Golden/Baseline Template Validation

This is a privilege-based feature: the user can access, view, add, edit, delete, execute and export only if the administrator has granted the corresponding privileges. These are defined under roles and privileges.

This menu is accessible only if the below privilege has been checked.

Though most compliance checks can be performed automatically through NCCM, a few must be done manually. For example, checking whether the access control on all entrances/exits of the organization is functional has to be done manually.

Follow the steps below to add a Baseline Template.

Click Validate to validate the template.

Procedure to follow for writing Golden Template:

NCCM fetches the “Device Configuration” of the filtered devices (based on the filter), applies Ignore Patterns to remove unwanted lines from the configuration, and matches the Configuration Template patterns one by one. This ensures that the configuration adheres to the Golden Template or policy.

Golden Template results include missing configurations and illegal extra configurations for each device (one by one). NCCM allows the user to ignore a single configuration or a block of configuration before matching the template. This is based on input and Ignore patterns.

Procedure/Rules

The example is to match the configuration so that exec-timeout 0 0, privilege level 25 and logging synchronous must exist inside the line con 0 block (but are not matched in MAIN or other sub-blocks).

If the configuration file contains the following configuration blocks (line con 0 and line aux 0):

    line con 0
    exec-timeout 0 0
    privilege level 25
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous

Then the Match Pattern should be:

Syntax:

    BlockStartPattern:line con 0
    exec-timeout 0 0
    privilege level 25
    BlockEndPattern:logging synchronous[$$$]EndPattern:Keep

Explanation:

BlockStartPattern and BlockEndPattern are keywords that match the start and end of a block.

line con 0 is the pattern that marks the start of the block in the configuration.

exec-timeout 0 0 is a pattern to match inside the block.

privilege level 25 is a pattern to match inside the block.

logging synchronous is the pattern that marks the end of the block in the configuration.

[$$$] is the separator between BlockEndPattern and EndPattern.

‘Keep’ is used to consider the last line as part of the same block. If you want to ignore it, apply ‘Ignore’.
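The block-scoped match described above, as an added example that is not NCCM's own code: a Python check that parses the match pattern and reports missing and extra lines inside the line con 0 block only. It assumes literal whole-line matching and that the block ends at the first line equal to the end pattern; parse_template, check_block and DRIFTED_CONFIG are hypothetical names.

```python
SEP = "[$$$]"  # separator between BlockEndPattern and EndPattern, as on the page

def parse_template(template):
    """Split a block match pattern into (start, inner patterns, end, end mode)."""
    lines = [ln.strip() for ln in template.splitlines() if ln.strip()]
    if (len(lines) < 2 or not lines[0].startswith("BlockStartPattern:")
            or not lines[-1].startswith("BlockEndPattern:")):
        raise ValueError("expected BlockStartPattern: ... BlockEndPattern:")
    end, _, mode = lines[-1][len("BlockEndPattern:"):].partition(SEP)
    mode = mode.replace("EndPattern:", "", 1) or "Keep"  # assumed default
    return lines[0][len("BlockStartPattern:"):], lines[1:-1], end, mode

def check_block(config, template):
    """Report missing and extra lines inside the one block the template names."""
    start, inner, end, mode = parse_template(template)
    cfg = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if start not in cfg:
        return {"block_matched": False, "missing": [start], "extra": []}
    begin = cfg.index(start) + 1
    # Assumption: the block stops at the first end-pattern line after the start.
    stop = next((i for i in range(begin, len(cfg)) if cfg[i] == end), None)
    if stop is None:
        return {"block_matched": False, "missing": [end], "extra": []}
    keep = mode == "Keep"  # Keep: the end line counts as part of the block
    body = cfg[begin:stop + 1] if keep else cfg[begin:stop]
    required = inner + [end] if keep else inner
    return {"block_matched": True,
            "missing": [p for p in required if p not in body],
            "extra": [ln for ln in body if ln not in required]}

TEMPLATE = """BlockStartPattern:line con 0
exec-timeout 0 0
privilege level 25
BlockEndPattern:logging synchronous[$$$]EndPattern:Keep"""

# Configuration from the page: the con 0 block carries all three lines.
PAGE_CONFIG = """line con 0
exec-timeout 0 0
privilege level 25
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous"""

# Constructed sample: levels swapped, so 25 is in the file but not in line con 0.
DRIFTED_CONFIG = PAGE_CONFIG.replace("25", "XX").replace("15", "25").replace("XX", "15")
if __name__ == "__main__":
    print(check_block(DRIFTED_CONFIG, TEMPLATE))
```

On the drifted sample the check reports privilege level 25 as missing and privilege level 15 as extra, even though privilege level 25 appears under line aux 0; a whole-file search for the same lines would have passed.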