5 Replies Latest reply on Dec 7, 2017 12:38 PM by rschroeder

    NCM- Policies and Procedure Violations

    saintsjeff

      Sorry for be newbie to NCM.  I am showing violations in Compliance Policy Report that are "Policy and Procedure" (PCI Policy P30 - 07.1.2 ) or "Documentation" (PCI P30 - 07.1.4).  How are those violations remove through remediation?

       

       

        • Re: NCM- Policies and Procedure Violations
          rschroeder

          NCM cannot remediate this particular policy violation using a Remediation Script.

           

          The information presented in your screen shot tells you what must be done.  Someone actually has to go to the team (or person) who provides a specific kind of access to certain user ID's, and perform the rest of the steps that are hidden by the right side of the window.  You should refer to Page 30 of your corporate / I.T. Policies & Procedures Manual and review Area-Sec120b.

           

          You may have to work with your manager, or your security team, or H.R. to determine who has to be contacted, and what the actual steps are to be taken.

           

          If this were NOT a corporate manual inter-person configuration correction step, you might be able to create a Remediation script that NCM could perform automatically every time it sees this specific violation.

           

          For example, suppose you wanted to ensure that all of your routers & switches had http and https disabled.  You could write out the command line steps to shutdown http and https access to the device, then paste those CLI steps into the Remediation Script box.  They'd be applied to the switches & routers anytime NCM saw http or https was enabled.

           

          This can be done for pretty much anything that you'd do vial CLI--deny SSH v1 and require SSH v2, configure snmp strings and syslog servers and the list goes on.

           

          Just remember that automated Remediation of a Policy Violation is powerful.  It'll do exactly what you tell it to do, to any devices you tell it to work on, every time it runs.  This can be a huge time saver, but also has the potential for terrible abuse. Ensure you know what you're doing with it before you test anything.  Ensure you have received approval from your Change Management Board and your boss, and have receive the blessing for the scripts and Remediation and target devices from Security and your Peer Review team--BEFORE ENABLING A REMEDIATION SCRIPT.

            • Re: NCM- Policies and Procedure Violations
              saintsjeff

              thank you for you response.I understand all of that. I am actually going though my PCI audit this week. I have my documentation for the violation. It is the documentation or policy and procedure violation I am trying to clear (the red dot).  They show up on dashboard as violation. I would like to clear them. And yes I am a little OCD about this type of thing.

               

                • Re: NCM- Policies and Procedure Violations
                  rschroeder

                  The red dots will appear until one of the following occurs:

                  • The condition causing the Compliance Report violation has been removed, AND a new configuration file reflecting that change has been downloaded, AND NCM's Compliance Report concerning that issue has been "updated" so that it reviews the corrected devices' configuration files and discovers the violating config lines have been corrected.  This assumes that incorrect configuration of the devices triggered the Compliance Violation Alert, and that the corrected condition is reflected in the config file, and that the config file has been downloaded via NCM.  Once NCM receives the corrected config file AND you update that specific Compliance Report, then the red dots triggered by the Report go away.
                  • The Compliance Rule, or the Compliance Policy, or the Compliance Report (any one, or all) are changed so they no longer look for the problem condition, even though the problem is not remediated.  This is not a good or compliant method of eliminating the red dots.  It's a poor practice, possibly against corporate policy, and a great audit would catch it and cause the person responsible to be reprimanded or worse.  Never sweep dirt under the carpet like this; just pick up the carpet & shake it outside, while also doing a proper job of cleaning the floor and picking all the dirt and litter.  Then you'll always have the respect of others, and you'll be the kind of person anyone would hope to work with.
                    • Re: NCM- Policies and Procedure Violations
                      saintsjeff

                      On "Manual Verification" rule, is there a way to clear the violation after the rule is verified?  There is no changes to be made on config. it is a manual verification that a policy or procedure exists.  Once verified, I would like to be able to clear the violation.

                        • Re: NCM- Policies and Procedure Violations
                          rschroeder

                          I'm unaware of such a method.  I'd think that providing it would allow folks to try to fool auditors by clearing the alerts while not removing their cause.

                           

                          I recommend you open a support case with Solarwinds and learn what they recommend.

                           

                          If you do, please post their suggestions and procedures here, so we all can learn from your experience.

                           

                          Swift packets!

                           

                          Rick Schroeder