Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Creating rules through NCM Policy

I have been looking for a place where we can share rules for policies created for NCM. I have been trying to create one such policy where it detects if port security is enabled on all switch ports, not trunks. If anyone can help out here it would be a great +. I know there was a previous thread about STIGs for the government and I think that is going to take a while, so why don't we start sharing some of those STIG implementations to help each other out. Thanks for the assistance.

Find more posts tagged with

disa_stig

Compliance

Accepted answers

All comments

MarieB

Hi DMJ--

Did you get the information you needed? Have you tried looking at the NCM area of the Content Exchange?

FormerMember

I am still looking and have not found anything. I did look in the NCM Content Exhange but nothing besides the complex SQL's. If you know of anything to help me out please let me know. Thank you..

rkearney

Does anyone know how to do this? I'm looking for this rule.

FormerMember

Make a config block based on a multiline regex

Then look for what you want after you have the mulitline regex config block working.

If you paste an example block of what you WANT it to look like, I will type it up and screenshot it for you.

rkearney

I'm trying to build a rule which performs something similar to the above:

Example 1:

A rule which checks that if spanning-tree portfast or storm-control broadcast level 1.00 or Port Security is enabled on all switchports except trunks. (this would be spilt in 3 different rules but the idea would be the same)

interface FastEthernet/GigabitEthernetX/Y

description ABCDEFG [optional]

switchport access vlan Z

switchport mode access

no logging event link-status

no snmp trap link-status

spanning-tree portfast

Another example would be if an interface contains a description called Internet, check that the interface contains ip access-group Internet-in in or ip nat outside.

interface [internet-interface]

description Internet interface (ISP Abcdefg)

ip address x.x.x.x y.y.y.y

ip access-group Internet-in in

ip access-group Internet-out out

ip inspect FW in

ip inspect FW out

ip nat outside

Most of my rules are working but rules like these are difficult and catch me out. (My Regex wouldn't be the best)

Any help would be great.

FormerMember

rkearney, This requires the port not be shut down and as well it gives you an idea of the second rule as to how to require something else as well. I should also explain that you can conditional like this and then follow it all with an OR must not contain whatever the condition was. Let me know if you have any further issues as I feel this should be enough to get you going

rkearney

I never knew you could negate the whole rule. So if I wanted to do something like:

Search for an interface that contains ip nat outside, if so it must contain ip inspect FW in.

Im trying to negate the rule with two OR, 1st must not contain ip nat outside or encapsulation dot1q.

Only seems to work with or ip nat outside. IM getting caught on the encapsulation part as we have mpls interfaces that also have ip nat outside too but we dont use the inspect for these as they are mpls. The others are internet interfaces which we do. It doesnt like the 2nd OR for encapsulation but not too sure why.

FormerMember

rkearney

You need to user parentheses to make make rules inclusive of eachother, like above do you want (rule2 or rule3) or do you want (rule 1 and rule 2) or rule 3 or rule 4. Hopefully this makes sense to you, if not trial an error will probably yield the results. Keep in mind this is just a truth table of AND, OR operations with a resulting 1 or 0 once calculated.

I don't think I can really explain it better as this is one of those things that each person grasps in their own way.

rkearney

Anyone know how to perform a rule for the following on a Cisco Firewall:

ip verify reverse-path interface <ifname>

Check that this command exists for all interfaces on the firewall except the stateful failover interface.

The zone names vary from firewall to firewall.