Policy compliance and lists

cshaad123
Techie
Posts: 9

I have read over the "Using List Searches" XML example in the NetMRI documentation, but my use case for wanting a list in policy compliance is a bit different.  Instead of searching the list, I would like to search the config for matches on the list.  My example would be a list of ip addresses, and ensuring that each of these IP addresses are on an access list in the config.  Can you use a list in such a way?  Let me know if you need any clarification, thanks!


-Chris

Re: Policy compliance and lists

Adviser
Posts: 357
Yes. First, create a list with the column you want plus a column "Status" or something like that, which will contain "Active" or "Inactive" for each list item (or you could use Category if there are different sets of data). Then, in the ListSearch, you search only the Status column for Active records. You'll get an array with all Active rows (IPs or whatever). Then:

1) You could use the list to construct the search string that you then use in a ConfigFileCheck. You can use the array join operator to make a big regular expression.
2) You could loop through and do a ConfigFileCheck for each entry in the list.

Alternatively you can just use a regexp match instead of ConfigFileCheck, but the ConfigFileCheck will, for example, tell you what line the match is on.

John

Re: Policy compliance and lists

cshaad123
Techie
Posts: 9

Thanks for the quick response!  Is there a good resource for some examples of different policies in XML?  Or can you give a quick example of using ForEach to parse through the array returned by the list search?  I'm quite versed in Python, but completely new when it comes to using XML.  Thanks!

Re: Policy compliance and lists

Adviser
Posts: 357
Take a look in the policy directory in this GitHub repo:

https://github.com/infobloxopen/netmri-toolkit

There are a couple examples in there.

Re: Policy compliance and lists

cshaad123
Techie
Posts: 9

Thanks, also actually looking at the XML schema was very helpful.  I got the basic idea working (pasted below), but to just add to my learning, what would be the best way to


1. make sure the entries are in the same order as the list

2. make sure there are no extraneous entries on the list


Concatenating the array beforehand and looking for one chunk would solve both issues, just wondering if there is any way to do it while looping in the way below.  Just trying to learn all the options available, thanks!


<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <Expr op='array' output='missing_ips'/>
  <ListSearch list-name='0-ACL-37' result-columns='ip' result-mode='all' search-columns='status'>
    <Expr value='active'/>
  </ListSearch>
  <ForEach>
    <Expr variable='ip'/>
    <Do>
      <If>
        <ConfigFileCheck op='contains-one'>
          <Expr op='concat'>
            <Expr value='^access-list 37 permit '/>
            <Expr variable='_loop_value'/>
          </Expr>
        </ConfigFileCheck>
        <Then>
        </Then>
        <Else>
          <Expr op='push'>
            <Expr variable='missing_ips'/>
            <Expr variable='_loop_value'/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op='!='>
      <Expr op='size'>
        <Expr variable='missing_ips'/>
      </Expr>
      <Expr value='0'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr>These IPs are missing from SNMP access: </Expr>
          <Expr op='join'>
            <Expr variable='missing_ips'/>
            <Expr value=', '/>
          </Expr>
          <Expr value='.'/>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>The switch has all of the correct SNMP access entries.</PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>
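The three checks discussed in this post (entries missing from the ACL, extraneous entries, and list order) expressed in Python rather than NetMRI ScriptXml, as an added illustration of the logic and not code from the thread or the netmri-toolkit. The configuration text and the expected-IP list are constructed sample data; the ACL number, the `access-list N permit X` line format and the rule-message wording are taken from the XML above.

```python
import re

# Constructed sample config (not from the thread): ACL 37 has its first two
# entries swapped relative to the list, is missing 10.0.0.3 and carries an
# extra permit for 10.0.0.9.
SAMPLE_CONFIG = """\
hostname switch1
access-list 37 permit 10.0.0.2
access-list 37 permit 10.0.0.1
access-list 37 permit 10.0.0.9
access-list 37 deny   any
snmp-server community public RO 37
"""

# Constructed stand-in for the 'active' rows the ListSearch would return.
EXPECTED_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def acl_permit_entries(config, acl_number):
    """Return the permit sources of a numbered standard ACL, in config order."""
    pattern = re.compile(r"^access-list %d permit (\S+)\s*$" % acl_number, re.M)
    return pattern.findall(config)


def compare_acl(config, acl_number, expected):
    """Compare the ACL with the list and report:

    missing  - list entries absent from the ACL (what the XML rule reports)
    extra    - ACL permit entries that are not on the list
    in_order - the list entries that are present appear in list order
    exact    - the ACL is the list: nothing missing, nothing extra, same order
               (the "concatenate and look for one chunk" check in one compare)
    """
    actual = acl_permit_entries(config, acl_number)
    expected = list(expected)
    expected_set = set(expected)
    missing = [ip for ip in expected if ip not in actual]
    extra = [ip for ip in actual if ip not in expected_set]
    # Order is judged only on entries common to both, so a missing entry
    # is reported once (as missing) and not again as an ordering problem.
    in_list_order = [ip for ip in expected if ip in actual]
    in_config_order = [ip for ip in actual if ip in expected_set]
    return {
        "missing": missing,
        "extra": extra,
        "in_order": in_list_order == in_config_order,
        "exact": actual == expected,
    }


def verdict(result):
    """Build a pass/fail message in the style of the XML rule above."""
    problems = []
    if result["missing"]:
        problems.append("These IPs are missing from SNMP access: "
                        + ", ".join(result["missing"]) + ".")
    if result["extra"]:
        problems.append("These IPs should not have SNMP access: "
                        + ", ".join(result["extra"]) + ".")
    if not result["in_order"]:
        problems.append("Entries are not in the same order as the list.")
    if problems:
        return "FAIL: " + " ".join(problems)
    return "PASS: The switch has all of the correct SNMP access entries."


if __name__ == "__main__":
    print(verdict(compare_acl(SAMPLE_CONFIG, 37, EXPECTED_IPS)))
```

`exact` is the strictest test and is the one to use when the ACL must equal the list line for line; the separate `missing`, `extra` and `in_order` flags are what you want when the rule's failure message should say which of the three conditions broke.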

Re: Policy compliance and lists

Moderator Dave_Signori
Moderator
Posts: 117

In the github location John pointed out, a specific example that may help is the verify-users.xml rule which uses the valid_users.csv list.  It is a good example of looking up on the config to verify there are no list entries present and looking up on the list to ensure they all exist in the config.


https://github.com/infobloxopen/netmri-toolkit/tree/master/policy

@DaveSignori

Re: Policy compliance and lists

cshaad123
Techie
Posts: 9

Great, that's a good one (and that is the way I ended up doing it yesterday before checking that out).


Not sure if I should put this one in a different thread, but can someone explain the match variables?  I see in that example there is _start_match_1.  Looking at another example I was trying to use _match_1, but that wasn't working, though using _match_0 did the trick.  (In both my script and the example it seemed like that would have been the very first match.)


Thanks for any clarity on that one!

Re: Policy compliance and lists

Adviser
Posts: 357

Yes, this really should be explained in the online help but I didn't see it there.


If you have a regular expression match like this:


...
<Expr op='matches'>
   <Expr value='myfoobar barfoo123'/>
   <Expr value='foo(bar)? ([a-z]+)'/>
</Expr>
...

it will return true (unless I have a typo), and it will set the following global _match variables:


_match_pre - the text before the match, in this case "my"
_match - the entire match, in this case "foobar barfoo"
_match_0 - same as _match
_match_1 - the first capture (ie, in parentheses) match, in this case 'bar'
_match_2 - the second capture, in this case 'barfoo'
_match_post - the text after the match, in this case '123'
_match_array - an array where element 0 is _match_0, element 1 is _match_1, etc.

Of course if you have more than two capture groups, you'll get one _match_X for each.


In the ConfigBlockCheck, you can access the _start_match variables that are the result of the match in the starting regexp of the block, and in the case of the regexp block end method, you can access _end_match variables.


Re: Policy compliance and lists

Adviser
Posts: 357

Note that these _match variables are global and are set on every regular expression evaluation so you'll need to save them off if you need them later.
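The _match variables described in the two posts above, reproduced in Python as an added example (not code from the thread or from NetMRI). `match_variables` evaluates a regexp the way the 'matches' operator is described and returns the _match_pre, _match_0.._match_N, _match_post and _match_array values; `evaluate` keeps them in one module-level dict to show why a second evaluation overwrites them. Two assumptions not stated in the thread are marked in the code: an optional group that did not participate yields an empty string, and a failed match clears the variables.

```python
import re

# One shared set of _match variables, standing in for the globals the thread
# describes. Every evaluate() call replaces its contents.
_MATCH = {}


def match_variables(text, pattern):
    """Return the _match_* values that a successful 'matches' evaluation of
    `pattern` against `text` would set, or None when there is no match."""
    m = re.search(pattern, text)
    if m is None:
        return None
    # Assumption: a capture group that did not take part (e.g. an unmatched
    # '(bar)?') reads as '' rather than as a missing variable.
    groups = [g if g is not None else "" for g in m.groups()]
    variables = {
        "_match_pre": text[:m.start()],   # text before the match
        "_match": m.group(0),             # the entire match
        "_match_0": m.group(0),           # same as _match
        "_match_post": text[m.end():],    # text after the match
        "_match_array": [m.group(0)] + groups,  # element 0 is _match_0, ...
    }
    for i, g in enumerate(groups, start=1):  # one _match_X per capture group
        variables["_match_%d" % i] = g
    return variables


def evaluate(text, pattern):
    """Mimic the 'matches' operator: return True/False and overwrite _MATCH.
    Assumption: a failed match leaves the variables cleared."""
    found = match_variables(text, pattern)
    _MATCH.clear()
    if found is None:
        return False
    _MATCH.update(found)
    return True


def current_match():
    """Snapshot of the current _match variables (copy it to keep it)."""
    return dict(_MATCH)


if __name__ == "__main__":
    # The example from the post: 'myfoobar barfoo123' against 'foo(bar)? ([a-z]+)'.
    evaluate("myfoobar barfoo123", r"foo(bar)? ([a-z]+)")
    saved = current_match()              # save before the next evaluation
    evaluate("access-list 37 permit 10.0.0.1", r"permit (\S+)")
    print("saved _match_1:", saved["_match_1"])          # bar
    print("current _match_1:", current_match()["_match_1"])  # 10.0.0.1
```

The `saved = current_match()` line is the point of John's last note: in a rule that runs one regexp, stores nothing, and then runs a second regexp (a ConfigFileCheck inside a ForEach, for instance), the captures from the first are gone by the time they are read.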
