
Access Control List Compliance check

Forgive me, but I am a noob to Solarwinds and this topic may be repetitive to some, but the other threads pertaining to the topic are not rendering the desired result.  Thus, I thought I would start a more current thread as it pertains to an ACL Compliance check. Moreover, my benchmark is very brief usage of CiscoWorks NCM which did not seem to require many steps to construct an ACL compliance check and provide helpful info as to how something was in violation provided the cause.

With Solarwinds, essentially I am trying to establish a compliance check for ACLs that reside on a Cisco ASA. Below are a couple of ACL examples:

access-list vendor-burgers-client extended permit tcp any4 object-group TheFixings_Resources object-group DM_INLINE_TCP_18

OR 

access-list vendor-wafflecone-client remark b-ups-maplesyrup.whatever.org
access-list vendor-wafflecone-client extended permit ip any4 host 172.25.106.20
access-list vendor-wafflecone-client remark WHATEVER
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.113 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.129 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.134 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.3 eq www
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.3 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.4 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.5 eq https


I've tried entering the ACLs one line at a time, which is cumbersome as the ACLs may change depending on the circumstances. Some of the ACLs we'd like to have a compliance check for are lengthy, and there are many different ACLs to be checked.

If there is a different entry within any line of the compliance RULE, then the compliance check report will render a "was not found" statement in the compliance check.  This is good to know.

However, Solarwinds did not indicate a violation if there was an extra line on the ASA itself for a particular ACL, thus one less line to check within the compliance RULE. I hoped there would be an indication of a violation. As it stands now, to me, if the line count and substance of the lines between the ASA and the compliance rule are the same, there is no violation. If the line count between the ASA and the compliance rule is the same, but there is a character difference, say udp vs tcp or a different digit (the compliance rule may have a 3, but on the ASA there is a 4) within a line, then there is a violation and it should be reported, which does take place.

Additionally, putting the whole ACL in the STRING field has been done, but when there is a violation against the compliance check, it is not immediately known what the exact offense is.  

Is there a better, different, more efficient approach for achieving the following across different ACLs?

- ACL order matters
- Check if all the required lines are present and syntax match within the ACL - ASA vs Compliance
- Check if any required line(s) is/are missing - a violation
- Check if any required line(s) are there, but with any extra line(s) - a violation

We then implement a daily compliance email report advising if the compliance has passed or failed. If a failure, what's the cause?

Your time and helpful feedback are appreciated.

Thank you.
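The four requirements listed above (order matters, every required line present with matching syntax, no missing lines, no extra lines) can be checked as an ordered comparison of the ACL against its approved version, which also names the exact offending entry that the "was not found" message hides. The script below is an added example; it is not from this thread and not part of SolarWinds NCM. The running-config text and the drift in it (two entries swapped, tcp changed to udp, one entry added) are constructed, and the script assumes you can obtain `show running-config access-list` output for the device, for instance from the config backups NCM already keeps. Order is worth enforcing on its own: the ASA applies the first entry that matches, so swapping two entries can change what a packet is permitted to reach even though every line is still present.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of "show running-config access-list" output from a hypothetical
# ASA. It deliberately drifts from the approved ACL: two entries swapped, one entry
# changed from tcp to udp, and one entry added that the approved list never had.
RUNNING_CONFIG = """\
access-list vendor-wafflecone-client remark b-ups-maplesyrup.whatever.org
access-list vendor-wafflecone-client extended permit ip any4 host 172.25.106.20
access-list vendor-wafflecone-client remark WHATEVER
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.113 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.134 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.129 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.3 eq www
access-list vendor-wafflecone-client extended permit udp any4 host 192.168.10.3 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.4 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.5 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.9 eq ssh
access-list other-acl extended permit ip any4 any4
"""

# The approved ACL exactly as posted in the question, in the order it must appear.
REQUIRED = """\
access-list vendor-wafflecone-client remark b-ups-maplesyrup.whatever.org
access-list vendor-wafflecone-client extended permit ip any4 host 172.25.106.20
access-list vendor-wafflecone-client remark WHATEVER
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.113 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.129 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.134 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.3 eq www
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.3 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.4 eq https
access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.5 eq https
"""


def acl_lines(config, acl_name):
    """Entries of one named ACL in config order, with runs of whitespace collapsed."""
    head = re.compile(r"^\s*access-list\s+" + re.escape(acl_name) + r"\s+\S")
    return [" ".join(line.split()) for line in config.splitlines() if head.match(line)]


def check_acl(running, required, acl_name):
    """Ordered comparison; returns a list of findings (an empty list means compliant).

    Positions in the findings are 1-based entry numbers within the ACL, counted on the
    required side ("required") and on the device side ("device").
    """
    want, have = acl_lines(required, acl_name), acl_lines(running, acl_name)
    missing, extra, changed = [], [], []
    for tag, i1, i2, j1, j2 in SequenceMatcher(a=want, b=have, autojunk=False).get_opcodes():
        if tag == "equal":
            continue
        if tag == "replace" and i2 - i1 == j2 - j1:
            # same number of lines on both sides: treat as in-place edits (udp vs tcp, a 3 vs a 4)
            changed.extend(zip(range(i1, i2), range(j1, j2)))
            continue
        if tag in ("delete", "replace"):
            missing.extend(range(i1, i2))
        if tag in ("insert", "replace"):
            extra.extend(range(j1, j2))
    findings = [{"kind": "changed", "required": i + 1, "device": j + 1,
                 "expected": want[i], "found": have[j]} for i, j in changed]
    for i in missing:
        # a "missing" line whose text also shows up as "extra" is present but out of order
        j = next((j for j in extra if have[j] == want[i]), None)
        if j is None:
            findings.append({"kind": "missing", "required": i + 1, "text": want[i]})
        else:
            extra.remove(j)
            findings.append({"kind": "out_of_order", "required": i + 1, "device": j + 1, "text": want[i]})
    findings += [{"kind": "extra", "device": j + 1, "text": have[j]} for j in sorted(extra)]
    return findings


def report(findings):
    """One human-readable line per finding, suitable for the body of a compliance email."""
    return [f["kind"] + ": " + ", ".join(f"{k}={v}" for k, v in f.items() if k != "kind")
            for f in findings]


if __name__ == "__main__":
    for line in report(check_acl(RUNNING_CONFIG, REQUIRED, "vendor-wafflecone-client")):
        print(line)
```

Run against the constructed config this reports three findings: entry 8 changed (tcp expected, udp found), entry 6 of the required ACL present on the device at position 5 (out of order), and an extra entry at device position 11 (the `eq ssh` line). An ACL that matches the approved text gives an empty list, which is the pass/fail signal for the daily report, with the findings as the cause.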

  • Hi bnocer234,

    I understand this may not be the solution you are looking for but it does work well for me.

    My understanding of your requirement is to have an NCM compliance check the ACL and report violation. 

    - ACL order matters
    - Check if all the required lines are present and syntax match within the ACL - ASA vs Compliance
    - Check if any required line(s) is/are missing - a violation
    - Check if any required line(s) are there, but with any extra line(s) - a violation

    To do this you went through and added each line, and it would report which line was in violation, but it would not report a violation with extra lines, so this is not sufficient.

    I recommend you focus on the violation and less on it reporting the line number. In my experience it is not often violated on our couple hundred nodes, so it is acceptable to manually check the delta when there is a violation and investigate who/what caused it, etc. Without this being a requirement, you can search with a RegEx match for the entire string of text that you want to match. I recommend RegEx because it is less prone to misses because of spacing. It will show a violation if it has any extra lines, omitted lines, a different sequence of lines, or changes to any characters within, as you would expect.

    You noted that you had put the entire string in already and it did work, but it was not immediately known what the violation is. Again I recommend that you take the violations as a reason to investigate. The investigations should not be frequent, and doing the comparison should not take more than a minute.

    If you don't need to investigate when there is a violation then you can simply set the auto-remediate. Either way, set up a remediation script which is idempotent, to remediate manually or automatically by the NOC after investigation, or automatically by Solarwinds.

    Another note: you plan to then have a daily compliance email report. It's just a thought, but I get too many emails as it is and they can quickly turn into spam. In our deployment we used a widget on the main dashboard to monitor for violations, so as soon as one is detected we act on it as opposed to waiting on a report or generating more email.

    Hope this helps. Honestly, I don't think it's possible currently for it to do all of what you want, but I recommend you try this and see if it meets your requirements; you may be surprised when there are no violations for a long period of time - which is a good thing!
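The whole-block RegEx match recommended in this reply can be generated from the approved ACL rather than written by hand, and the generated pattern can be exercised locally against the drift cases the question lists before it is pasted into a rule. The script below is an added example, not code from this thread or from SolarWinds NCM; it uses Python's re module, and the exact regex dialect and anchoring that the NCM rule engine applies are not assumed here. The ACL lines are the ones posted in the question; the surrounding config and the drift scenarios are constructed.

```python
import re

ACL = "vendor-wafflecone-client"

# Approved ACL as posted in the question, in the order the rule expects it.
REQUIRED_LINES = [
    "access-list vendor-wafflecone-client remark b-ups-maplesyrup.whatever.org",
    "access-list vendor-wafflecone-client extended permit ip any4 host 172.25.106.20",
    "access-list vendor-wafflecone-client remark WHATEVER",
    "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.113 eq https",
    "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.129 eq https",
    "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.5.134 eq https",
    "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.3 eq www",
    "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.3 eq https",
    "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.4 eq https",
    "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.5 eq https",
]
REQUIRED_BLOCK = "\n".join(REQUIRED_LINES) + "\n"


def build_acl_regex(required_block, acl_name):
    """Anchored, whitespace-tolerant pattern for the whole ACL block.

    Every token is escaped literally, so a changed character or a reordered line cannot
    match; tokens are joined by a run of spaces/tabs so spacing differences are ignored;
    the lines must be consecutive, and the line before and the line after the block must
    not be further entries of the same ACL, which is what catches extra lines.
    """
    lines = [ln for ln in required_block.splitlines() if ln.strip()]
    body = r"\n".join(
        r"[ \t]*" + r"[ \t]+".join(re.escape(tok) for tok in ln.split()) + r"[ \t]*"
        for ln in lines
    )
    not_this_acl = r"(?![ \t]*access-list[ \t]+" + re.escape(acl_name) + r"[ \t])"
    pattern = (r"(?:\A|^" + not_this_acl + r".*\n)"          # previous line, if any, is not ours
               + body
               + r"(?:\Z|\n(?:\Z|" + not_this_acl + r"))")  # next line, if any, is not ours
    return re.compile(pattern, re.MULTILINE)


def acl_block_compliant(config, required_block, acl_name):
    """True when the approved block appears intact, in order, with nothing added."""
    return build_acl_regex(required_block, acl_name).search(config) is not None


def make_config(acl_lines):
    """Constructed running-config fragment around the ACL (hypothetical device)."""
    return ("hostname asa-edge\n" + "\n".join(acl_lines)
            + "\naccess-list other-acl extended permit ip any4 any4\n")


def scenarios():
    """Constructed drift cases: what a device might show after an unapproved change."""
    base = list(REQUIRED_LINES)
    stray = "access-list vendor-wafflecone-client extended permit tcp any4 host 192.168.10.9 eq ssh"
    swapped = list(base)
    swapped[4], swapped[5] = swapped[5], swapped[4]
    return {
        "compliant": make_config(base),
        "extra spacing only": make_config([ln.replace("extended permit", "extended   permit") for ln in base]),
        "extra line at end": make_config(base + [stray]),
        "extra line in middle": make_config(base[:3] + [stray] + base[3:]),
        "extra line at start": make_config([stray] + base),
        "missing line": make_config(base[:6] + base[7:]),
        "lines reordered": make_config(swapped),
        "tcp changed to udp": make_config([ln.replace("permit tcp any4 host 192.168.10.3 eq https",
                                                      "permit udp any4 host 192.168.10.3 eq https")
                                           for ln in base]),
    }


def evaluate():
    """Map each scenario name to whether the whole-block regex still matches it."""
    return {name: acl_block_compliant(cfg, REQUIRED_BLOCK, ACL) for name, cfg in scenarios().items()}


if __name__ == "__main__":
    print(build_acl_regex(REQUIRED_BLOCK, ACL).pattern)
    for name, ok in evaluate().items():
        print(f"{name:22s} -> {'compliant' if ok else 'VIOLATION'}")
```

Only the "compliant" and "extra spacing only" cases match; every other case (an extra entry before, inside or after the block, a missing entry, a swapped pair, tcp changed to udp) fails the match, which is the violation behaviour the reply describes. As the reply also notes, a whole-block match says only that something differs; pairing it with a line-level comparison of the archived config is what tells you which entry.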
