Infoblox Exchange Cybersecurity Roadshow 2020 – Join us!
North America | Europe | Middle East/Africa | Asia-Pacific

Register Now

Network Change & Configuration Management

Reply
Accepted Solution

Policy compliance and lists
cshaad123
cshaad123
Techie
Posts: 9

‎01-16-2017 11:08 AM

6542     0

I have read over the "Using List Searches" XML example in the NetMRI documentation, but my use case for wanting a list in policy compliance is a bit different.  Instead of searching the list, I would like to search the config for matches on the list.  My example would be a list of ip addresses, and ensuring that each of these IP addresses are on an access list in the config.  Can you use a list in such a way?  Let me know if you need any clarification, thanks!

 

-Chris

Labels:
Reply
0 Kudos

Re: Policy compliance and lists
JBelamaric
Adviser
Posts: 353

‎01-16-2017 11:26 AM

6542     0
Yes. First, create a list with the column you want plus a column ”Status” or something like that, which will contain ”Active” or ”Inactive” for each list item (or you could use Category if there are different sets of data). Then, in the ListSearch, you search only the Status column for Active records. You’ll get an array with all Active rows (IPs or whatever). Then:

1) You could use the list to construct the search string that you then use in a ConfigFileCheck. You can use the array join operator to make a big regular expression.
2) You could loop through and do a ConfigFileCheck for each entry in the list.

Alternatively you can just use a regexp match instead of ConfigFileCheck, but if the ConfigFileCheck will, for example, tell you want line the match is on.

John
Reply

Re: Policy compliance and lists
cshaad123
cshaad123
Techie
Posts: 9

‎01-16-2017 01:13 PM

6542     0

Thanks for the quick response!  Is there a good resource for some examples of different policies in XML?  Or can you give a quick example of using ForEach to parse through the array returned by the list search?  I'm quite versed in Python, but completely new when it comes to using XML.  Thanks!

Reply
0 Kudos

Re: Policy compliance and lists
JBelamaric
Adviser
Posts: 353

‎01-16-2017 01:40 PM

6542     0
Take a look in the policy directory in this GitHub repo:

https://github.com/infobloxopen/netmri-toolkit

There are a couple examples in there.
Reply
0 Kudos
Highlighted

Re: Policy compliance and lists
cshaad123
cshaad123
Techie
Posts: 9

‎01-16-2017 03:16 PM

6542     0

Thanks, also actually looking at the XML schema was very helpful.  I got the basic idea working (pasted below), but to just add to my learning, what would be the best way to

 

1. make sure the entries are in the same order as the list

2. make sure there are no extraneous entries on the list

 

Concatenating the array beforehand and looking for one chunk would solve both issues, just wondering if there is any way to do it while looping in the way below.  Just trying to learn all the options available, thanks!

 

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <Expr op='array' output='missing_ips'/>
  <ListSearch list-name='0-ACL-37' result-columns='ip' result-mode='all' search-columns='status'>
    <Expr value='active'/>
  </ListSearch>
  <ForEach>
    <Expr variable='ip'/>
    <Do>
      <If>
        <ConfigFileCheck op='contains-one'>
          <Expr op='concat'>
            <Expr value='^access-list 37 permit '/>
            <Expr variable='_loop_value'/>
          </Expr>
        </ConfigFileCheck>
        <Then>
        </Then>
        <Else>
          <Expr op='push'>
            <Expr variable='missing_ips'/>
            <Expr variable='_loop_value'/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op='!='>
      <Expr op='size'>
        <Expr variable='missing_ips'/>
      </Expr>
      <Expr value='0'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr>These IPs are missing from SNMP access: </Expr>
          <Expr op='join'>
            <Expr variable='missing_ips'/>
            <Expr value=', '/>
          </Expr>
          <Expr value='.'/>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>The switch has all of the correct SNMP access entries.</PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>
Reply
0 Kudos

Re: Policy compliance and lists
Dave_Signori
Moderator Dave_Signori
Moderator
Posts: 62

‎01-17-2017 04:34 AM

6543     0

In the github location John pointed out, a specific example that may help is the verify-users.xml rule which uses the valid_users.csv list.  It is a good example of looking up on the config to verify there are no list entries present and looking up on the list to ensure they all exist in the config.

 

https://github.com/infobloxopen/netmri-toolkit/tree/master/policy

@DaveSignori
Reply

Re: Policy compliance and lists
cshaad123
cshaad123
Techie
Posts: 9

‎01-17-2017 09:27 AM

6543     0

Great, thats a good one (and that is the way I ended up doing it yesterday before checking that out).  

 

Not sure if I should put this one in a different thread, but can someone explain the match variables?  I see in that example there is _start_match_1.  Looking at another example I was trying to use _match_1, but that wasn't working, though using _match_0 did the trick.  (In both my script and the example it seemed like that would have been the very first match.)

 

Thanks for any clarity on that one!

Reply
0 Kudos

Re: Policy compliance and lists
JBelamaric
Adviser
Posts: 353

‎01-17-2017 10:18 AM

6543     0

Yes, this really should be explained in the online help but I didn't see it there.

 

If you have a regular expression match like this:

 

...
<Expr op='matches'>
   <Expr value='myfoobar barfoo123'/>
   <Expr value='foo(bar)? ([a-z]+)'/>
</Expr>
...

it will return true (unless I have a typo), and it will set the following global _match variables:

 

_match_pre - the text before the match, in this case "my"
_match - the entire match, in this case "foobar barfoo"
_match_0 - same as _match
_match_1 - the first capture (ie, in parentheses) match, in this case 'bar'
_match_2 - the second capture, in this case 'barfoo'
_match_post - the text after the match, in this case '123'
_match_array - an array where element 0 is _match_0, element 1 is _match_1, etc.

Of course if you have more than two capture groups, you'll get one _match_X for each.

 

In the ConfigBlockCheck, you can access the _start_match variables that are the result of the match in the starting regexp of the block, and in the case of the regexp block end method, you can access _end_match variables.

 

Reply
0 Kudos

Re: Policy compliance and lists
JBelamaric
Adviser
Posts: 353

‎01-17-2017 10:19 AM

6543     0

Note that these _match variables are global and are set on every regular expression evaluation so you'll need to save them off if you need them later.

 

Reply
0 Kudos
Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Do you mean 

Recommended for You

Latest Annoucements

Infolbox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community