Creating compliance definitions using a golden configuration

Use this procedure to create compliance definitions using a golden configuration.

About this task

Golden configuration definitions are based on modeled device configurations, similar to SmartModel definitions. However, for golden configuration definitions you select a golden device, and the definition's evaluations are then generated automatically from the modeled configuration of the golden device. Modeled definitions are all based on XPaths. XPath is a search mechanism used in XML that models an XML document as a tree of nodes.

A Golden compliance definition created based on one device's configuration may be used against devices that are modeled using a different device schema, as long as those schemas share the nodes included in the compliance definition. This also means that the scope of a compliance definition using a Device Golden configuration is not limited to the devices with the same VTMOS as the device in the compliance definition.

Only evaluations originating from specially marked regex fields in the golden configuration will be presented in the compliance definition GUI.

Automatically generated evaluations presented in the GUI can be edited and deleted like any manually created evaluation.

You can add evaluations (just as with SmartModel definitions), which will not override automatically generated evaluations, but rather be executed in addition to the automatic evaluations.

Automatically generated evaluations have the following test criteria by default:
  • Test Condition: Present in config
  • Match Criteria: Match All
  • Evaluation result if context not found: Fail

Automatically generated evaluations have the same default variable details as seen in the GUI when creating an evaluation, except in the case where a Regex has been specified in the golden configuration. In such a case the XPath function value will be ‘matches’.

When an '@@@(valid value)P@' Regex has been specified for an argument in the golden configuration, the evaluation will be marked as overridden, and will therefore be handled as an overridden evaluation in the GUI.
Note: The Regex will appear as '@@@P@' in the SmartModel XML configuration.
Automatically generated evaluations will not have parameters by default. If you add or update an evaluation to contain parameters, note the following information:
  • Parameters defined in modeled definitions will automatically be passed to remedial actions, if configured to do so.
  • Parameters passed to remedial actions can be viewed in the Remedial queue under the 'parameters' column.
  • Parameters defined in remedial command sets need to have the same name as parameters defined in remedial command sets in Netcool Configuration Manager - Base.
  • Placing a parameter inside another parameter is not supported.
Tip: You can copy an existing definition and modify some of its components to create a new definition.

Procedure

  1. Click Create > Compliance Definition.
    The Create a Definition window is displayed.
  2. Enter a Name to identify the compliance definition. The maximum number of characters for the name is 255.
    This is a mandatory field.
  3. Enter a brief Description that will be attached to the compliance definition to explain its function and use.
    The maximum number of characters is 4000.
    Note: For version control, a Revision number is automatically assigned and initially given a value of one. Each time the compliance definition is edited, the revision number increments. The revision changes only if the entity is active.
  4. Use the following Select definition type information as a guide to create the required types of compliance definitions:
    Option: Description
    Create compliance definition using CLI configuration lines: Select this definition type if you want to define a compliance definition with a native definition that uses a stored configuration. Selecting this option causes the Enter Native Definition Details (CLI configuration lines) window to display.
    Create compliance definition using Native Commands: Select this definition type if you want to define a compliance definition with native commands. Selecting this option causes the Enter Native Definition Details (Native Commands) window to display.
    Create compliance definition using a Device Model: Select this definition type if you want to define a compliance definition with a modeled definition. Selecting this option causes the Enter Modeled Definition Details window to display.
    Create compliance definition using a Script: Select this definition type if you want to define a compliance definition with a script. Selecting this option causes the Enter Script-Based Definition Details window to display.
    Create compliance definition using a Golden Configuration: Select this definition type if you want to define a compliance definition using a device’s golden configuration as a template for automatically generating evaluations. Selecting this option causes the Select a golden device window to display.
    Note: You can navigate using the Prev, Next, Finish, and Cancel buttons.
  5. Select Create compliance definition using a Golden Configuration, and then click Next.
    The Select a Golden Device window displays.
  6. Choose a golden device either by selecting a realm, or by selecting a VTMOS combination, and then click Next.
    The Modify Golden Config Evaluations window is displayed.
  7. If the evaluations automatically generated from the golden configuration are sufficient, click Next. Otherwise, use the following information to modify them:
    Option: Description
    Modeled Definition:
      Direct XPath
        Most commonly used in a simple definition, where only one logical entity is being searched for. If the entity is not unique, or there is more than one node, only the first occurrence of the entity being searched for will be tested. The schema should be chosen using the node navigation tree.
      Contextual XPath
        Can be used to test all nodes of a certain type, for example to test all FastEthernet interfaces, where the context becomes FastEthernet. The context should be chosen using the node navigation tree in the left-hand window pane. Once the context of the validation has been set, the nodes that will be validated within this context must be selected in the right-hand pane.
    XPath: Will be populated with the schema path chosen.
    Add Evaluation: This button invokes the wizard for adding a modeled definition evaluation.
    Evaluation List: Lists all XPaths alongside test conditions and match criteria. Contains the same Evaluation list columns as described in the Test window below.
    Evaluation List Criteria: Use the following:
      Match All
        Match All evaluations added to the Compliance Definition.
      Match Any
        Match Any of the evaluations added to the Compliance Definition.
      Match None
        Match None of the evaluations added must be found in the Device Configuration.
      Match One
        Match only one of the evaluations added to the Definition. If more than one of the evaluations are matched, the match fails.
      Match Exactly
        Identically match all evaluations added to the definition, including the number of evaluations selected.
      Match Specific Number
        Matches a specific number of evaluations as defined by the user. For example, Match 2 out of the 6 evaluations listed. This choice activates an integer field called Specific Number.
    Number: Activated when the Match Specific Number is chosen. An integer must be entered here.
    Manual Override: Allows the XPath to be overridden through a process of manually altering the Context/Defined XPath.
    Manual Override window elements: Click Manual Override to display the Manual Override window with the following fields:
      Context XPath
        This field is populated when a Context XPath has been specified. It is the initial part of the overall XPath and is used as a search criterion. It can result in multiple hits in the target configuration.
      Context Nodes
        XML child nodes of the context XPath whose values will be output in the evaluation results when the context XPath gets a hit.
      Defined XPath
        This field is always populated. It can be a complete XPath, or just the last part of an XPath (if a Context XPath has been specified).
        If Context XPath has been specified, the defined XPath will be the last part of the XPath and will be applied to the child node(s) XML tree for each hit of the contextual XPath.
        If Context XPath has not been specified, the defined XPath will be the complete XPath and will be applied to the complete configuration XML tree.

