Are you interested in having the rules run remediation scripts or are you just validating what content the config has in it against the rules criteria?
We have baselines that are easy to set up and apply against large groups of nodes and monitor drift/changes, but they do not allow for remediation scripts.
We have a lot of great folks on here who can share their automation with NCM experience with you.
Both, we will need to audit all devices in our environment for certain standards, then take steps either through NCM or by sending commands to external tools such as Ansible. I am fairly new to the current version of Orion, so my knowledge of all it offers function-wise is limited.
If I were to tackle this in, say, Python, I'd build a series of logical steps that have matching if statements that, if matched, take action. However, from what I have observed in NCM, it's looking solely at the config file, which is missing info such as the OS and OS version that you would normally see in, say, a show run or from the Orion DB directly. What I see thus far is a simple logic and/or gate that is looking for whether the config file does or does not contain "string" or a RegEx, then flags a violation.
You can then, based on the violations, take action with a remediation script using NCM, which from my limited knowledge and experience is basically a "script" of commands the user would type into the device if they were doing it by hand. While this is fine for small adjustments, having the ability to use, for instance, a YANG data model to structure standards and have that be pushed as a template would be more efficient for large-scale pushes.
Using a YANG model, we simply set the variables such as our NTP server, Syslog server and more; then the automated process would apply that standard to each device, being aware of the differences in the command structure and making accommodations for them. This could also be done by Orion flagging the failed devices and sending, through the remediation script, a list of failed devices to, say, Ansible, which would then execute the changes using the YANG model. But I am unsure if Orion can support this type of logic and operation at this time, hence seeking help on the community from more experienced users.
I will say that NCM is not going to have the full range of capabilities that you would be able to leverage from something like hand-crafted scripts and Ansible playbooks. Like you mentioned, you primarily have to work with the existing saved configs, so you can't just pick a series of if statements and run different CLI depending on the output of some show commands and their outputs. The workaround I've seen is to create additional config types for each of those show commands. The problem is that you aren't really working in real time: you run a stack of "config backups" that are actually the show commands you want, then after all of them are collected you can cook up some logic to piece them all together and determine which scripts you want to run or what policies need to be applied. Ultimately something like this tends to get pretty complex in NCM, and if you are already geared up to do it in Ansible, then doing it in NCM will probably seem clunky by comparison.
With that said, I did have a client who had leveraged NCM to build his routers by pulling a bunch of NCM data out to PowerShell, did his logic all there to build the necessary configs, then just piped that into the NCM verbs to run whatever lines of config his PowerShell had assembled. He could have probably just bypassed NCM completely for the remediation stuff, really, but he liked to use the reporting there and he liked having NCM available for more basic things his junior techs needed to be able to do in the GUI.
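The workaround described in the reply above (collect `show version` as an extra "config type", then combine it offline with the ordinary contains/regex config rules) can be sketched in the Python the original poster mentioned. This is an added illustration, not code from the thread or from NCM/SolarWinds; the node names, addresses, versions and the `STANDARD` dictionary are constructed sample data.

```python
import re

# Constructed sample data (not pulled from NCM): per node, the saved running config
# plus a second "config type" that is really captured `show version` output.
BACKUPS = {
    "edge-rtr-01": {
        "running": "hostname edge-rtr-01\nntp server 10.0.0.10\nlogging host 10.0.0.20\n",
        "show version": "Cisco IOS Software, Version 15.2(4)M7, RELEASE SOFTWARE\n",
    },
    "core-sw-02": {
        "running": "hostname core-sw-02\nlogging host 10.0.0.20\n",
        "show version": "Cisco IOS Software, Version 15.0(2)SE, RELEASE SOFTWARE\n",
    },
}
# The standard as plain data, the way a YANG-style template would carry it (constructed).
STANDARD = {"ntp_server": "10.0.0.10", "syslog_host": "10.0.0.20", "min_version": (15, 2)}

def parse_version(show_version):
    """Extract (major, minor) from captured `show version` text; None if absent."""
    m = re.search(r"Version (\d+)\.(\d+)", show_version)
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit(node, node_backups, standard=STANDARD):
    """Return [(rule, fix_line)]; fix_line is None when a config push cannot fix it."""
    cfg = node_backups.get("running", "")
    violations = []
    # NCM-style "config must contain this line" rules, written as anchored regexes.
    for rule, line in (
        ("ntp", f"ntp server {standard['ntp_server']}"),
        ("syslog", f"logging host {standard['syslog_host']}"),
    ):
        if not re.search(rf"^{re.escape(line)}$", cfg, re.M):
            violations.append((rule, line))
    # The version rule needs the second config type; a plain config rule cannot see it.
    ver = parse_version(node_backups.get("show version", ""))
    if ver is None or ver < standard["min_version"]:
        violations.append(("min_version", None))
    return violations

def plan(backups, standard=STANDARD):
    """Split results into {node: [cli lines]} to push and nodes needing an OS upgrade."""
    pushes, upgrades = {}, []
    for node, node_backups in backups.items():
        for rule, fix in audit(node, node_backups, standard):
            if fix is None:
                upgrades.append(node)
            else:
                pushes.setdefault(node, []).append(fix)
    return pushes, upgrades
```

The `pushes` dictionary is the per-node line list a remediation script or an Ansible play would consume; `upgrades` lists nodes that a config push alone cannot bring into compliance.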
NCM is not supporting NETCONF; there's a feature request, please vote.
I still think you can manage quite a lot by using all the features that are there.
I use compliance quite often, and you can use that also for custom show | xzy
Use properties to call NTP/DNS/TFTP.
We use NCM as some kind of CMDB and share all the backup jobs' drive with a Linux server.
All that data is reachable with grep from the Linux station, and your Ansible could reuse that share.