Compliance in Configuration Management
Automate the evaluation of network device configurations against industry standards and internal policies using the Compliance feature. It helps ensure regulatory compliance, reduce security risks, and support operational best practices.
Compliance is based on three components:
- Rules – Defined using Rego, a high-level, declarative policy language used by the Open Policy Agent (OPA). Rules specify whether a device's configuration file should or should not contain specific patterns or blocks.
- Policies – Collections of related rules designed for a specific purpose, such as targeting a particular vendor or use case. Each policy is assigned to one or more network devices.
- Assessments – Reports that summarize the evaluation results of applied policies and rules across devices.
SolarWinds Observability SaaS includes a set of built-in assessments, policies, and rules.
To access compliance information, go to Network > Compliance in SolarWinds Observability SaaS.
Create rules
Rules describe what should or should not be found in configuration files. If a rule is not met, the violation appears on the Assessment details page with the specified severity level.
- In SolarWinds Observability SaaS, click Network > Compliance.
- Click the Rules tab to access a list of already created rules.
  Built-in rules cannot be modified.
- Click Create rule to open the wizard.
- Provide the rule details:
  - Enter a name for the rule.
  - Select a category to save the new rule in.
    To create a new category, type a name into the Rule Category combo box.
  - Select the severity level for the rule: Info, Warning, or Critical.
  - Optionally, enter a description to explain the rule's purpose.
- Adjust the Rego definition of the rule. See Use Rego for defining compliance rules.
- Review the summary and submit the rule. The new rule appears in the rules list.
Use Rego for defining compliance rules
Rule definitions are based on the Open Policy Agent (OPA) and its policy language, Rego. See OPA Introduction and Policy Language for details.
Rule structure
Rules evaluate the content of a configuration file. Rules must not access external resources, for example by making HTTP requests.
Each rule must follow a specific structure and include the required elements:
- Package declaration: Each rule must begin with a `package __RULE__` declaration.
- Outputs:
  - passing – Indicates whether the rule passed.
  - details.findings – Provides context for the rule's result, such as matched patterns and line numbers.
  - details.blocks – Identifies the configuration blocks the result relates to; in the example rule below, each entry records the start and end lines of a violating block. Standard OPA functions and the additional helpers listed under Rule functions can be used to compute these outputs.
  - error (optional) – You can define an error state for specific results produced by the evaluation condition. See Policy Language for details.
Example rule
```rego
package __RULE__

import rego.v1

default passing := false

passing if {
    count(blocks) > 0
    every i, _ in blocks {
        passings.blocks[i]
    }
}

details.findings contains findings.patterns[_].blocks[i] if not passings.blocks[i]

details.blocks[i] := {"start": blocks[i].start, "end": blocks[i].end} if not passings.blocks[i]

blocks := config.split(input.config, `ip vrf CUST1`, `!`)

passings.patterns[0].blocks[i] if findings.patterns[0].blocks[i].line >= 0

findings.patterns[0].blocks[i] := {"type": "contains", "pattern": pattern, "block": i, "line": line} if {
    pattern := `rd 13:13`
    line := config.find_line(blocks[i].content, pattern)
}

passings.patterns[1].blocks[i] if findings.patterns[1].blocks[i].line >= 0

findings.patterns[1].blocks[i] := {"type": "contains", "pattern": pattern, "block": i, "line": line} if {
    pattern := `route-target export 13:13`
    line := config.find_line(blocks[i].content, pattern)
}

passings.patterns[2].blocks[i] if findings.patterns[2].blocks[i].line >= 0

findings.patterns[2].blocks[i] := {"type": "contains", "pattern": pattern, "block": i, "line": line} if {
    pattern := `route-target import 13:13`
    line := config.find_line(blocks[i].content, pattern)
}

# passing if patterns[0] AND patterns[1] AND patterns[2]
passings.blocks[i] if {
    passings.patterns[0].blocks[i]
    passings.patterns[1].blocks[i]
    passings.patterns[2].blocks[i]
}
```
Example rule output
Blocks or findings identified during the evaluation process are highlighted in the Rule Evaluation Details panel.
```jsonc
"details": {
    "blocks": [
        { "end": 32, "start": 30 },
        { "end": 34, "start": 32 }
    ],
    "findings": [
        { "block": 0, "line": 31, "pattern": "route-target export 13:13" },
        { "block": 1, "line": 33, "pattern": "route-target export 13:13" },
        { "line": 40, "pattern": "rd 13:13" } // this pattern was found outside of a block
    ]
}
```
Rule functions
You can use all standard functions as defined in the OPA. See Built-in Functions in the OPA documentation.
Functions that attempt to use external inputs, such as HTTP requests, are not permitted.
Additional built-in functions
| Function | Description |
|---|---|
| config.split(content, start_pattern, end_pattern) | Splits the configuration into blocks based on start and end patterns. The start pattern is inclusive; the end pattern is exclusive. |
| config.split_regex(content, start_pattern, end_pattern) | Same as config.split, but uses regular expressions for pattern matching. |
| config.find_line(content, pattern) | Finds the first line in the content that contains the specified pattern. |
| config.find_line_regex(content, pattern) | Finds the first line in the content that matches the specified regular expression. |
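The following rule is an added example written for this page; it is not one of the built-in SolarWinds rules and not the page's own example. It exercises the rule structure described above together with the helper functions in the table: a per-block requirement (every `line vty` block must set `transport input ssh`, found with config.split_regex and config.find_line) and a whole-file prohibition (the plaintext HTTP server and disabled password encryption must not be configured, found with config.find_line_regex). It assumes the documented input and helpers (input.config, config.split_regex, config.find_line, config.find_line_regex), that a helper returns a line number below 0 when nothing matches (inferred from the `line >= 0` test in the page's example rule), that `^` anchors apply to each line individually, and the block boundaries and forbidden patterns are constructed for the illustration.

```rego
package __RULE__

import rego.v1

# Added example, not the page's or SolarWinds' own rule. Checks that every
# "line vty" block allows SSH-only transport and that the configuration as a
# whole does not enable the plaintext HTTP server or turn off password
# encryption. Helper semantics follow the page's table; the "below 0 means not
# found" convention is inferred from the page's example rule.

default passing := false

# Assumed block boundaries: a VTY block starts at "line vty ..." and ends at the
# next "line ..." or "!" separator (start inclusive, end exclusive, as documented).
vty_blocks := config.split_regex(input.config, `^line vty`, `^(line |!)`)

# Required within every VTY block.
required_in_block := `transport input ssh`

# Forbidden anywhere in the configuration (constructed list; "^" assumes the
# helper matches one line at a time).
forbidden := {
    `^ip http server`,
    `^no service password-encryption`,
}

# Per-block findings: a VTY block that lacks the required line.
findings.blocks[i] := {"type": "missing", "pattern": required_in_block, "block": i} if {
    some i, _ in vty_blocks
    config.find_line(vty_blocks[i].content, required_in_block) < 0
}

# Global findings: a forbidden pattern that is present, with the line it was found on.
findings.global[p] := {"type": "must_not_contain", "pattern": p, "line": line} if {
    some p in forbidden
    line := config.find_line_regex(input.config, p)
    line >= 0
}

# Report every finding so it appears on the Findings tab.
details.findings contains f if some f in findings.blocks
details.findings contains f if some f in findings.global

# Highlight only the VTY blocks that produced a finding.
details.blocks[i] := {"start": vty_blocks[i].start, "end": vty_blocks[i].end} if {
    findings.blocks[i]
}

# A device passes only when at least one VTY block exists and nothing was flagged.
passing if {
    count(vty_blocks) > 0
    count(details.findings) == 0
}
```

Because the two kinds of findings are kept in separate partial rules, a missing `transport input ssh` line is reported with its block index (and the block is highlighted in the Configuration tab), while a forbidden global pattern is reported with its line number only, mirroring the shape of the example output above.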
Create policies
Built-in policies cannot be modified. You can only change the network devices they are assigned to.
- In SolarWinds Observability SaaS, click Network > Compliance.
- Click the Policies tab to view existing policies.
- Click Create policy to open the wizard.
- Provide the policy details:
  - Enter a name.
  - Select a category where the new policy should be saved.
    To create a new category, type a name into the Policy Category combo box.
  - Optionally, select the Configuration Type you want to apply the policy on: Any, Running, or Startup.
  - Optionally, enter a description to remember why the policy was created.
- Select rules to be included in the policy.
- Select network devices you want to assign the policy to.
  Only network devices with enabled configuration management are listed.
  - All network devices – Apply the policy to all network devices.
  - Select network devices – Select specific network devices.
  - Dynamic selection – Use a query to specify network devices for the policy.
    For example, to apply the policy on all Cisco network devices, type `vendor:Cisco` into the box and click Search.
- Review the summary and submit the new policy. The policy will appear in the list.
Create assessments
Built-in assessments cannot be modified or deleted.
- In SolarWinds Observability SaaS, click Network > Compliance.
- The Assessments tab lists all already created assessments.
- Click Create Assessment to open the wizard.
- Provide the assessment details:
  - Enter a name.
  - Select a category to save the assessment in.
    To create a new category, type a name into the Assessment Category combo box.
  - Optionally, enter a description to explain the assessment's purpose.
- Select policies to be included in the assessment.
- Review the summary and submit the new assessment. The assessment will appear in the list.
Review assessment results
- In SolarWinds Observability SaaS, click Network > Compliance. The Assessments tab lists all already created assessments.
- Select an assessment name to view its results.
  The screen displays the results of all evaluated rules assigned to network devices. You can group the results by network devices (default) or by policies.
Rule evaluation statuses
- Passing – The rule was evaluated and no violations were found.
- Violating – A rule definition was violated. The severity (Critical, Warning, or Info) is displayed next to the status.
- Unknown – A problem occurred and the rule result could not be determined.
To view rule evaluation details:
- Click an item in the results to open the Inspector Panel.
- Review the tabs:
  - Findings – Lists all findings from the assessment.
  - Configuration – Displays the configuration file with highlighted findings.
  - Definition – Shows the Rego definition to help identify the issue.
Edit assessments
- In SolarWinds Observability SaaS, click Network > Compliance. The Assessments tab lists all already created assessments.
- Click the vertical ellipsis for an assessment and select what you want to do with the assessment:
  - Disable
  - Evaluate
  - Edit
  - Duplicate
  - Delete
You can also access these actions from the vertical ellipsis for individual assessment results.