I think we have introduced in NCM 6.1 what you are looking for: the ability to define compliance rules that apply only to blocks of config (vs. entire config), defined by a begin and end string.
This new feature is available in both the WEB Integration WEB UI and the Win32 app.
See the snapshot below, showing a DISA STIGs compliance rule leveraging this new capability.
Hope this helps.
Close, but it's not really section-aware. It cannot report which section is in violation of the config, and it has no method to remediate the violating section.
I should have also included "Conditional/Nested RegEx Expressions" with this request but it makes for a pretty big RFE.
For example, I would like to check every block that begins with "interface Fast*" and ends with "!". So far that's doable.
I want to search for interfaces that contain the following:
IF "description DSIT|description Trunk:.*"
THEN "ip verify unicast reverse-path"
The remediation script would need an expression for the section in violation and then recurse through each of the violating sections and fix them.
ip verify unicast reverse-path
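As an added illustration of the section-aware, conditional check described in the request above (this is example code, not NCM's own rule engine and not something the poster supplied), the script below splits a config into blocks delimited by a begin regex and an end string, applies an IF/THEN rule inside each block, reports the violating sections by header, and emits a per-section remediation script. The sample config, the block delimiters and the rule regexes are constructed for the example; the rule itself is the one from the post (description DSIT or Trunk: implies ip verify unicast reverse-path).

```python
import re

# Constructed sample IOS-style config (not from the original post).
SAMPLE_CONFIG = """\
hostname edge-1
!
interface FastEthernet0/1
 description DSIT uplink
 ip address 10.0.0.1 255.255.255.0
 ip verify unicast reverse-path
!
interface FastEthernet0/2
 description Trunk: to core
 switchport mode trunk
!
interface FastEthernet0/3
 description user port
 ip address 10.0.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 description DSIT uplink 2
 ip address 10.0.4.1 255.255.255.0
!
"""

# Block delimiters: the post's "interface Fast*" begin string and "!" end string.
BLOCK_BEGIN = re.compile(r"^interface Fast")
BLOCK_END = re.compile(r"^!\s*$")

# The IF / THEN rule from the post, applied per block.
CONDITION = re.compile(r"description DSIT|description Trunk:.*")
REQUIRED = re.compile(r"^ip verify unicast reverse-path$")
REMEDIATION_LINE = "ip verify unicast reverse-path"


def extract_blocks(config, begin=BLOCK_BEGIN, end=BLOCK_END):
    """Return a list of (header_line, [body_lines]) for each begin..end block."""
    blocks = []
    current = None
    for line in config.splitlines():
        if current is None:
            if begin.match(line):
                current = (line, [])
        elif end.match(line):
            blocks.append(current)
            current = None
        else:
            current[1].append(line.strip())
    if current is not None:  # block still open at end of file
        blocks.append(current)
    return blocks


def find_violations(config):
    """Headers of blocks where CONDITION matches but REQUIRED is absent."""
    violations = []
    for header, body in extract_blocks(config):
        condition_met = any(CONDITION.search(line) for line in body)
        requirement_met = any(REQUIRED.match(line) for line in body)
        if condition_met and not requirement_met:
            violations.append(header)
    return violations


def remediation_script(config):
    """Build a config-mode script that fixes only the violating sections."""
    lines = ["configure terminal"]
    for header in find_violations(config):
        lines.append(header)            # re-enter the violating interface
        lines.append(f" {REMEDIATION_LINE}")
        lines.append(" exit")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for header in find_violations(SAMPLE_CONFIG):
        print(f"VIOLATION: {header}")
    print(remediation_script(SAMPLE_CONFIG))
```

Run against the sample, only FastEthernet0/2 is reported: FastEthernet0/1 matches the condition but already has uRPF, FastEthernet0/3 does not match the condition, and GigabitEthernet0/1 is outside the "interface Fast*" block scope. The remediation script re-enters each violating interface and adds the missing line, which is the recursion over violating sections the post asks for.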