    Update, Edit, Delete: Updates the screen, edits or deletes the current selection.
    Test: The definition test button is enabled when editing or creating a definition, but not when opening a definition. It is only available for modeled, golden and native definitions, but not scripts. You use the definition test functionality to execute a definition against all open tabs, and view the results. You can view results in the evaluation list either in detail, or as a summary.
    Definition Test window elements: When you click Test, the Definition Test window is displayed. It resembles the Regex Tool window.
    When you import definitions from a device, the type of definition you are creating determines what content is imported from the device:
      For modeled and golden configuration definitions
        Imports the XML configuration from the device.
      For native CLI definitions
        Imports the CLI configuration for the device.
      For native commands definitions
        Imports the show commands from the device into the text area in the tab.
    Warning: Importing a text file from a file with an xml extension may result in an error when you execute the test.
    Tabs: You can add as many tabs as your memory allows. The definition is applied to each tab and the results are flagged on the tabs.
      Green flag
        Passed
      Red flag
        Failed
      Yellow flag
        Not assessed
    Evaluation list: Results are displayed in the Evaluation list under a number of columns.
      ContextXpath
        This field is populated when a Context XPath has been specified. It is the initial part of the overall XPath and is used as a search criterion. It can result in multiple hits in the target configuration.
      DefinedXpath
        This field is always populated. It can be a complete XPath, or just the last part of an XPath (if a Context XPath has been specified).
        If Context XPath has been specified, the defined XPath will be the last part of the XPath and will be applied to the child node(s) XML tree for each hit of the contextual XPath.
        If Context XPath has not been specified, the defined XPath will be the complete XPath and will be applied to the complete configuration XML tree.
      Test Condition
        The values as described in the test condition section further on.
      Match Criteria
        The criteria used to match the device configuration: Match All, Match Any, None, One, Exactly, Specific Number.
      Match Criteria Argument
        This is the same as Number.
        Only available on group parameters and extractions. Same as Match Specific Number.
      ContextOveride / DefinedOveride / Override Enabled
        If Overridden is ‘true’, then the ContextOveride and DefinedOveride columns contain the override values.
      Context Informational Nodes
        The context nodes that have been defined.
      Default Result
        The default result is the value defined in the Evaluation Result if Context not found option, that is, one of Fail, Pass, Not Assessed, and Not Applicable.
        You can choose the result that you wish to receive if the context is not found. The options again are Fail, Pass, Not Assessed, or Not Applicable.
        Note: If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example you may have two Not Applicable results and one Pass, or all Not Applicable, yet the overall result will be Pass.
      Result
        Green text = Pass
        Red text = Fail
        Yellow text = Not Assessed/Not Applicable
        Blue text = Error
    Restriction: Script parameters and extractions are not supported. If any are found in the evaluation they will not be assessed during the test, and the overall definition result will be not assessed.
    Note: You can toggle between Details and Summary mode to select the level of detail displayed in the test results. When in Summary mode, you can click on each evaluation to display detailed results.
    Clear all, Test, Close:
      Clear all clears the results from the Evaluation List and tabs.
      Click Test to run the test.
      Close closes the Definition Test window.
    Note: The test tabs are only available when the window is open. The File, Edit, Mode, and Tabs options are also available from the menu bar.
    Note: You can navigate using the Prev, Next, Finish, and Cancel buttons.
  8. If you chose to click the Add Evaluation button, the Add Modeled Definition Evaluation window displays. Here you can define the command parameters using the following descriptions as a guide.
    Option: Description
    Node: The node chosen for the modeled definition.
