Rules

NCCM’s default package includes the following Policy Compliance standards:

  • PCI DSS v3.2

  • NIST

  • CIS v7

  • DISA

  • CISP

However, NCCM allows users to customize the defaults and add new Compliances using Policy rules and Rule set configurations.

NCCM rules are defined to ensure security compliance and meet organization standards in the network. Before configuring a change in the network, the user should check the configuration for policy violations through a review process. There are four types of rules:

  • Device Configuration Check: The configuration of the device can be checked (Full or Block)

  • Network Review: Network Review Check (must be configured first)

  • OS Version Check: OS check is performed every day (Default configuration)

  • Startup vs. Running: Comparison check between the Baseline and current configuration to detect any discrepancy.

What you see on the screen

The Rules page in NCCM is a privilege-based feature, meaning users can access, view, add, edit, delete, execute, and export rules only if the administrator has assigned the appropriate roles and privileges.

The page displays all the rules available in NCCM and provides several action icons for user interactions:

Action Icons | Rules |

| Label | Action | Description |
|---|---|---|
| Search | Search for a specific rule using fields like Rule ID, name, or description. | The search is not case-sensitive and supports partial word matches. For instance, entering "Pass" or "pass" in the description fetches results containing the word "password." |
| Filter | Apply filters based on fields and conditions from the dropdown menu. | Fields include Job Name, Job Type, Status, and Business Hours. Conditions include "in" or "not in." |
| Export | Export the Rule configuration page. | Download the rule data as a JSON file. |
| Add | Add a new rule to NCCM. | Three methods allow you to create rules: Add a Configuration Rule, Import JSON, or Import a configuration rule from an older NCCM version. |
| Enable | Enable selected rules to make them functional. | Rules must be enabled for execution and to be used in configurations. |
| Disable | Disable selected rules to render them inactive. | Disabled rules remain dormant but can be re-enabled later. |
| Copy | Duplicate an existing rule. | Use this option to copy a rule and create a similar one with modifications. |
| Edit | Modify the details of an existing rule. | Added rules can be edited to make necessary changes. From the Rules page, click the Rule ID to navigate to the ‘Edit Rule’ page or select the rule and click ‘Edit’ to redirect to the edit rule window. Make changes as necessary and click ‘Save’ to save the changes. |
| Delete | Remove a rule permanently from NCCM. | Deletes the selected rule from the system. |

Add Rule

This is a privilege-based feature: The user can access, view, add, edit, delete, execute, and export only if the administrator has given them privileges. These will be defined under roles and privileges.

Click on the plus (+) icon at the top right corner of the ‘Rules’ home page to navigate to the ‘Add Rule’ page. Adding a Rule has three steps:

  • Rule Information – where the basic rule information, like the Compliance standard, rule type, etc., is configured.

  • Match Criteria – where the Rule Match scope and Criteria are configured.

  • Remedy Action – where alarms and Remedy actions (if any) are configured.

Rule Information | Add Rule |

The Rule Information page lets users configure basic information like Rule Name and Type. Follow the instructions below to add rule information.

| Label | Step | Description |
|---|---|---|
| Rule Name | Provide a name for the Rule. | For example, Password Encryption (this is mentioned in section 1.1.5 of PCI DSS v3.2; the section number is added to the name for easy reference). |
| Description | Provide a brief description of the compliance/rule. | In the example used here, the password encryption rule is a part of PCI DSS v3.2, and this is added as the description. If the rule is a part of baseline compliance, that description can be added here. |
| Vendor | Select Vendor using the dropdown menu. | In the example used here, select ‘Checkpoint’. |
| OS Type | Select OS Type using the dropdown menu. | |
| OS Version | Select OS Version using the dropdown menu. | |
| Compliance Standard | Mention the compliance standard to which this rule belongs. | In the example used here, 1.1.5 of PCI DSS v3.2. |
| Compliance Details | Provide a brief description of the compliance. | In the example used here, 1.1.5 of PCI DSS v3.2 states, ‘The network element must be configured to ensure passwords are not viewable when displaying configuration information.’ The same is added as a description. |
| Rule Type | Select Rule Type using the dropdown menu. | Select the rule type from the default options provided (additional fields appear based on the selection). |
| Configuration* | Select configuration (to perform a check) from the options available. | Applicable only for the ‘Device Configuration Check’ Rule Type. If ‘Command Execution’ is selected, select the command script using the dropdown menu or provide commands manually. |
| Status | Select Rule Status using the dropdown menu. | Status must be enabled for the rule to be active. |

Click Next to navigate to Match Criteria.

Match Criteria | Add Rule |

The Match Criteria Page lets users configure the rule's condition and match criteria. The steps for adding criteria for ‘Device Configuration Check’ differ from other Types.

Match Criteria for Device Configuration Check

Label

Step

Description

Scope

Select the scope of the match using the dropdown menu

If the Rule Type is ‘Device Configuration’, select one of the options below:

  • Full Configuration – Performs a check on the full Configuration.

  • Selected Lines – Performs a check on selected lines of the Configuration. To perform the check, select Lines to Include and Ignore. The regex pattern selection option is also available.

  • Selected Blocks – Performs a check on selected blocks of the Configuration. To perform the check, select Start and End Block, and Blocks to Include and Ignore. The regex pattern selection option is also available.

  • Ignore Case – Check box to remove case sensitivity.

Ignore Pattern

Provide the commands that are to be ignored while applying this rule.

Input the text/pattern to be ignored in the configuration

Match Condition

Select the separator and choose the condition to match

  • Select Group separator (if multiple conditions are to be applied).

  • Select the condition using the dropdown menu. (The condition can be an exact match, Substring match, or Regex pattern match)

  • Select the ‘And/Or’ option (if multiple conditions are added)

Match Text / Pattern *

Mention the text/pattern to be matched in the configuration

Input the text/pattern to be matched in the configuration.

Ignore Whitespace and Ignore Case - Check boxes to ignore whitespace and case sensitivity.

Match Occurrence

Select Match Occurrence within the Execution Scope using the dropdown menu.

This option sets how often the conditions given above must match within the execution scope. Choose from ‘Only Once’, ‘At least Once’, and ‘Not Matching’.

Select Group separator closure (if multiple conditions are to be applied).

Click ‘Add’ to add this condition. Follow the above steps to add multiple conditions.

Note:

  • Added conditions can be edited by clicking ‘Edit’ before saving the rule.

  • Select the match condition and click ‘Delete’ to remove the match condition.

  • The sequence of the Match conditions can be changed by using the ^ and v buttons.

Note: A rule is considered complied with only when the Match Text/Pattern meets the Match Occurrence in the selected Execution Scope.

After all the conditions are added, click ‘Next’ to continue with Remedy Action.
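A small model of the evaluation described above, added here as an illustration and not NCCM's own code: it applies an Ignore Pattern to the Full Configuration scope, evaluates exact, substring and regex conditions against a Match Occurrence, and joins the conditions with And/Or. The function names, the sample configuration, the `PASSWORD_RULE` definition and the choice to count occurrences per matching line are assumptions made for the example.

```python
import re

# Constructed IOS-style sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw-01
service password-encryption
username admin secret 9 $9$constructed-hash
username backup password 0 Winter2024
"""

def scoped_lines(config, ignore_pattern=None):
    """Full Configuration scope, minus lines matching the Ignore Pattern."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if ignore_pattern:
        lines = [ln for ln in lines if not re.search(ignore_pattern, ln)]
    return lines

def line_matches(line, kind, text, ignore_case=False):
    """One Match Condition: 'exact', 'substring' or 'regex'."""
    if kind == "regex":
        return re.search(text, line, re.I if ignore_case else 0) is not None
    if ignore_case:
        line, text = line.lower(), text.lower()
    return line == text if kind == "exact" else text in line

def condition_met(lines, cond):
    """Count matching lines (assumed unit), then apply the Match Occurrence."""
    hits = sum(line_matches(ln, cond["kind"], cond["text"],
                            cond.get("ignore_case", False)) for ln in lines)
    return {"only_once": hits == 1,
            "at_least_once": hits >= 1,
            "not_matching": hits == 0}[cond["occurrence"]]

def rule_complied(config, conditions, joiner="and", ignore_pattern=None):
    """Complied only when the And/Or-joined conditions hold in the scope."""
    lines = scoped_lines(config, ignore_pattern)
    results = [condition_met(lines, c) for c in conditions]
    return all(results) if joiner == "and" else any(results)

# Hypothetical 'Password Encryption' rule built from two conditions.
PASSWORD_RULE = [
    {"kind": "exact", "text": "service password-encryption",
     "occurrence": "only_once"},
    {"kind": "regex", "text": r"\bpassword 0 ", "occurrence": "not_matching"},
]

if __name__ == "__main__":
    print("complied:", rule_complied(SAMPLE_CONFIG, PASSWORD_RULE))
```

The sample is reported as a violation because one line still carries an unencrypted password; an Ignore Pattern that drops that line, or joining the conditions with Or, changes the verdict, which is why both settings deserve review before a rule is enabled.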

Match Criteria for ‘Network Review, OS Version Check & Startup vs. Running’ Rule Types

| Label | Step | Description |
|---|---|---|
| Scope | The scope is displayed by default. | The scope is auto-populated based on the Rule Type selected. |
| Match Text/Pattern * | Mention the text/pattern to be matched in the configuration. | Input the text/pattern to be matched within the Network, OS, or Startup/Running configurations. |
| Match Occurrence | Select Match Occurrence within the Execution Scope using the dropdown menu. | Only one match occurrence option is available for these Rule Types. |

Click ‘Next’ to continue with Remedy Action.

Note:

  • The rule is complied with only when the Match Text/Pattern meets the Match Occurrence in the selected Execution Scope.

  • If the Rule is private, only those with privileges can view it. The Match criteria will be changed based on the rule type.

Remedy Action | Add Rule |

A rule can also carry a remediation action for when the rule is violated. In case of a rule violation, an alarm trigger and notification can be configured. NCCM also supports configuring a Remediation action that is performed automatically.

Label

Step

Description

Alarms

Violation Severity

Select severity from Critical, Major, or Minor

The colour codes (notifiers) are based on the severity of the rule violation selected here.

Rule Violation Message

Provide a message about the violated rule.

Give a brief description of the rule violation. For Example, ‘Password not Encrypted’.

Notifier

Select the notifier using the dropdown menu.

Select the name of the person who must be notified of the violation.

Remediation

On Violation, Perform

Select the action to be performed when the rule violation is detected.

Based on the rule, the remediation action can be selected. In the example above, NCCM can run a script to encrypt the password. There are four action options (as applicable) available in NCCM:

  • Rollback to Baseline – Rolls back the configuration to the baseline configuration.

  • Rollback to Previous – Rolls back the configuration to the previous configuration.

  • Script Execution - Executes the given script

  • OS Upgrade - Runs an upgrade for the OS

Remediation Comments

Provide comments about the remediation action.

Applicable if rollback is selected in the previous step

Continue next Command on Error

Yes/No

If ‘Yes’, the system proceeds with the next set of commands even if one of the commands throws an error.

If ‘No’, the system stops the execution as soon as an error occurs in a command.

Once all tabs (Rule Information, Match Criteria & Remedy action) have been added, click ‘Save’ to save the Rule. A unique Rule ID is created.

Click ‘Back’ to navigate to the Match Criteria tab or ‘Cancel’ to abort the operation.

Note: When a Rule is violated, Remediation action is performed by adding a job, i.e., ‘Upload job.’
