Creating compliance definitions using a 'device-specific' golden configuration

Use this procedure to modify compliance definitions using a 'device-specific' golden configuration.

About this task

Device-specific golden configuration definitions are used to configure compliance checks on the differences between the device-specific golden configuration and the current configuration of the same device. Two pre-defined device-specific golden configuration definitions are delivered with Netcool Configuration Manager, installed under the ‘Examples/GoldenConfiguration’ realm as a post-installation task. There is one for each mode:
Non-strict mode: NonStrictDeviceSpecificGolden
Strict mode: StrictDeviceSpecificGolden
By default, the strict definition provided as an example is set to non-strict.
Important: If strict mode is required, you must change this by editing the definition in the Netcool Configuration Manager - Compliance GUI, as described in What to do next.

These two definitions can cover all device-specific golden configuration definition handling, and they can be re-used in multiple Definition/Rule/Policy/Process combinations. If required, these definitions can be copied and edited in the GUI, but not created.

As part of the same post-installation task, a default Rule/Policy combination that uses these definitions is created. The ‘Non Strict’ definition produces an evaluation failure if a command in the device-specific golden configuration is changed or removed in the current configuration. The ‘Strict’ definition produces the same failures as ‘Non Strict’ and, in addition, produces an evaluation failure if a command is changed or added in the current configuration. In other words, ‘Strict’ mode performs a cross-check from 'current' against 'device-specific golden', and vice versa; ‘Non Strict’ only checks 'device-specific golden' against 'current'.

For example, if between the device-specific golden and current versions command A is added, command B is changed, and command C is removed, the following evaluation failures are produced:
NonStrictDeviceSpecificGolden failures:
  • A failure for the version of command B in the device-specific golden configuration
  • A second failure for command C in the device-specific golden configuration
StrictDeviceSpecificGolden failures:
  • Both device-specific golden configuration failures as above
  • A third failure for the version of command B in the current configuration
  • A fourth failure for command A in the current configuration

The additional evaluations produced as a result of the strict mode will have the following line in the evaluation result:

This evaluation XPath was generated as a result of 'Strict mode' being set and compares elements in the current configuration against those in the 'device-specific' configuration.

Instead of specifying evaluations in the definition, device-specific golden definition evaluations are generated 'on the fly' when compliance runs, based on the current and device-specific golden smart-modeled configurations of the target device. This simplifies handling, because a definition does not have to be created for each device that has a device-specific golden configuration specified. The automatically generated evaluations are based on XPaths, which require smart-modeled configurations.
Note: An XPath is a search mechanism used in XML, and models an XML document as a tree of nodes.
For example, a particular realm might contain a hundred devices with device-specific golden configurations specified. To run device-specific golden compliance on all of them, the realm can simply be included in the scope of a compliance process that contains one of the pre-defined policies delivered with Netcool Configuration Manager, such as the Examples/GoldenConfiguration/NonStrictDeviceSpecificGolden policy. When the process runs, compliance automatically creates and executes evaluations for each of the hundred devices.
Non comparable values
Certain values in a configuration can be expected to differ between configuration versions, for example a timestamp or a password value. These types of values are identified in the Driver schema for the device and assigned a ‘NonComparable’ attribute. If a field is marked as ‘NonComparable’, differences in the field values do not produce an evaluation failure; the evaluation contains the wildcard (*) to accept all values. If a field value has been wild-carded because of a ‘NonComparable’ attribute, this is indicated in the evaluation result with the following line:

    Elements in the Evaluation XPath have been wildcarded due to the presence of a NON_COMPARABLE attribute on that element in the Driver schema.

Note: A new XML file is now delivered with the Drivers to support the ‘NonComparable’ checking. If the file is not present, an updated driver must be installed.
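The following is an added example, not Netcool Configuration Manager code, that models the strict and non-strict failure rules described above (the command A/B/C case) together with the ‘NonComparable’ wildcarding. Configurations are represented as a constructed mapping of command context to configured value; the command names, values and the NON_COMPARABLE set are assumptions for illustration.

```python
# Constructed model of device-specific golden compliance evaluation.
# Not the product's implementation; it only reproduces the documented rules.
from typing import Dict, Iterable, List, Tuple

Config = Dict[str, str]          # command context -> configured value
Failure = Tuple[str, str, str]   # (configuration checked, command, reason)


def _values_match(cmd: str, golden: str, current: str, nc: set) -> bool:
    """A NonComparable field is wildcarded (*), so any value matches."""
    return cmd in nc or golden == current


def evaluate(golden: Config, current: Config, strict: bool = False,
             non_comparable: Iterable[str] = ()) -> List[Failure]:
    """Return the evaluation failures for one device.

    Non-strict: golden is checked against current; a command that is
    changed or removed in the current configuration fails.
    Strict: additionally, current is checked against golden; a command
    that is changed or added in the current configuration fails.
    """
    nc = set(non_comparable)
    failures: List[Failure] = []
    for cmd, golden_val in golden.items():
        if cmd not in current:
            failures.append(("device-specific golden", cmd, "removed in current"))
        elif not _values_match(cmd, golden_val, current[cmd], nc):
            failures.append(("device-specific golden", cmd, "changed in current"))
    if strict:  # cross-check generated only when Strict mode is set
        for cmd, current_val in current.items():
            if cmd not in golden:
                failures.append(("current", cmd, "added in current"))
            elif not _values_match(cmd, golden[cmd], current_val, nc):
                failures.append(("current", cmd, "changed from golden"))
    return failures


# Constructed sample configurations (hypothetical commands and values).
GOLDEN: Config = {
    "logging host": "192.0.2.5",            # unchanged
    "snmp-server community": "golden-ro",   # command B: changed in current
    "banner motd": "Authorized use only",   # command C: removed in current
    "ntp clock-period": "17180000",         # NonComparable: drifts, wildcarded
}
CURRENT: Config = {
    "logging host": "192.0.2.5",
    "snmp-server community": "changed-ro",
    "ntp clock-period": "17180500",
    "ip http secure-server": "enabled",     # command A: added in current
}
NON_COMPARABLE = {"ntp clock-period"}  # assumed Driver-schema marking
```

With NON_COMPARABLE applied, `evaluate(GOLDEN, CURRENT)` yields the two non-strict failures and `evaluate(GOLDEN, CURRENT, strict=True, non_comparable=NON_COMPARABLE)` the four strict ones; without it, the clock-period drift is reported as a change in both directions.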
Evaluation Criteria
Device-specific evaluations are not defined via, or visible in, the Compliance Definition GUI. When generated at compliance execution, they have the following test criteria:
Test Condition: Present in config
Match Criteria: Match All
Evaluation result if context not found: Fail
The evaluation list criteria is ‘Match All’ (that is, Match All evaluations are added to the Compliance Definition).
The generated evaluations are 'Defined' XPath evaluations, and have the same default variable details as seen in the GUI when creating an evaluation in, for example, a smart model definition. The generated evaluations do not have parameters.
Tip: You can copy an existing definition and modify its components to create a new definition.

Procedure

  1. To import the provided Strict or Non-Strict device-specific definition, run the following commands.
    Note: Perform this step only after any installation and database upgrade steps are completed.
    cd <install_dir>/compliance/db/export/policies
    <install_dir>/compliance/bin/utils/policyImport.sh DeviceSpecificGoldenExamples.zip
  2. Right-click an existing device-specific definition, and click Edit Definition.
    The Edit Definition window is displayed.
  3. Enter a brief Description that will be attached to the compliance definition to explain its function and use.
    The maximum number of characters is 4000.
    Note: For version control, a Revision number is automatically assigned and initially given a value of one. Each time the compliance definition is edited, the revision number increments. The revision changes only if the entity is active.
  4. In the list of compliance definition types, only the Create Compliance Definition using a device-specific Golden Configuration radio button is enabled, and it is preselected.
    Note: You can navigate using the Rev, Next, Finish, and Cancel buttons.
  5. Click Next.
    The Enter device-specific Golden Config window displays.
  6. Optional: Select the Strict checkbox if strict mode is required.
  7. Click Next to continue to the Choose a Save Location window.
  8. Navigate through the tree structure and choose the location in which you want to save the Compliance Definition. You can also create a new folder here if required.
  9. Click Finish to complete the creation of the Compliance Definition.

What to do next

You can create another Compliance Definition using a device model, by following the instructions in this procedure.

To set the Strict example definition provided in the /opt/IBM/tivoli/netcool/ncm/compliance/db/export/policies/DeviceSpecificGoldenExamples.zip file to Strict, complete the following steps:
  1. In the Netcool Configuration Manager - Compliance GUI, select the Definitions tab.
  2. Browse to the StrictDeviceSpecificGolden compliance definition, right-click it, then select Edit Definition. The Enter Definition Details dialog box is displayed.
  3. Click Next to advance to the Enter Device Specific Golden Config Details dialog.
  4. Select the Strict mode option, and click Next.
  5. In the Choose Save Location dialog, leave the default save location unchanged, and click Finish.