Documentation for SolarWinds Observability SaaS

Compliance in Configuration Management

Automate the evaluation of network device configurations against industry standards and internal policies using the Compliance feature. It helps ensure regulatory compliance, reduce security risks, and support operational best practices.

Compliance details are displayed only for "NCM nodes". If the Compliance tab displays no Compliance details for a node, log in to the web console for your Network Collector or Platform-connected SolarWinds Observability Self-Hosted and ensure that the node is an "NCM node". See Set up configuration monitoring (Network Collector) or Add nodes as NCM nodes.

Compliance is based on three components:

  • Rules – Defined using Rego, a high-level, declarative policy language used by the Open Policy Agent (OPA). Rules specify whether a device’s configuration file should or should not contain specific patterns or blocks.

  • Policies – Collections of related rules designed for a specific purpose, such as targeting a particular vendor or use case. Each policy is assigned to one or more network devices.

  • Assessments – Reports that summarize the evaluation results of applied policies and rules across devices.

SolarWinds Observability SaaS includes a set of built-in assessments, policies, and rules.

Data Retention

Evaluation results are kept for 30 days and then automatically deleted. Assessment configurations, policies, and rules are kept indefinitely.

To permanently delete all evaluation results, assessments, policies, and rules, request your data to be deleted. Contact SolarWinds support.

To access compliance information, go to Network > Compliance in SolarWinds Observability SaaS.

Create rules

Rules describe what should or should not be found in configuration files. If a rule fails, the violation appears on the Assessment details page, including the specified severity level.

  1. In SolarWinds Observability SaaS, click Network > Compliance.

  2. Click the Rules tab to access a list of already created rules.

    Built-in rules cannot be modified.

  3. Click Create rule to open the wizard.

  4. Provide the rule details:

    1. Enter a name for the rule.

    2. Select a category to save the new rule in.

      To create a new category, type a name into the Rule Category combo box.

    3. Select the severity level for the rule - Info, Warning, or Critical.

    4. Optionally, you can enter a description to explain the rule's purpose.

  5. Adjust the Rego definition of the rule. See Use Rego for defining compliance rules.

  6. Add optional remediation steps. These steps provide a hint on how to address compliance on the device violating the rule.

  7. Review the summary and submit the rule. The new rule appears in the rules list.

Use Rego for defining compliance rules

Rule definitions are based on the Open Policy Agent (OPA) and its policy language, Rego. See OPA Introduction and Policy Language for details.

Rule structure

Rules evaluate the content of a configuration file. Rules must not access external resources, for example through HTTP requests.

Each rule must follow a specific structure and include required elements:

  • Package declaration: Each rule must begin with a package __RULE__ declaration.

  • Outputs:

    • passing – Indicates whether the rule passed.

    • details.findings – Provides context for the rule’s result, such as matched patterns and line numbers.

    • details.blocks – Use standard functions as defined by OPA. See Rule functions.

    • error (optional) – You can define an error state for specific results produced by the evaluation condition. See Policy Language for details.

Example rule

package __RULE__

import rego.v1

default passing := false

passing if {
    count(blocks) > 0
    every i, _ in blocks { passings.blocks[i] }
}

details.findings contains findings.patterns[_].blocks[i] if not passings.blocks[i]
details.blocks[i] := {"start": blocks[i].start, "end": blocks[i].end} if not passings.blocks[i]

blocks := config.split(input.config, `ip vrf CUST1`, `!`)

passings.patterns[0].blocks[i] if findings.patterns[0].blocks[i].line >= 0
findings.patterns[0].blocks[i] := {"type": "contains", "pattern": pattern, "block": i, "line": line} if {
    pattern := `rd 13:13`
    line := config.find_line(blocks[i].content, pattern)
}

passings.patterns[1].blocks[i] if findings.patterns[1].blocks[i].line >= 0
findings.patterns[1].blocks[i] := {"type": "contains", "pattern": pattern, "block": i, "line": line} if {
    pattern := `route-target export 13:13`
    line := config.find_line(blocks[i].content, pattern)
}

passings.patterns[2].blocks[i] if findings.patterns[2].blocks[i].line >= 0
findings.patterns[2].blocks[i] := {"type": "contains", "pattern": pattern, "block": i, "line": line} if {
    pattern := `route-target import 13:13`
    line := config.find_line(blocks[i].content, pattern)
}

passings.blocks[i] if {
    passings.patterns[0].blocks[i]
    passings.patterns[1].blocks[i]
    passings.patterns[2].blocks[i]
}

# passing if patterns[0] AND patterns[1] AND patterns[2]

Example rule output

Blocks or findings identified during the evaluation process are highlighted in the Rule Evaluation Details panel.

"details": {
        "blocks": [
          {
            "end": 32,
            "start": 30
          },
          {
            "end": 34,
            "start": 32
          },
        ],
        "findings": [
          {
            "block": 0,
            "line": 31,
            "pattern": "route-target export 13:13"
          },
          {
            "block": 1,
            "line": 33,
            "pattern": "route-target export 13:13"
          },
          { 
            "line": 40, // this pattern was found outside of block
            "pattern": "rd 13:13"
          },
      ]
}

Rule functions

You can use all standard functions as defined in the OPA. See Built-in Functions in the OPA documentation.

Functions that attempt to use external inputs, such as HTTP requests, are not permitted.

Additional built-in functions

Function – Description

  • config.split(content, start_pattern, end_pattern) – Splits configuration into blocks based on start and end patterns. The start pattern is inclusive; the end pattern is exclusive.

  • config.split_regex(content, start_pattern, end_pattern) – Same as config.split, but uses regular expressions for pattern matching.

  • config.find_line(content, pattern) – Finds the first line in the content that contains the specified pattern.

  • config.find_line_regex(content, pattern) – Finds the first line in the content that matches the specified regular expression.
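The example rule above covers the "should contain" case. The following added example (not SolarWinds code) sketches the "should not contain" case with the same required outputs, using only config.split and config.find_line. It assumes, based on the `>= 0` check in the example rule, that config.find_line returns a negative value when nothing matches; the `line vty` scenario and the forbidden patterns are constructed for illustration.

```rego
package __RULE__

import rego.v1

default passing := false

# Constructed scenario: no `line vty` block may permit Telnet access.
forbidden := [
    `transport input telnet`,
    `transport input all`,
]

# Start pattern is inclusive, end pattern is exclusive (see the function list above).
blocks := config.split(input.config, `line vty`, `!`)

# One violation per (block, forbidden pattern) pair that is present.
# The finding keys are copied from the example rule on this page.
violations contains {"type": "contains", "pattern": pattern, "block": i, "line": line} if {
    some i, block in blocks
    some pattern in forbidden
    line := config.find_line(block.content, pattern)
    line >= 0 # assumption: a negative result means "pattern not found"
}

# As in the example rule, a device with no matching block does not pass.
passing if {
    count(blocks) > 0
    count(violations) == 0
}

# Report every violation and the block it was found in.
details.findings contains v if {
    some v in violations
}

details.blocks[i] := {"start": blocks[i].start, "end": blocks[i].end} if {
    some v in violations
    i := v.block
}
```

Whether a device without any `line vty` block should count as passing is a policy decision; remove the `count(blocks) > 0` condition if absence of the block is acceptable.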

Create policies

Built-in policies cannot be modified. You can only change the network devices they are assigned to.

  1. In SolarWinds Observability SaaS, click Network > Compliance.

  2. Click the Policies tab to view existing policies.

  3. Click Create policy to open the wizard.

  4. Provide the policy details:

    1. Enter a name.

    2. Select a category where the new policy should be saved.

      To create a new category, type a name into the Policy Category combo box.

    3. Optionally, you can select the Configuration Type you want to apply the policy on - Any, Running, or Startup.

    4. Optionally, you can enter a description to remember why the policy was created.

  5. Select rules to be included in the policy.

  6. Select network devices you want to assign the policy to.

    Only network devices with enabled configuration management are listed.

    • All network devices – Apply the policy to all NCM nodes.

    • Select network devices – Select specific network devices.

    • Dynamic selection – Use a query to specify network devices for the policy.

      For example, to apply the policy on all Cisco network devices, type vendor:Cisco into the box and click Search.

  7. Review the summary and submit the new policy. The policy will appear in the list.

Create assessments

Built-in assessments cannot be modified or deleted.

  1. In SolarWinds Observability SaaS, click Network > Compliance.

  2. The Assessments tab lists all already created assessments.

  3. Click Create Assessment to open the wizard.

  4. Provide the assessment details:

    1. Enter a name.

    2. Select a category to save the assessment in.

      To create a new category, type a name into the Assessment Category combo box.

    3. Optionally, you can enter a description to explain the assessment's purpose.

  5. Select policies to be included in the assessment.

  6. Review the summary and submit the new assessment. The assessment will appear in the list.

View the compliance overview

Review assessment results for all NCM nodes in your environment.

  1. In SolarWinds Observability SaaS, click Network > Compliance.

  2. Review the summary widgets:

    1. Rule Evaluation Summary - results summary based on the evaluation outcome

    2. Rule Violations by Severity - severity distribution of violating rules

    3. Network Devices Affected - percentage of non-compliant devices

  3. Review the Top 10 widgets for device-level details.

    1. Click a row with the device to view the device details in the Inspector Panel.

    2. Click a device name to open the Compliance overview for the device.

  4. Review the Top 10 policies widgets to see compliance results grouped by policies. Click a policy row to display the policy details in the Inspector Panel.

View compliance for a device

Compliance details are only available for "NCM nodes".

  1. In SolarWinds Observability SaaS, go to a network device details view.

  2. Click the Compliance tab and review:

    • Rule Evaluation Summary

    • Rule Violations by Severity

    • Policies and rules relevant for the device.

      • Use the Group by drop-down to change the view.

      • Click an item in the table to see more details.

View results for individual assessments

Assessments run automatically when created, edited, updated with new configurations, or manually re-evaluated.

  1. In SolarWinds Observability SaaS, click Network > Compliance, and then open the Assessments tab.

  2. Click an assessment row to see the Inspector Panel with the assessment name, category, and policies.

  3. Click an assessment name to view its results. Review the assessment status, last evaluated timestamp, assessment category, and description.

  4. On the assessment details view, you can switch between network devices and policies.

    • List of network devices: By default, results are grouped by network devices included in the assessment. Expand a device to see results of individual rules.

    • List of policies: To group results by policies, select Group by: Policies in the search area. The page now displays a list of policies in the assessment, with the summary of rules grouped by their status. Expand a policy to see the list of rules and the rule status on each device.

Rule statuses

  • Passing – No violations found during the evaluation.

  • Violating – A rule was violated. The severity (Critical, Warning, or Info) is displayed next to the status.

  • Unknown – A problem occurred and the rule result could not be determined.

View rule evaluation details

  1. Click a rule to open results in the Inspector Panel.

  2. Review the tabs:

    • Findings – Lists all findings from the assessment. Click a finding to display the relevant configuration line or block in the Configuration tab.

    • Configuration – Displays the configuration file with highlighted findings.

    • Definition – Shows the Rego definition to help identify the issue.

    • Remediation – Shows remediation if defined for the rule.

Edit assessments

  1. In SolarWinds Observability SaaS, click Network > Compliance and open the Assessments tab.

  2. Click the vertical ellipses for an assessment and select what you want to do with the assessment:

    • Disable: Disables the assessment.

    • Evaluate: Starts the evaluation.

    • Edit: Launches the wizard. Make your changes and complete the wizard.

    • Duplicate: Opens a copy of the assessment in the wizard. Adjust the assessment and complete the wizard.

    • Delete: Deletes the assessment.

  3. Available actions depend on the assessment type (built-in or custom) and on user permissions.