in advance or on demand when a rule is created. A corrective action is based on a command set that must have been defined previously in the ITNCM - Base application. If a device violates a rule, the corrective action is run against the device by triggering the appropriate command set in ITNCM - Base.
    No action
    No action to be taken.
    OK
    Confirms most recent activity and saves.
    Cancel
    Cancel current activity without saving.
  8. Click Next to continue.

    The Choose a Save Location window displays.

  9. Navigate through the tree structure and choose the location where you want to save the newly created Compliance Rule. You can also create a new folder from here if required.
  10. Click Finish to complete the creation of the Compliance Rule.

What to do next

The application does not stop the validation process once a Compliant/Non-Compliant verdict has been reached; it always validates all definitions included in a rule. In other words, even if the first Compliance Definition in the rule already determines the Compliant/Non-Compliant outcome, the application also presents the outcome of the device's validation against the other Compliance Definitions in the rule.
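The following added example (not part of the product documentation or of ITNCM itself) models the graphical rule from step 6 and the evaluation behaviour described above: definitions are wired together through their T and F edges to express AND or OR logic, and every definition in the rule is reported even when an earlier one already decided the verdict. The Definition class, the `chain`/`evaluate` functions, the `ssh_only`/`ntp_configured` checks and the key/value device configs are all constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple, Union

Config = Dict[str, str]   # constructed: a device config as key/value lines
Check = Callable[[Config], bool]

class Definition:
    """One Definition node; t and f are its True/False edges, each pointing
    at another Definition or at a terminal verdict string."""
    def __init__(self, name: str, check: Check,
                 t: Union["Definition", str] = "Compliant",
                 f: Union["Definition", str] = "Non-Compliant"):
        self.name, self.check, self.t, self.f = name, check, t, f

def chain(defs: List[Definition], logic: str) -> Definition:
    """Wire definitions as step 6 describes: AND hangs the next definition
    off the T edge of the previous one, OR hangs it off the F edge."""
    for prev, nxt in zip(defs, defs[1:]):
        if logic == "AND":
            prev.t = nxt
        else:
            prev.f = nxt
    return defs[0]

def evaluate(start: Definition, config: Config) -> Tuple[str, Dict[str, bool]]:
    """Follow T/F edges from the first node after Start to a verdict. As the
    page notes, every definition in the rule is still evaluated and reported,
    not only those on the path that decided the verdict."""
    node: Union[Definition, str] = start
    while isinstance(node, Definition):
        node = node.t if node.check(config) else node.f
    results: Dict[str, bool] = {}
    todo, seen = [start], set()
    while todo:
        d = todo.pop()
        if id(d) in seen:
            continue
        seen.add(id(d))
        results[d.name] = d.check(config)
        todo += [e for e in (d.t, d.f) if isinstance(e, Definition)]
    return node, results

# Constructed checks standing in for ITNCM Compliance Definitions.
def ssh_only(cfg: Config) -> bool:
    return cfg.get("transport input") == "ssh"

def ntp_configured(cfg: Config) -> bool:
    return "ntp server" in cfg

def build_rule(logic: str) -> Definition:
    return chain([Definition("ssh_only", ssh_only),
                  Definition("ntp_configured", ntp_configured)], logic)
```

Calling `evaluate(build_rule("AND"), {"transport input": "telnet", "ntp server": "192.0.2.10"})` returns a Non-Compliant verdict decided by the first definition, yet the results still carry the outcome of `ntp_configured`.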