
PI 3.1.5 Compliance Policy "Evaluate Expression" Help

joshelton
Level 1

Currently on Prime Infrastructure 3.1.5

I want to verify that none of the line configs (Line con, line vty) have an exec-timeout greater than 10. In most devices exec-timeout 10 is the default and won't show in the line config. So my rule exits if exec-timeout is not present. I'm having problems with my rule showing everything as compliant. Here is what I have:

Part 1 looks for blocks that start with line, so they can be later called for the fix-cli

Configuration

Parse as Blocks

Block Start = line

Matches the expression = line (.*)

Part 2 gets the value that is shown for exec-timeout to send to the next rule and do an evaluate

Previously Matched Blocks

Matches the expression = exec-timeout (.*)

Part 3

Previously Matched Blocks

Evaluate Expression = <2.1> > 10

-----

Every time I run the rule I get a return as compliant.

1 Reply 1

Brett
Level 1

Hello,

There are only a few things that need to get changed.

Part 1:

Block Start = line .*

Matches the expression = line (.*)

Part 2:

Previously Matched Blocks

Matches the expression = exec-timeout (.*) (.*)

***** We have to add the extra (.*) to store the second value. The exec-timeout command, if configured, has two values. *****


exec-timeout 15 0


So we have to account for there being another value after what we want to capture. If we didn't do this the value that would be stored would be:


15 0 instead of just 15


Part 3:

Evaluate Expression = <2.1> > 10

In Part one if it matches continue, if it doesn't match select "Does Not Raise Violation"

In Part two if it matches continue, if it doesn't match select "Raise a Violation and Continue"

In Part three if it matches continue, if it doesn't match select "Raise a Violation and Continue"

Hope this helps

Brett
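The capture difference discussed in this thread, as an added example that is not part of either post: Python's `re` module stands in for the Prime Infrastructure rule engine (its exact regex and evaluation behaviour is an assumption here), and the device configuration is constructed sample data.

```python
import re

# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """\
hostname lab-sw1
!
line con 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 exec-timeout 5 30
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

BLOCK_START = re.compile(r"^line (.*)$")                  # Part 1
ONE_GROUP = re.compile(r"exec-timeout (.*)")              # Part 2, original rule
TWO_GROUPS = re.compile(r"exec-timeout (.*) (.*)")        # Part 2, revised rule

def line_blocks(config):
    """Split the config into {line name: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = BLOCK_START.match(raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line closes the block
    return blocks

def captured_minutes(body, pattern):
    """Group 1 (<2.1>) of the first exec-timeout line, or None if absent."""
    for cmd in body:
        m = pattern.match(cmd)
        if m:
            return m.group(1)
    return None

def exceeds(value, limit=10):
    """Evaluate '<2.1> > limit'; None when there is no numeric capture."""
    if value is None or not value.isdigit():
        return None
    return int(value) > limit

def audit(config, pattern):
    """Map each line block to (captured <2.1>, result of the > 10 check)."""
    return {name: (v := captured_minutes(body, pattern), exceeds(v))
            for name, body in line_blocks(config).items()}
```

With `ONE_GROUP` the capture for `line con 0` is `15 0`, which is not a number, so the comparison has nothing usable to evaluate; with `TWO_GROUPS` it is `15`. The block with no `exec-timeout` line yields no capture under either pattern.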