Customize baseline configuration profiles

A baseline configuration compliance profile contains a set of commands to be run on the device upon analysis and the desired output for the commands, allowing you to determine the device's compliance with a certain basic configuration. In order for a device's report to include a baseline configuration compliance report page, a baseline configuration compliance profile must be specified for the device when defining the device in AFA. See Manage devices.

AFA includes a set of built-in baseline configuration compliance profiles suitable for all device brands which appear as options in the Baseline Configuration Compliance Profile drop-down list and in the /usr/share/fa/data/baseline_profiles/ directory.

If desired, you can create custom baseline compliance profiles.

Access baseline profiles configuration

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

    The Administration page appears, displaying the Options tab.

  3. Click the Compliance tab.

    The Compliance tab appears, displaying the Risk Profiles sub-tab.

  4. Click the Baseline Profiles sub-tab.

    A list of baseline profiles appears.

Back to top

Add a custom baseline configuration compliance profile

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Click New.

    The baseline profile form appears.

  3. Complete the fields using Example: Customize a baseline configuration compliance profile.

  4. Click Save.

The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Back to top

Duplicate a baseline configuration compliance profile

You can create a custom baseline configuration compliance profile by duplicating an existing baseline profile and editing the duplicate.

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select one of the baseline profiles.

  3. Click Duplicate.

    The baseline profile form appears with the values of the original profile.

  4. Edit the fields, as desired, using Example: Customize a baseline configuration compliance profile.

    Note: To prevent the creation of two baseline profiles with the same display name, change the Profile Name.

  5. Click Save.

    The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Back to top

Edit a baseline configuration compliance profile

You can create a custom baseline configuration compliance profile by editing an existing baseline profile.

Note: The original baseline profile will not be over-written, but it will not be available to use unless you delete the new custom baseline profile.

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select a baseline profile.

  3. Click Edit.

    The baseline profile form appears.

  4. Edit the fields using Example: Customize a baseline configuration compliance profile.

  5. Click Save.

    The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Back to top

Delete a custom baseline configuration compliance profile

Note: You can only delete custom baseline profiles. Custom baseline profiles are indicated with a in the Customized field.

Do the following:

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select one of the custom baseline profiles.

  3. Click Delete.

  4. Click OK.

Back to top

Example: Customize a baseline configuration compliance profile

The following is an example of adding an additional command and baseline requirement to an existing Cisco baseline profile.

  1. Access the Baseline Profile configuration area. For details, see Access baseline profiles configuration.

  2. Select a baseline profile.

    In this example, we selected the Cisco ACE Sample profile. The profile is highlighted in blue.

  3. Click Edit.

    The baseline profile form appears.

  4. To add a command to the profile:

    1. Click Commands (CommandDef).

      The Commands area is highlighted in blue.

    2. In the Add Subelement menu on the right side of the workspace, click Command.

      An additional Command window appears in the profile.

      Note: You can click X at anytime to remove a Top Element, Subelement, or Attribute from the profile.

  5. In the Add Attribute menu on the right side of the workspace, click attributes to add to the command. Available options are id (Command ID), name (Command Name), and cmd (Command Syntax). For details, see Command.

  6. Fill in attribute fields.

    Note: The Command ID must be unique.

  7. To add a baseline requirement to the profile:

    In the Add Top Element menu on the right side of the workspace, click BaselineRequirement.

    A additional Baseline Requirement window appears in the profile.

  8. In the Add Subelement menu on the right side of the workspace, you can add the following subelements in hierarchical order:

    • Command
    • Criterion
    • Line (Item)

    For more details, see Tag Reference,

  9. Click Add Attribute to add attributes to the baseline requirement or any of the subelements.

  10. Fill in attribute fields.

    Note: The Command ID must be unique.

  11. Click Save.

Tag Reference

This reference describes the use of each tag in the baseline configuration compliance profile. The tags are listed in the same order as they appear in the file.

Tag syntax is presented as follows:

  • All parameters are presented in italics.
  • All optional elements of the tag appear in square brackets [ ].

Syntax

BaselineProfile brand_id="id" display_name="name"

Description

This is the main tag for the baseline compliance profile, and it identifies the profile.

Parameters

brand_id

String. The brand ID of the device brand relevant to the baseline configuration compliance report.

The brand_id for each device brand is configured in the brand's brand_config.xml file in /usr/share/fa/data/plugins/brand_name. See the Id parameter in the DEVICE tag.

display_name

String. The name of the baseline configuration compliance profile.

