Compliance Check for Things Not in a Config File?

rednarb · ‎10-18-2019

Friends,

Is there a way to do a compliance check on things that are not in a configuration file? For instance on Cisco I need to see that the SNMPv3 user is set up, so I run a command "show snmp user" and look for specific output. Also, I need to make sure the RSA key modulus is 2048 so I have to run (depending on version) "show ssh key". Is there any way to get a compliance report on something like that?

TIA,

Eric

mesverrum · ‎10-19-2019

under the ncm settings you can create new config types. Each config type is really just a set of commands you want it to run and record the output, so i have set up new config types for various show commands i was interested in tracking/parsing.

After you create a custom config type you need to edit the device template for your gear so it knows what command it needs to send when you ask for it to download an "rsa" config.

Then you add that new config type to the backup jobs since the default ones only grab running and startup configs and you can set up new compliance policies that target that specific config type.

- Marc Netterfield, Github

rednarb · ‎10-23-2019

This sounds perfect! Thanks, I'll give it a shot.