Defining Policy Checks

This appendix describes how to define configuration policies.

Violations of the policies you define are reported in the Baseline Summary report's Policy Check Violations subsidiary report.

To view this report, open the Baseline Summary report and double-click the Policy Check Violations row of the Results grid (or select it and click the Show Report button).

Writing a Policy Script

The file which defines your custom policies must be named default.router_template and it must be located in your baseline subdirectory. (When a baseline is created, a subdirectory of the same name is created in the Netsys\data directory. If you want to establish policy checks for the baseline named test, the default.router_template file must be placed in the Netsys\data\test directory.)

This template file is read by the software at the time the baseline is opened, not when the report is generated. If you have edited the template file, you should reopen the baseline before viewing the report.

The script must start with a begin statement and end with an end statement.

Conditions are introduced by an if statement and enclosed in square brackets ("[" and "]").

When the condition is met, an action which you specify with the action statement will be taken. The only action currently supported is print_warning, which causes a warning message to be displayed in the Annotation pane of the Policy Check Violations report.

The contents of this message are defined by enclosing text in quotes immediately after the action print_warning statement, as follows:

action print_warning "This is the message that will be displayed."

You must explicitly define an action print_warning statement for every policy check, or else the entire script will fail. If you don't want an error message displayed, you can omit the message string.

Enclose keywords and messages in quotes. To include special characters such as quotation marks in your messages, precede them with a backslash (\"). Special characters are defined in the section "Regular Expressions," elsewhere in this appendix.

The pound sign (#) at the beginning of a line indicates a comment that will not be parsed by the software.

Use the major_cmd and sub_cmd statements to locate subcommands in configuration files. Each instance of the specified condition will be listed in the Policy Check Violations report. The File column will identify the configuration file, and the Line column will show the line number of the major command under which the condition was found.

You cannot use the major_cmd statement or the sub_cmd statement alone. Each instance of major_cmd in your template file must be followed by a sub_cmd statement, and each sub_cmd condition must be preceded by a major_cmd (except that you can string multiple sub_cmd statements together in a single if statement, using boolean operators).

Use the command statement to search for the existence (or ! command to verify the non-existence) of a supported command. If an instance of the command is (or is not) found, the Policy Check Violations report will list the configuration file in the File column. Line numbers are not reported when you use the command statement.

Use the operators && (two ampersands) and || (two vertical bars) for boolean logic (and and or, respectively).

Use parentheses to define precedence: A && (B || C) means A and either B or C, while A && B || C means both A and B, or else C.

Entries in the default.router_template file are not case sensitive, and line breaks and extra spaces (around brackets, for example) are optional.

Both of the following scripts will work:

begin
if [ major_cmd "interface" ]
    if [ sub_cmd "shutdown" ]
    {
        action print_warning "Command \"shutdown\" used."
    }
end

or

begin
if[major_cmd "interface"]if[sub_cmd "shutdown"]action print_warning "Command \"shutdown\" used."
end

Note, however, that the begin statement must be on a line by itself.

Curly braces ("{" and "}") can be used to organize your script layout in C programming style, if you find it easier to read. The braces will be ignored when the file is parsed by the software.

However, you must use the curly braces to create complex statement blocks, such as multiple if sub_cmd statements for a single if major_cmd statement.

begin
if [ major_cmd "interface" ]
{
    if [ ! sub_cmd "shutdown" ]
        action print_warning
    if [ sub_cmd "appletalk address" ]
        action print_warning "Appletalk address specified"
}
end

Use an exclamation mark to specify action when a command is not encountered in the router configuration files:

begin
if [ ! command "version" ]
    action print_warning "Command \"version\" is not used."
end

Scripting Errors

You should proofread your script carefully. No error messages are generated for mistakes. If there is an error in any part of the script (a single misspelled IOS command, or one missing quote mark or bracket anywhere in the default.router_template file, for example), none of the script is executed and the Baseline Summary report simply says "There are no policy check violations."

Keywords

To see which command keywords are currently supported by the Policy Check Violation report, open the ASCII text file configkeyword in the Netsys\resources directory.

Be aware that this is a Cisco Netsys Baseliner system file. You should not edit this file in any way.

If you want to create your own keywords (to add Cisco IOS commands not currently supported by the Policy Check Violation report, for example) place them in an ASCII text file named ecsp_configkeyword and put this file in the directory defined by your computer's HOME environment variable.

If this file exists when the report is generated, your keywords will be added to the list that is obtained from the system file.

If you are not sure what directory is your HOME directory, or you want to locate your custom keywords somewhere else, you can define a new environment variable called ECSP_CONFIGKEYWORD and set it to point to the custom file (can be any name, but it must be an ASCII text file). Environment variables can be created in the Windows Control Panel (double click on the System icon and choose the Environment tab) or from a DOS command line:

SET ECSP_CONFIGKEYWORD = c:\mypath\myfile

Variables created from the command line are valid only during the current Windows session; they will be lost when you log off. To make them persist, you will need to add the SET command to a batch file that is executed at the beginning of each session (such as an autoexec.bat file, or a batch file run from your Windows Startup folder).

Regular Expressions

You can construct regular expressions when specifying parameter values, as follows:

The following rules are used to build a multi-character regular expression:

As with access lists, the order of the commands listed in the template file is important.

Sample Template

Following is a sample template file that performs various checks on a baseline:

begin
if [ (command "ip address *.*.*.*") && (command "interface") ]
    action print_warning
if [ ! command "no mop enabled" ] {
    action print_warning "The Maintenance Operation Protocol is not enabled."
}
#
# This checks if IGRP/EIGRP routes are distributed into RIP but no default
# metrics are specified.
# Note that the regular expression [ei]grp is used.
#
if [ major_cmd "router rip" ] {
    if [ sub_cmd "redistribute [ei]grp" && ! sub_cmd "default-metric" ]
        action print_warning
}
#
# Same as above but distributing RIP routes into IGRP/EIGRP.
#
if [ major_cmd "router [ei]grp" ] {
    if [ sub_cmd "redistribute rip" && ! sub_cmd "default-metric" ]
        action print_warning
}
#
# Search for the interfaces that are NOT shutdown, have an IP address,
# but do NOT have a description line.
#
if [ major_cmd "interface" ] {
    if [ ! sub_cmd "shutdown" && sub_cmd "ip address" && ! sub_cmd "description" ]
        action print_warning
    #
    # Search for the interfaces that have an "AppleTalk address" (phase
    # 1 address style) OR "AppleTalk cable-range" (phase 2 address style)
    # but do NOT have a zone name defined.
    #
    if [ (sub_cmd "appletalk address" || sub_cmd "appletalk cable-range")
         && ! sub_cmd "appletalk zone" ]
        action print_warning
}
if [ (command "interface ethernet.*" && ! command "no mop enabled") ] {
    action print_warning
}
end
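To make the major_cmd/sub_cmd and command semantics concrete, here is an added Python model (not Netsys code) that applies two of the sample template's checks to a constructed IOS configuration and returns the line numbers the report's Line column would show. It assumes keywords are regular expressions matched at the start of a line and that subcommands are indented under their major command, as IOS writes them.

```python
import re

# Constructed sample IOS configuration (not from any real device).
SAMPLE_CONFIG = """version 11.2
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 description uplink to core
interface Ethernet1
 ip address 10.0.1.1 255.255.255.0
interface Serial0
 shutdown
 ip address 10.0.2.1 255.255.255.0
router rip
 redistribute igrp 100
 network 10.0.0.0
"""

def parse_blocks(config):
    """(line_no, major_cmd, [sub_cmds]) per major command; IOS indents subcommands."""
    blocks = []
    for no, line in enumerate(config.splitlines(), start=1):
        if line.startswith(" ") and line.strip() and blocks:
            blocks[-1][2].append(line.strip())
        elif line.strip() and not line.startswith(("!", " ")):
            blocks.append((no, line.strip(), []))
    return blocks

def major_cmd(block, pattern):
    # Keyword treated as a regex anchored at line start (assumed matching rule).
    return re.match(pattern, block[1]) is not None

def sub_cmd(block, pattern):
    return any(re.match(pattern, s) for s in block[2])

def command(config, pattern):
    """`command "pattern"`: matches anywhere in the file; no line number is kept."""
    return any(re.match(pattern, l.strip()) for l in config.splitlines())

def undocumented_interfaces(config):
    """if [ major_cmd "interface" ] { if [ ! sub_cmd "shutdown" && sub_cmd "ip address"
    && ! sub_cmd "description" ] }; returns the major command's line numbers."""
    return [b[0] for b in parse_blocks(config)
            if major_cmd(b, "interface") and not sub_cmd(b, "shutdown")
            and sub_cmd(b, "ip address") and not sub_cmd(b, "description")]

def rip_without_default_metric(config):
    """if [ major_cmd "router rip" ] { if [ sub_cmd "redistribute [ei]grp"
    && ! sub_cmd "default-metric" ] }"""
    return [b[0] for b in parse_blocks(config) if major_cmd(b, "router rip")
            and sub_cmd(b, "redistribute [ei]grp") and not sub_cmd(b, "default-metric")]
```

Only Ethernet1 (line 5) and the router rip block (line 10) are flagged; Serial0 is excused because it is shut down, and Ethernet0 carries a description.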

A sample file called default_pc in the Netsys\resources directory also demonstrates how to write customized policy checks. You can copy this file, or portions of it, into your own default.router_template file, or you can use the file as a model to craft your own policy checks.

Posted: Tue Apr 27 11:57:49 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.