
Need Help!! How to create compliance rules? Cisco switch.

So.. I am trying to create a new rule to make sure port security is enabled on all ports on all switches.

I can have it look for the string "switchport port-security", but if it finds it 1 time it states the switch is compliant. How do I have it check each interface to make sure it is enabled on ALL switch ports?

Also, another issue.

I am trying to create a rule to make sure only 1 user is configured on the switch. I have it look for that user, but how do I have it search to see if more than one username is configured?

I will not know what the username will be, so I need to make sure if more than one username is configured it flags it as a finding.

If I have it look for "username" and "username" it finds two, but it finds the same one on the same line as the first. So I need to have it find one, then continue through the rest of the config, not find the same string again.

Hope that makes sense.

This is confusing, frustrating and super cool at the same time.

Thanks in advance.

Mitch

  • Ok, so you are looking for several different rules violations here.

    1.  All physical ports (FastEthernet, Ethernet, GigabitEthernet, and TenGigabitEthernet ports) configured with the following: violation if port is not configured with port-security

         -- do you need the ports to allow a single mac address

         -- what about trunk ports

         -- should unused port be shutdown

    interface (type and number)

    switchport port-security

    2.  You want to identify all local usernames configured on a device.  Violation if more than one is found.

    username alpha

    username beta

    username .....

  • Yes, all that stuff. LOL. I have it configured to look for 2 MACs because of IP phones. But again, it only looks at the entire config to see if "switchport port-security mac-address sticky" exists once. I can't figure out how to make it check each gigeth port for those strings.

    Also, I don't know how to have it check to see if a port is in use, to shut it down.

    Per STIG, we need one user for emergency use.

    So... I can have it search for

    must contain "username emergency"

    and not contain "username"

    But it finds the "username" on the line for username emergency, so it's not finding one then looking for more; it finds the same username.

    I appreciate all your help.

  • So, I downloaded one of your checks for port security. That is the way I have mine set up; however, it only looks for it in the entire config, not each port. So if it finds it 1 time it shows up as compliant, when 30 out of 38 ports could be non-compliant.

  • With some use of regular expression coding, the issue could be resolved.

    Also, you can use the "Advanced Config Search" and select parts of the config to start and finish from.

  • I thought about the start and finish option but it seems like I would have to create individual rules for each port.

    Look for "switchport port-security"

    Start at Interface GigabitEthernet1/0/1

    end at Interface GigabitEthernet1/0/2

    then create a new rule for port 2, and another for port 3, etc.
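A worked example of the two checks this thread is after, added here and not from any of the posters or from the compliance tool they are using: the config is split into per-interface blocks so every physical access port is tested individually (instead of one search over the whole config), and usernames are counted with a line-anchored regex so "username emergency" matches exactly once. The sample running-config, the treatment of trunks, and the allowed account name are constructed assumptions.

```python
import re
# Constructed sample running-config (not from the thread): Gi1/0/1 is
# compliant, Gi1/0/2 lacks port-security, Gi1/0/3 is a trunk.
SAMPLE_CONFIG = """\
username emergency privilege 15 secret 5 $1$PLACEHOLDER$hash
username admin2 privilege 15 secret 5 $1$PLACEHOLDER$hash
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""
PHYSICAL = re.compile(r"^(?:Fast|Gigabit|TenGigabit)?Ethernet\d")
USERNAME = re.compile(r"^username (\S+)", re.M)  # anchored: one hit per line

def interface_blocks(config):
    """Split the config into {interface name: [its indented lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks

def port_security_findings(config, required=("switchport port-security",
                           "switchport port-security mac-address sticky")):
    """Physical access ports missing a required line -> {port: [missing lines]}.
    Trunks are skipped; the thread left their treatment as an open question."""
    findings = {}
    for name, lines in interface_blocks(config).items():
        if PHYSICAL.match(name) and "switchport mode trunk" not in lines:
            missing = [r for r in required if r not in lines]
            if missing:
                findings[name] = missing
    return findings

def extra_usernames(config, allowed=("emergency",)):
    """Local usernames other than the allowed emergency account (finding if non-empty)."""
    return [u for u in USERNAME.findall(config) if u not in allowed]
```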