
NCM Compliance Policy

I'm writing several Policies that will check the running configuration of a CISCO router for certain key strings. Depending on the policy, it will alert me whether the string is present or not. The problem I'm running into, however, is that some of the strings do not exist in the standard running config. For instance, I want to search for the string Authentication retries: 3. This does not exist in the running config; the only way to see this string is by first typing show ip ssh, and then the string is displayed below.

My question is this. Can you design a policy that will first run the show ip ssh command and then look for the Authentication string?

  • You know that a default rule "Set Authentication Failure Rate ... " exists? You find it in "Manage Rules".


  • Yes, however, when checking against the IOS running config that does not show up unless you first do a show (sub) command.

  • The Compliance Checks are "scanning" the saved config in your directory, so you cannot execute a command.

    But for your example I could help you. Create a compliance rule which alerts if the running config contains the string "ip ssh authentication-retries", because otherwise the default value matches:


    here is the link to cisco.com: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfssh.html

    kind regards,

    flo


  • I don't think I'm making myself clear.

    The configuration that Solarwinds is checking is correct. However, in the standard running and start-up configuration the actual string does not exist for authentication retries. In order to actually see this you have to do a "show ip ssh" command first.

    I want to know if you can have Solarwinds run the "sh ip ssh" command and then look for the Authentication retries string.

    ch_router#sh ip ssh

    SSH Enabled - version 2.0

    Authentication timeout: 60 secs; Authentication retries: 3

    Minimum expected Diffie Hellman key size : 1024 bits

  • Compliance Policy itself will not do this. Its method is to check the configuration files that you give it. In this case, Cisco running configs. Not to execute commands and test responses. That is the purpose of other modules in SolarWinds.

       These configuration files (speaking for Cisco devices only) are downloaded when you run an NCM Download config action, which by default is "running".

    So, how could you accomplish this?  A suggestion (it is not the only way)

       Create a new download config type.  Call it ipssh.

       Modify your device type files to include a new config type called ipssh, which instead of "sh run", will execute the "sh ip ssh" command.

       Create a new Config Download job, to pull this new config file. Target your Cisco devices in question.

       Create a Compliance report/policy that targets ONLY the ipssh config type, and search for your line there.

    Drawbacks:

       1) Obviously, you have to configure all this. Although it really shouldn't be THAT painful to do.

       2) Database storage. You are about to put quite a few more rows into your ConfigArchive table. This may cause some headaches if you get, say, 500k rows.

  • Hi aclarkvanmaur,

    rstoney00 is right. My suggestion is that you want to check that the default value 3 is not changed.

    So if the command does not exist in your config, then it is the default value. Otherwise you get a new line in your config like "ip ssh authentication-retries 2".

    So you are able to create a compliance check.

    Kind regards,

    Flo
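To illustrate the two approaches discussed in this thread (Flo's "absent command means the IOS default of 3" rule against the running config, and rstoney00's separate "sh ip ssh" download type), here is an added example that is not part of the thread and not SolarWinds code. The config texts and the "show ip ssh" output are constructed samples; the expected default of 3 and the command syntax come from the Cisco documentation linked above.

```python
import re

# Constructed sample running configs (not captured from a real device).
# IOS omits "ip ssh authentication-retries" when it still holds the default.
RUNNING_CONFIG_DEFAULT = """\
hostname ch_router
ip ssh version 2
ip ssh time-out 60
!
line vty 0 4
 transport input ssh
"""

RUNNING_CONFIG_CHANGED = """\
hostname ch_router
ip ssh version 2
ip ssh authentication-retries 2
!
"""

# Constructed "show ip ssh" output, as it would be stored under a custom
# config type (rstoney00's suggestion).
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

IOS_DEFAULT_RETRIES = 3


def retries_from_running_config(config):
    """Return (effective value, explicit) for SSH authentication retries.
    An absent command means the IOS default applies (Flo's rule)."""
    for line in config.splitlines():
        m = re.match(r"\s*ip ssh authentication-retries\s+(\d+)\s*$", line)
        if m:
            return int(m.group(1)), True
    return IOS_DEFAULT_RETRIES, False


def retries_from_show_ip_ssh(output):
    """Parse the value from stored 'show ip ssh' output; None if absent."""
    m = re.search(r"Authentication retries:\s*(\d+)", output)
    return int(m.group(1)) if m else None


def check_policy(config, expected=IOS_DEFAULT_RETRIES):
    """Compliance verdict: (compliant, effective value)."""
    value, _explicit = retries_from_running_config(config)
    return value == expected, value
```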