Policy Compliance - Help with the Basics

Posts: 75

Hi All,

I am hoping you can help. I am working on creating some rules for a policy.  I am trying to use an example similar to the one on page 342 of the admin guide (see below).

Example from the Admin Guide

Rule: SNMP Community Configuration
If you are making sure that people can access the systems, do not forget about the management software.
Description: Ensures that all SNMP communities are set to the proper setting.
[Config File Must Contain]
snmp-server community r3adc5 RO
snmp-server community wr1t3c5 RW
[Config File May Not Contain]
snmp-server community.*

My Rule

My goal is to have only 2 ntp servers in my configuration.  If there are any more listed, that is incorrect.  So I created the rule below with two config matches in the rule logic builder.

Config File Match - Must Contain All of these lines in any order

ntp server 10.10.10.10 prefer
ntp server 10.10.10.12

Config File Match - May Not Contain Any of these lines

ntp server.*

This doesn't work.  What I mean by that is that even for a valid ntp server entry, the second rule flags it as invalid.  In an effort to try to resolve this, I also referred to the post about negating the commands.  This doesn't work either.

ntp server (?!(10\.123\.123\.15 prefer))
ntp server (?!(10\.123\.123\.23))

What's the trick?

Adviser
Posts: 453

Susan,

Try the following:

Config File Match - Must Contain All of these lines in any order

ntp server 10.10.10.10 prefer

ntp server 10.10.10.12

Config File Match - May Not Contain Any of these lines

ntp server (?!(10.123.123.15 prefer|10.123.123.23))

 

Thanks,

Sif

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

https://sifbaksh.com

Posts: 75

Sif,

That didn't work either.  It's still matching on the second line. 

There are only two ntp servers in the test configuration file.  When matching against these two rules, it still errors out.  Is there some issue with using test configuration files?

ntp server 10.10.10.15 prefer
ntp server 10.10.10.23

ntp server(?!(10.10.10.15 prefer|10.10.10.23))

I felt that the regular expression should work, but the "not" appears to be the issue?
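
Added example, not part of the thread and not the product's own matching code: the "May Not Contain" patterns from the posts above, run line by line against a constructed test config with Python's `re` module. It assumes the rule engine searches each config line with a Perl-style regex; `flagged`, `hardened_deny` and `check` are hypothetical helper names, and the extra servers in `ROGUE` are made up.

```python
import re

# Constructed sample configs; the two approved lines are the thread's test config.
GOOD = "hostname r1\nntp server 10.10.10.15 prefer\nntp server 10.10.10.23\n"
ROGUE = GOOD + "ntp server 10.10.10.234\nntp server 192.0.2.7\n"
ALLOWED = ["10.10.10.15 prefer", "10.10.10.23"]

# As posted above: no space between "server" and the lookahead. The lookahead
# is tested at the space character, never sees the address, and so always
# succeeds: every "ntp server" line is flagged, approved ones included.
NO_SPACE = r"ntp server(?!(10.10.10.15 prefer|10.10.10.23))"
# Space restored, but dots unescaped and no end anchor: anything that merely
# starts with an approved entry (10.10.10.234) slips through unflagged.
WITH_SPACE = r"ntp server (?!(10.10.10.15 prefer|10.10.10.23))"


def flagged(pattern, config):
    """Lines a 'May Not Contain' pattern hits (assumption: per-line search)."""
    rx = re.compile(pattern)
    return [ln for ln in (l.strip() for l in config.splitlines()) if rx.search(ln)]


def hardened_deny(allowed):
    """Deny pattern with escaped entries, anchored at both ends of the line."""
    alts = "|".join(re.escape(a) for a in allowed)
    return rf"^ntp server (?!(?:{alts})$)"


def check(config, allowed=ALLOWED):
    """Both halves of the rule: approved lines present, nothing else allowed."""
    lines = {l.strip() for l in config.splitlines()}
    missing = [a for a in allowed if f"ntp server {a}" not in lines]
    extra = flagged(hardened_deny(allowed), config)
    return {"missing": missing, "extra": extra, "compliant": not (missing or extra)}


if __name__ == "__main__":
    for name, pat in [("no space", NO_SPACE), ("with space", WITH_SPACE),
                      ("hardened", hardened_deny(ALLOWED))]:
        print(f"{name:10} GOOD -> {flagged(pat, GOOD)}")
        print(f"{name:10} ROGUE-> {flagged(pat, ROGUE)}")
    print(check(GOOD), check(ROGUE), sep="\n")
```
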

Adviser
Posts: 453

Do you have more than one 1 and 2 and 3 in this enforce RULE?

If you have something like (1 and 2 and 3) or (4 and 5 and 6), I do believe this is a bug and please open a case.

Sif


Posts: 75

Sif,

Just to wrap up this thread, it was a bug.  After upgrading it worked just fine.

 

Susan

Adviser
Posts: 453

What version were you on, and what did you upgrade to? :)

It might help others here having this process.

Thanks,

Sif
