
Suppose you are using NQE queries to validate that your networking devices follow certain configuration benchmarks. You have an individual query for each benchmark, but you would also like a summary query that shows how each device in the network performs against every check. Here is how you can combine them.

Below are two separate NQE queries that validate that the password policies on Cisco ASA devices require a minimum number of numbers and a minimum number of special characters, respectively.

In each query, we define a function using the export command that takes a Device as its parameter (export minNumber(device: Device)). Then we call that function later in the same query with minNumber(device). This allows the query to be run on its own or as part of another query.

We save the two queries as min-numeric and min-special, respectively.

min-numeric:

pattern = ```
password-policy minimum-numeric {minNum:number}
```;

checkPattern(config) = (max(blockMatches(config, pattern)))?.data?.minNum >= 1;

export minNumber(device: Device) =
  foreach x in [0]
  select {
    device: device.name,
    os: device.platform.os,
    violation: !checkPattern(device.files.config)
  };

foreach device in network.devices
where device.platform.os == OS.ASA
foreach record in minNumber(device)
select record

min-special:

pattern = ```
password-policy minimum-special {minSpecial:number}
```;

checkPattern(config) = (max(blockMatches(config, pattern)))?.data?.minSpecial >= 1;

export minSpecial(device: Device) =
  foreach x in [0]
  select {
    device: device.name,
    os: device.platform.os,
    violation: !checkPattern(device.files.config)
  };

foreach device in network.devices
where device.platform.os == OS.ASA
foreach record in minSpecial(device)
select record

Once we commit the changes, we click on the (i) next to each query and copy its import statement.

We paste the import statements for both queries into a new query.

import "Christopher/min-numeric";
import "Christopher/min-special";

foreach device in network.devices
where device.platform.os == OS.ASA
select {
device: device.name,
OS: device.platform.os,
"Numeric Check": max(minNumber(device)).violation,
"Special Check": max(minSpecial(device)).violation,
}

We can see the results of both the minNumber and minSpecial functions in this one query. In the example below, all three Cisco ASA devices in the network fail both of the configuration checks.
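The same composition pattern, rebuilt in Python as an added example (this is not NQE and not Forward Networks' code): each benchmark check is its own function that mirrors the NQE checkPattern logic, including the case where the password-policy line is absent entirely, and a summary function joins them into one row per device. The three ASA config snippets are constructed for the example.

```python
import re
from typing import Optional

# Constructed ASA config snippets for three devices (not real captures).
CONFIGS = {
    "asa-edge-1": "hostname asa-edge-1\npassword-policy minimum-length 8\npassword-policy minimum-numeric 0\n",
    "asa-edge-2": "hostname asa-edge-2\npassword-policy minimum-numeric 2\npassword-policy minimum-special 1\n",
    "asa-dc-1": "hostname asa-dc-1\n",  # no password-policy lines at all
}

def block_match(config: str, keyword: str) -> Optional[int]:
    """Emulates max(blockMatches(config, pattern))?.data?.<field>: returns the largest
    value found on a 'password-policy <keyword> N' line, or None if no line matches."""
    values = [int(m) for m in re.findall(rf"^password-policy {keyword} (\d+)\s*$", config, re.M)]
    return max(values) if values else None

def check_pattern(config: str, keyword: str, minimum: int = 1) -> bool:
    """True only when the policy line exists and meets the benchmark.
    A missing line fails the check, just as the null-safe ?. chain does in NQE."""
    value = block_match(config, keyword)
    return value is not None and value >= minimum

def min_number(name: str, config: str) -> dict:
    """Equivalent of the exported minNumber(device) function."""
    return {"device": name, "os": "ASA", "violation": not check_pattern(config, "minimum-numeric")}

def min_special(name: str, config: str) -> dict:
    """Equivalent of the exported minSpecial(device) function."""
    return {"device": name, "os": "ASA", "violation": not check_pattern(config, "minimum-special")}

def summary(configs: dict) -> list:
    """The combined query: one row per device with a column per benchmark check."""
    return [
        {"device": name, "OS": "ASA",
         "Numeric Check": min_number(name, cfg)["violation"],
         "Special Check": min_special(name, cfg)["violation"]}
        for name, cfg in configs.items()
    ]

if __name__ == "__main__":
    for row in summary(CONFIGS):
        print(row)
```

A device with no password-policy line at all shows up as a violation rather than being silently skipped, which is the behaviour you want from a benchmark summary.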