The name will appear at the head of the Baseline Configuration Compliance Report.

Subtags

Example

The following example describes a baseline profile for a Cisco ASA device with the name "Cisco ASA".

BaselineProfile brand_id="asa" display_name="Cisco ASA"

SyntaxCommandsDefDescription

This tag specifies the sequence of commands that AFA should run on the device during analysis.

Parameters

None.

Subtags

Syntax

BaselineRequirement name="name" id="id"

Description

This tag specifies a requirement that the device must meet in order to be considered "in compliance". The requirement consists of a list of required outputs for the commands that AFA will run on the device, specified in the CommandsDef (see CommandsDef) tag.

Parameters

name

String. The requirement's name.

Note: Name must not exceed 255 characters.
id

Integer. The requirement's ID and order number.

Commands are displayed in numerical order in the Baseline Compliance Report.

Subtags

ExampleBaselineRequirement name="First" id="1"

Syntax

Command id="id" [name="name"] cmd="cmd"

Description

This tag specifies a command that AFA should run on the device.

Parameters

id

Integer. The command's ID and order number.

Commands are implemented in numerical order.
name

String. The command's name.
cmd

String. The command that AFA should run on the device.

Subtags

ExampleCommand id="1" name="Check Access" cmd="show access-list"

Syntax

Criterion type="type"

Description

This tag specifies a criterion that the command output must meet.

Parameters

type

String. The criterion type. This can be any of the following:

  • Required Line. The line specified in the Item sub-tag must be present in the command output.
  • Required Regexp. The regular expression specified in the Item sub-tag must be present in the command output.
  • Forbidden Line. The line specified in the Item sub-tag must not be present in the command output.
  • Forbidden Regexp. The regular expression specified in the Item sub-tag must not be present in the command output.
  • Custom Function. The custom function specified in the Item sub-tag must return true when run on the command output.
  • Manual Review. The regular expression or line specified in the Item sub-tag will be searched for in the command output.

Subtags

ExampleCriterion type="Custom Function"

Syntax

Item [comments="comments"]

Description

This tag specifies information about a criterion that the command output must meet.

Parameters

comments

String. Comments about a criterion that the command output must meet.

Contents

This tag contains further details about a criterion that the command output must meet.

Subtags

None.

Example

<Item comments="first required line for command 2">extended permit ip 207.193.122.0 255.255.255.0</Item>

Syntax

BaselineHeader title="title"

Description

This tag specifies information about the header text of the Baseline Compliance Report.

Parameters

title

String. The title that should appear in the header section of the report page.

Contents

This tag contains the header text that should appear in the Baseline Compliance Report.

Subtags

None.

Example<BaselineHeader title="Introduction">Introduction to the report</BaselineHeader>

Syntax

BaselineFooter title="title"

Description

This tag specifies information about the footer text of the Baseline Compliance Report.

Parameters

title

String. The title that should appear in the footer section of the report page.

Contents

This tag contains the footer text that should appear in the Baseline Compliance Report.

Subtags

None.

Example<BaselineFooter title="Summary">Summary of the report</BaselineFooter>

Sample Baseline Configuration Compliance Profile

<BaselineProfile display_name="Custom Profile" brand_id="asa">     

<CommandsDef>           

<Command id="1" name="Check Access" cmd="show access-list" />     

</CommandsDef>     

<BaselineRequirement name="First" description="This is first requirement."
id="1">           

<Command id="1">                 

<Criterion type="Required Line">                      

<Item comments="">extended permit ip 207.193.122.0 255.255.255.0</Item>                      

<Item comments="">extended permit tcp object-group</Item>                 

</Criterion>                 

<Criterion type="Required Regexp">                       

<Item>.*\.company\.com</Item>                 

</Criterion>                 

<Criterion type="Forbidden Line">                       

<Item>extended deny ip host 100.77.20.9 192.168.52.0</Item>                 

</Criterion>                 

<Criterion type="Custom Function">                       

<Item>perl /home/shira/.fa/check_resolv.pl</Item>                 

</Criterion>           

</Command>     

</BaselineRequirement>     

<BaselineHeader title="Introduction">Introduction to the report - freetext
</BaselineHeader>     

<BaselineFooter title="Summary">Summary of the report - freetext
</BaselineFooter></BaselineProfile>

Back to top