I am trying to build a compliance rule to make sure that any router with BGP configured has a neighbor password set. I thought I had this nailed with the following:
RegEx Config Block Start: router bgp ?\d+
RegEx Config Block End: ^\w
Must Contain RegEx: neighbor .*. password
This works great, as long as you have only one neighbor. But in a case where there are multiple neighbors, how can I check that each one has a password set? For example:
router bgp 65535
neighbor 10.10.1.1 remote-as 1234
neighbor 10.10.1.1 password 7 29WOSKXNDHFUR849384URJFGLSPQAZL
neighbor 10.10.10.1 remote-as 65535
neighbor 10.10.10.1 update-source Loopback0
neighbor 10.10.10.2 remote-as 65535
neighbor 10.10.10.2 update-source Loopback0
neighbor 10.10.10.3 remote-as 65535
neighbor 10.10.10.3 update-source Loopback0
This example shows as compliant with the check I described above, but clearly it isn't. Any ideas?
As the password is associated with an AS neighbour entry, could you adjust the start block accordingly and focus on the neighbor line? This will require some additional Regex to exclude non-relevant entries such as those above to Loopback, but this may work for you.
I've tried various things but can't seem to get the rule to recognize each neighbor statement group programmatically and then verify if there is a password statement. The neighbor IP will vary with each router, so I can't look for a specific IP. If using the neighbor statement as a block start, I do not know how to make a block-end that encompasses the same IP as the block start to really define the unique block to then search for.
The rule needs to be that if there is a BGP neighbor, there must be a password set for that neighbor.
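The problem with the block-start/block-end/must-contain rule is that it can only ask "does the BGP block contain a password line anywhere?", not "does every neighbor have one?". That needs per-neighbor correlation: group the `neighbor` lines by their first argument, then require a `password` entry in each group. The script below is an added example, not part of the thread and not SolarWinds NCM code; it runs over a constructed config modelled on the one above (the peer-group, hostname and interface lines are additions, as is the placeholder secret) and reports which neighbors lack a password. It also honours peer-group inheritance, since a neighbor configured with `peer-group X` gets its password from the group rather than from its own line, and a naive per-IP grep would flag it as non-compliant.

```python
import re

# Constructed sample, modelled on the config in the thread. The peer-group
# CORE, the hostname/interface lines and the placeholder secret are invented.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
router bgp 65535
 neighbor CORE peer-group
 neighbor CORE remote-as 65535
 neighbor CORE password 7 0000PLACEHOLDER0000
 neighbor 10.10.1.1 remote-as 1234
 neighbor 10.10.1.1 password 7 29WOSKXNDHFUR849384URJFGLSPQAZL
 neighbor 10.10.10.1 remote-as 65535
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.2 peer-group CORE
 neighbor 10.10.10.2 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65535
 neighbor 10.10.10.3 update-source Loopback0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
"""

# Same boundaries as the NCM rule in the thread: start at "router bgp <asn>",
# end at the first line that begins with a word character at column 0.
BGP_START = re.compile(r"^router bgp\s+\d+\s*$")
BLOCK_END = re.compile(r"^\w")
# "neighbor <ip-or-group> <rest of command>"
NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+(.*)$")


def extract_bgp_block(config: str) -> list[str]:
    """Return the lines belonging to the first 'router bgp' block."""
    block, inside = [], False
    for line in config.splitlines():
        if not inside:
            inside = bool(BGP_START.match(line))
            continue
        # Unindented "neighbor ..." lines (as pasted in the thread, where the
        # leading space was lost) are still treated as part of the block.
        if BLOCK_END.match(line) and not line.startswith("neighbor "):
            break
        block.append(line)
    return block


def audit_bgp_neighbors(config: str) -> dict[str, bool]:
    """Map each BGP session neighbor to True/False for 'has a password'.

    Peer-group templates are not sessions themselves and are excluded from
    the result, but a neighbor that joins a group inherits its password.
    """
    groups: set[str] = set()            # names defined with "neighbor X peer-group"
    with_password: set[str] = set()     # neighbors/groups carrying a password line
    membership: dict[str, str | None] = {}  # neighbor -> peer-group it joined, if any

    for line in extract_bgp_block(config):
        m = NEIGHBOR.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2).strip()
        if rest == "peer-group":        # template definition, not a session
            groups.add(name)
            continue
        membership.setdefault(name, None)
        if rest.startswith("password "):
            with_password.add(name)
        elif rest.startswith("peer-group "):
            membership[name] = rest.split()[1]

    result = {}
    for name, group in membership.items():
        if name in groups:
            continue
        inherited = group is not None and group in with_password
        result[name] = name in with_password or inherited
    return result


def non_compliant_neighbors(config: str) -> list[str]:
    """Neighbors that have neither their own password nor an inherited one."""
    return sorted(n for n, ok in audit_bgp_neighbors(config).items() if not ok)


if __name__ == "__main__":
    for neighbor, ok in audit_bgp_neighbors(SAMPLE_CONFIG).items():
        print(f"{neighbor:<16} {'OK' if ok else 'MISSING PASSWORD'}")
    missing = non_compliant_neighbors(SAMPLE_CONFIG)
    print("compliant" if not missing else f"non-compliant: {', '.join(missing)}")
```

On the sample this flags 10.10.10.1 and 10.10.10.3 and passes 10.10.10.2 because it inherits the CORE group's password. Note that the check only establishes that a password is configured; a `password 7` string is stored reversibly encoded, so the rule says nothing about the strength of the secret or whether it is shared across too many peers.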