cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

NCM Compliance Policy

Jump to solution

I'm writing several Policies that will check the running configuration of a CISCO router for certain key strings. Depending the policy it will alert me to if the string is present or not. The problem i'm running into however, is that some of the strings do not exist in the standard running config. For instance I want to search for the string Authentication retries: 3. This does not exist in the running config, the only way to see this string is by first typing show ip ssh and then the string is displayed below.

My question is this. Can you design a policy that will first run the show ip ssh command and then look for the Authentication string?

Labels (2)
0 Kudos
1 Solution
Level 10

Hi aclarkvanmaur,

rstoney00 is right. My Suggestion is that you want to check that the default value 3 is not changed.

So if the command do not exist in your config then it is the default value. Otherwise you get a new line in your config like "ip ssh authentication-retries 2".

So you are able to create a compliance check.

Kind regards,

Flo

View solution in original post

7 Replies
Level 10

Hi aclarkvanmaur,

rstoney00 is right. My Suggestion is that you want to check that the default value 3 is not changed.

So if the command do not exist in your config then it is the default value. Otherwise you get a new line in your config like "ip ssh authentication-retries 2".

So you are able to create a compliance check.

Kind regards,

Flo

View solution in original post


I don't think i'm making myself clear.

The configuration that Solarwinds is checking is correct. However, in the standard running, start-up configuration the actually string does not exist for authentication retires. In order to actually see this you have to do a "show ip ssh" command fist.

I wanting to know if you can have Solarwinds run the "sh ip ssh" command then look for the Authentication retries string.

ch_router#sh ip ssh

SSH Enabled - version 2.0

Authentication timeout: 60 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

0 Kudos

Compliance Policy itself will not do this.  It's method is to check the configuration files that you give it.  In this case, Cisco running configs.  Not to execute commands and tests responses. That is the purpose of other modules in SolarWinds.

   These configurations files (speaking for Cisco devices only) are downloaded when you run an NCM Download config action, which standard is "running"

So, how could you accomplish this?  A suggestion (it is not the only way)

   Create a new download config type.  Call it ipssh.

   Modify your device type files to include a new config type called ipssh, which instead of "sh run", will execute the "sh ip ssh" command.

   Create a new Config Download job, to pull this new config file. Target your Cisco devices in question.

   Create a Compliance report/policy that targets ONLY the ipssh config type, and search for your line there.

Drawbacks:

   1)Obviously, you have to configure all this.  Although it really shouldn't be THAT painful to do.

   2)Database storage.  You are about to put quite a few more rows into your ConfigArchive table.  This may cause some headaches, if you get, say 500k rows.

Level 10

you know that a default rule "Set Authentication Failure Rate ... " exist? You find it in "Manage Rules"


Yes, however, when checking against the IOS running config that does not show up unless you first do a show (sub) command first.

0 Kudos

The Compliance Check are "scanning" the saved config in your directory - so how you can not execute a command.

But for your example i could help you. Create a compliance rule which alert if the running contains the string "ip ssh authentication-retries" because otherwise your default values matches:

Unbenannt.PNG

here is the link to cisco.com: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfssh.html

kind regards,

flo

0 Kudos

BUMP

0 Kudos