The NSO compliance report feature verifies that a given configuration is present across a group of devices and produces a report listing the non-compliant devices and their discrepancies.
What is a Compliance Check / Report
The compliance check compares the configuration of network devices against a baseline configuration to ensure that the baseline is present on every device. It is particularly useful in auditing, for example to verify compliance with security standards.
To verify configuration compliance and create a compliance report, we prepare a device template that contains the required configuration for each device type.
But instead of applying the device template to the devices, as we learned in the previous sections, we ask Cisco NSO to give us a compliance report.
The compliance report output not only reports any non-compliant devices, but also shows any configuration discrepancies.
NSO Compliance Report Example
Here is a sample device template that configures name servers, logging and an NTP server on IOS, NX-OS and ASA devices.
devices template COMPLIANCE-CHECK
 ned-id cisco-ios-cli-6.88
  config
   ip name-server name-server-list 1.1.1.1
   ip name-server name-server-list 2.2.2.2
   service timestamps log datetime localtime show-timezone year
   logging host ipv4 3.3.3.3
   ntp server peer-list 4.4.4.4
 ned-id cisco-nx-cli-5.23
  config
   ip name-server servers 1.1.1.1
   ip name-server servers 2.2.2.2
   logging timestamp milliseconds
   logging server 3.3.3.3 level 5
   ntp server 4.4.4.4
 ned-id cisco-asa-cli-6.16
  config
   dns domain-lookup mgmt
   dns server-group DefaultDNS
    name-server 1.1.1.1
    name-server 2.2.2.2
   logging timestamp
   logging host mgmt 3.3.3.3
   ntp server 4.4.4.4
Naturally, the configuration syntax differs between device types, so each NED gets its own section of the template.
Let’s commit the configuration changes.
admin@ncs(config)# show configuration
devices template COMPLIANCE-CHECK
 ned-id cisco-asa-cli-6.16
  config
   logging timestamp
   logging host mgmt 3.3.3.3
   !
   ntp server 4.4.4.4
   !
   dns domain-lookup mgmt
   !
   dns server-group DefaultDNS
    name-server [ 1.1.1.1 2.2.2.2 ]
   !
  !
 !
 ned-id cisco-nx-cli-5.23
  config
   ip name-server servers [ 1.1.1.1 2.2.2.2 ]
   ntp server 4.4.4.4
   !
   logging server 3.3.3.3 level 5
   !
   logging timestamp milliseconds
  !
 !
 ned-id cisco-ios-cli-6.88
  config
   service timestamps log datetime localtime
   service timestamps log datetime show-timezone
   service timestamps log datetime year
   ip name-server name-server-list 1.1.1.1
   !
   ip name-server name-server-list 2.2.2.2
   !
   logging host ipv4 3.3.3.3
   !
   ntp server peer-list 4.4.4.4
   !
  !
 !
!
In the next step we configure a name for the report we are interested in.
For each report, we need to configure the device template name and the device group whose configuration is to be compared against it.
compliance reports report REPORT compare-template COMPLIANCE-CHECK ALL
admin@ncs(config)# show configuration
compliance reports report REPORT
 compare-template COMPLIANCE-CHECK ALL
 !
!
admin@ncs(config)# commit check
Validation complete
admin@ncs(config)# commit
Commit complete.
admin@ncs(config)#
In our example, the name “REPORT” is chosen for the compliance report. “COMPLIANCE-CHECK” is the name of the device template and “ALL” is the name of the group which includes all devices.
Although the report is asked to compare the configuration of all devices, only devices of the types configured in the device template, in other words the IOS, NX-OS and ASA devices, are actually compared. All other devices are ignored in the compliance report.
And in the final step, we ask Cisco NSO to generate the report.
By default, the report output is in XML format, but it is also possible to ask NSO to provide the report in HTML or text format.
admin@ncs# compliance reports report REPORT run
id 1
compliance-status no-violation
info Checking 7 devices and no services
location http://localhost:8080/compliance-reports/report_1_admin_0_2023-7-7T15:52:29:0.xml
admin@ncs# compliance reports report REPORT run outformat html
id 3
compliance-status violations
info Checking 7 devices and no services
location http://localhost:8080/compliance-reports/report_3_admin_1_2023-7-7T15:56:16:0.html
The link to access the compliance report will be shown in the output when you run the compliance report.
The reports are stored under the NSO instance folder, in the “state” folder and then in its “compliance-reports” subfolder.
majid@majid-ubuntu:~/devnet/cisco_nso$ ls -al ~/nso-instance/state/compliance-reports/
total 20
drwxrwxr-x 2 majid majid 4096 Jul  7 15:56 .
drwxrwxr-x 6 majid majid 4096 Jul  7 15:55 ..
-rw-rw-r-- 1 majid majid  945 Jul  7 15:52 report_1_admin_0_2023-7-7T15:52:29:0.xml
-rw-rw-r-- 1 majid majid  831 Jul  7 15:52 report_2_admin_0_2023-7-7T15:52:41:0.html
-rw-rw-r-- 1 majid majid  945 Jul  7 15:56 report_3_admin_1_2023-7-7T15:56:16:0.html
majid@majid-ubuntu:~/devnet/cisco_nso$
The report output shows not only the non-compliant devices but also the configuration discrepancies, in other words which configuration needs to be added to which device for it to become compliant.
In our example, 7 devices are checked; router R1 is non-compliant, and the report shows exactly which configuration must be added to R1 for it to be compliant.
http://192.168.2.101:8080/compliance-reports/report_3_admin_1_2023-7-7T15:56:16:0.html

Publication date : 2023-7-7 15:56:16
Produced by user : admin

Summary
Compliance result titled "" defined by report "REPORT"
Resulting in violations
Checking 7 devices and no services
Produced 2023-7-7 15:56:16
From : Oldest available information
To : 2023-7-7 15:56:16

Template discrepancies
COMPLIANCE-CHECK
Discrepancies in device R1

Details
Template discrepancies details
COMPLIANCE-CHECK
Device R1
config {
    logging {
        host {
+           ipv4 3.3.3.3 {
+           }
        }
    }
}
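When reports are produced regularly, it helps to turn the "Details" section into structured data that an audit pipeline can act on. The following is an added example, not code from the page or from NSO: it walks the brace layout shown above and maps each device to the template lines it is missing. It assumes the report was exported in text form with the same layout as the HTML report; the sample input is constructed, and device R2 is invented.

```python
import re

# Constructed sample in the layout of the "Details" section above (not a real
# NSO dump): lines prefixed "+" are config the template requires but the device lacks.
SAMPLE_REPORT = """\
Device R1
config {
    logging {
        host {
+           ipv4 3.3.3.3 {
+           }
        }
    }
}
Device R2
config {
    ntp {
+       server 4.4.4.4 {
+       }
    }
}
"""

def parse_discrepancies(report: str) -> dict:
    """Walk the brace structure and map each device to its missing template
    lines as slash-joined paths, e.g. 'config/logging/host/ipv4 3.3.3.3'."""
    result = {}
    device, path = None, []
    for raw in report.splitlines():
        m = re.match(r"Device (\S+)$", raw)
        if m:                                  # start of a new device section
            device, path = m.group(1), []
            result.setdefault(device, [])
            continue
        if device is None:                     # still in the summary part
            continue
        marker = raw[:1] if raw[:1] in "+-" else ""
        line = (raw[1:] if marker else raw).strip()
        if not line:
            continue
        if line == "}":                        # leave the current container
            if path:
                path.pop()
            continue
        name = line[:-1].strip() if line.endswith("{") else line
        if marker == "+":                      # config the device is missing
            result[device].append("/".join(path + [name]))
        if line.endswith("{"):                 # enter a nested container
            path.append(name)
    return result
```

A device that appears in the section with no "+" lines maps to an empty list, so the result can be used directly to gate a change window or raise an audit finding.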