Goal
By following this "How-To", you'll be able to audit the configuration of any device on your network with immediate feedback on whether the device has passed or failed and if failed, which criteria it failed on.
Use Case (is this for you?)
Auditing device configurations for compliance with PCI, SOX, HIPAA or internal policies and best practices can be a long and tedious process prone to human error. By automating these checks, not only will network and security engineers save time, but they'll have more accurate results that are easily exported into a report for your records.
Reminder: This How-To focuses on security compliance, but it can be applied to any configuration audit! Need to check that all your routers are using the same NTP server, or that all your trunks contain the right VLANs? You can use this Qapp!
Getting Started
Before diving into your audit, you'll need some files:
- The audit template
- The Qapp itself
The Qapp and a sample template are attached to this article.
The audit template is written in a YAML format to check for specific items in the config. If you're unsure about how to modify it for your needs, check YAML Basics at the end of this article.
The audit template will need to be uploaded to your Netbrain platform. You can do so by clicking "Files" on the left-hand side of the Netbrain interface, selecting the desired folder and clicking "Upload Windows Files".
Tip: It's recommended to have a dedicated configuration template folder under the "Public" folder as shown above for optimal organization.
The Qapp will also need to be uploaded. Do that by going to the Qapp Center from the top-left hamburger menu, selecting "Shared Qapps in Tenant" and clicking "Import Qapp".
Tip: If you don't want other users to have access to this Qapp, import it under "My Qapps".
Using the Qapp
Now that the config template and Qapp have been uploaded, it's time to run some audits!
- Go into any map or a new map and open a fresh runbook.
- Add the Qapp to the runbook.
- Select the devices you wish to audit using the dropdown on the top left.
- Set the "Data Source" to "Pull live data once".
- Select the config template as the "Golden Template File".
- Hit "Run".
Tip: Use Device Group maps to create custom maps of frequently-audited devices such as routers or firewalls across multiple sites and audit them all at once!
Results
Once the Qapp has finished running, you can find the results in two dedicated tabs at the bottom of the map:
The "Failed_Report" shows only the devices and criteria which failed to pass the audit, while the "Full_Report" shows everything that was checked and whether it passed or failed.
After reviewing the results, you can export them as a .csv for reporting, posterity and sharing purposes. When in the desired tab (either the "Failed" or "Full" report), click on the "export" button on the top right to download the file.
Tip: Remember to save the runbook for future use by other Netbrain users! If you have integrations with other systems, it could even be triggered to run based on certain criteria.
Wrapping up
Compliance auditing doesn't usually end with a simple report. There are verification and remediation steps that need to happen too. Thankfully, Netbrain can help there as well!
Within a runbook you can add other commands to check why a certain device failed (e.g., checking the AAA config on a specific router), and if you have the Change Management module, you can set up a change window and deployment plan to roll out corrections.
The customizability of both this Qapp and Netbrain itself allows for this process to be adapted into any workflow or network, and adopted by both operational and security teams.
YAML Basics
The audit template file is written in the YAML format. Here's a sample:
Config_Audit_1:
  snmp community public:
    match:
      - '^snmp-server community public.*'
    exclude: True
    description: 'Make sure we are not using public as community string'
  no ip http:
    match:
      - '^no ip http server'
      - '^no ip http secure-server'
    description: 'Make sure neither http nor https is enabled'
  login authentication vty telnet:
    match:
      - 'transport input ssh$'
    start: '^line vty \d+.+'
    end: '!'
    description: 'Make sure telnet is not allowed into the device for management'
    repeated: True
The file indicates which parts of the running config output to look for and what indicates a TRUE or FALSE result. Here's a general breakdown of what's going on:
- The first line of the paragraph is the name of the criterion being checked; it should be concise and descriptive. In this example we're using the config line itself that's being checked, for maximum clarity.
- The "match" variable is required and should always be present under the criterion name, indented one level.
- The items beginning with "-" are the patterns being matched. Regular-expression wildcards are accepted (the ".*" in the SNMP example).
- The "exclude" variable means that a match will indicate a FALSE result. In the SNMP example, it means that if the "public" community string is in the config of a device, it'll fail that criterion. The "exclude" variable cannot be used for a repeated criterion (see next bullet).
- The "repeated" variable indicates a criterion that will or can appear multiple times. In the telnet example, this is used to check every vty line to make sure SSH is the only transport allowed on all of them. This variable requires both a "start" and an "end" variable to be defined in regex format (the same as what's used in Netbrain parsers).
Tip: Regex can seem daunting but there's tons of helpful resources online if you're stuck! Netbrain recommends regex101.com as a tool to test your regex expressions.
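To make the template semantics above concrete, here is an added Python example that evaluates the sample template against a constructed router config and produces a pass/fail result per criterion, the way the Qapp's "Full_Report" and "Failed_Report" tabs do. This is illustration code written for this article, not the Qapp's own implementation, and it makes a few assumptions the text leaves implicit: a plain criterion passes only when every "match" pattern is found somewhere in the config; an "exclude" criterion fails as soon as any pattern matches; a "repeated" criterion passes only when every section between a "start" and "end" match satisfies all the patterns. The template is embedded as the Python structure PyYAML's yaml.safe_load() would return, so the example runs without extra packages, and the running config is a constructed sample, not output from a real device.

```python
import re

# Constructed audit template: the structure PyYAML's yaml.safe_load() returns for
# the sample template in this article (embedded so the example runs without PyYAML).
TEMPLATE = {
    "Config_Audit_1": {
        "snmp community public": {
            "match": [r"^snmp-server community public.*"],
            "exclude": True,
            "description": "Make sure we are not using public as community string",
        },
        "no ip http": {
            "match": [r"^no ip http server", r"^no ip http secure-server"],
            "description": "Make sure neither http nor https is enabled",
        },
        "login authentication vty telnet": {
            "match": [r"transport input ssh$"],
            "start": r"^line vty \d+.+",
            "end": r"!",
            "description": "Make sure telnet is not allowed into the device for management",
            "repeated": True,
        },
    }
}

# Constructed running config of a hypothetical router (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
!
line vty 5 15
 transport input telnet ssh
!
"""


def _sections(lines, start, end):
    """Split the config into the repeated sections delimited by the start/end regexes."""
    sections, current = [], None
    for line in lines:
        if current is None:
            if re.search(start, line):
                current = [line]          # start line belongs to the section
        elif re.search(end, line):
            sections.append(current)      # end line closes the section
            current = None
        else:
            current.append(line)
    if current:                           # section still open at end of file
        sections.append(current)
    return sections


def _all_patterns_match(lines, patterns):
    """True when every pattern matches at least one of the given lines."""
    return all(any(re.search(p, ln) for ln in lines) for p in patterns)


def check_criterion(lines, crit):
    """Return (passed, detail) for one criterion dict from the template."""
    patterns = crit["match"]
    if crit.get("repeated"):
        sections = _sections(lines, crit["start"], crit["end"])
        if not sections:
            # Design choice (assumption): nothing to check is a failure, not a vacuous
            # pass, so a missing section cannot hide a misconfiguration in the report.
            return False, "no sections matched the start pattern"
        bad = [s[0].strip() for s in sections if not _all_patterns_match(s, patterns)]
        if bad:
            return False, "non-compliant: " + ", ".join(bad)
        return True, "all %d sections compliant" % len(sections)
    if crit.get("exclude"):
        hits = [ln for ln in lines if any(re.search(p, ln) for p in patterns)]
        return (not hits), ("no forbidden lines" if not hits else "found: " + "; ".join(hits))
    ok = _all_patterns_match(lines, patterns)
    return ok, ("all required lines present" if ok else "required line missing")


def audit(config_text, template):
    """Evaluate every criterion of every audit in the template against config_text."""
    lines = config_text.splitlines()
    results = {}
    for audit_name, criteria in template.items():
        for name, crit in criteria.items():
            passed, detail = check_criterion(lines, crit)
            results[name] = {"audit": audit_name, "passed": passed, "detail": detail,
                             "description": crit.get("description", "")}
    return results


def failed_report(results):
    """Only the failed criteria, mirroring the Qapp's Failed_Report tab."""
    return {k: v for k, v in results.items() if not v["passed"]}


if __name__ == "__main__":
    for name, r in audit(SAMPLE_CONFIG, TEMPLATE).items():
        print("%-4s %s (%s)" % ("PASS" if r["passed"] else "FAIL", name, r["detail"]))
```

Against the constructed config, the SNMP criterion fails because the public community string is present, the HTTP criterion passes because both "no ip http" lines are there, and the vty criterion fails only on "line vty 5 15", which still allows telnet; the detail string names the offending section so the remediation step described in "Wrapping up" knows where to look.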