    Node description: The description of the logical entity and name of the node selected are automatically populated here. This information is retrieved from the device schema based on the XPath defined in the previous step and cannot be changed.
    XPath Function: The following syntax is associated with an XPath Function:
      =
        Equal to
      !=
        Not equal to
      >
        Greater than
      >=
        Greater than or equal to
      <
        Less than
      <=
        Less than or equal to
      Matches
        Allows Regex to be entered.
      Contains
        Indicates that the specified argument is contained in the string.
      Starts-with
        The string starts with the specified argument.
      Ends-with
        The string ends with the specified argument.
    Argument: The value you want to search on specifically. This can be left empty to find all.
    Show CLI Text Boxes: When selected this will show un-modeled commands. Normally the node will be ARG.999.
    Parameters: This is an optional field. This field provides a drop-down list for the type of parameter you want. There is also an Insert Parameter button used to insert the parameter.
    Note: Placing a parameter inside another parameter is not supported.
    Note: When an argument in the Argument List is selected, the Argument Details in the lower section of the screen is populated. If changes are required to the Argument Details, they can be made at this point. Select Update to save amendments to the argument.
  9. Click Next to continue to the Enter test condition window. The test conditions are used to decide whether you want to test for the presence or absence of the CLI, or in the case of some Cisco commands, to check for the presence of the no form of the command (for example, no ip http server).
  10. Use the following descriptions as a guide to the fields displayed in the Enter test condition window.
    Option: Description
    Test Condition: Specifies one of the following test conditions that you can select from the dropdown list:
      Present in Config
        Searches to locate the test condition in the configuration.
      Not Present in Config
        Searches to ensure that the test condition does not appear in the configuration.
      Present and Disabled in Config
        Searches to locate the test condition in the configuration. However, contrary to the Present in Config condition, this search looks for conditions in the configuration that are present but disabled. For example, in most Cisco devices entities are prefixed by 'no' if they are disabled but present, as in 'no ip proxy-arp' or 'no ip bootp server'.
    Match Criteria: The following table describes the Match Criteria syntax:
      Match All
        Match All hits in the target device configuration. For example, if a contextual XPath gets 3 hits in a target device configuration, each hit must satisfy the defined XPath, or the match will fail.
      Match Any
        Match any of the hits in the target device configuration.
      Match None
        Match none of the hits in the target device configuration.
      Match One
        Match any of the hits in the target device configuration. If more than one are matched, the match fails.
      Match Exactly
        Identically match all hits in the target device configuration.
      Match Specific Number
        Matches a specific number of hits in the target device configuration as defined by the user. For example, Match 2 out of the 6 hits listed. This choice activates an integer field called Specific Number.
    Specific Number: This is activated when the Match Specific Number is chosen. An integer must be entered here.
    Evaluation result if context not found: Specifies the result to receive if the context is not found. The options are: Fail, Pass, Not Assessed, and Not Applicable.
      If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example, you may have two Not Applicable results and one Pass, or all Not Applicable, and yet the overall result will be Pass.

  11. Click Finish to complete the Modeled Definition Evaluation, and display the Enter Modeled Definition Details window.
  12. Click Next to continue to the Choose a Save Location window.
  13. Navigate through the tree structure, and choose the location to which you want to save the Compliance Definition. Alternatively, you can create a new folder from here if required.
  14. Click Finish to complete the creation of the Compliance Definition.

What to do next

You can create another Compliance Definition using a device model, by following the instructions in this procedure.