@itentialopensource/configuration-compliance-and-r

Configuration Compliance and Remediation

Overview
Features
Components Workflows Operations Manager Job
Requirements
Known Limitations
How to Install
How to Run
Job Variables
Test Environment

Overview

The Configuration Compliance and Remediation pre-built allows network engineers to run scheduled compliance reports to check the compliance of devices against a specified Golden Configuration. If the compliance score has fallen under a customizable value for any given device, the pre-built will automatically take a backup of this device and try to automatically remediate the configuration back to the specified state. A report of all changes is shown to a network engineer.

Components

This pre-built is comprised of a set of modular components intended to modularize and simplify the remediation process to suit your device and environment.

Workflows

1) Parent flow

This workflow backs up the device config and attempts the remediation. If verbose mode is enabled, the remediation results will be shown for every successful device remediated along with a report at the end showing the list of all the devices that were successfully & unsuccessfully remediated.

2) Remediation flow

Operations Manager Job

This pre-built can be scheduled to run in regular intervals by using operations manager. The screenshot above shows how the operations manager automation for this pre-built looks. Users can schedule periodical remediations on their configuration trees by setting the Run At and Repeats parameters in the Schedule card. The input data required for starting the workflows can be permanently set to a value by setting the values in the form on the right hand side (Please check How to Run for instructions on filling the form).

Features

Schedules the weekly creation of a compliance report of all devices grouped under a Configuration Tree
Devices that have fallen under a customizable compliance score are auto remediated to bring them back into compliance
Includes example Configuration Trees for different device types
Modular Design
Zero touch option executes automation end to end without any manual tasks (no reports)
User customizable disallowed configuration removal
User customizable threshold compliance score for remediation approval

Requirements

In order to use the device connection health check pre-built, users will have to satisfy one of the following pre-requisites:

Itential Automation Platform ^2022.1

Known Limitations

At the time of this writing, the pre-built is limited to the device types your chosen southbound system supports

How to Install

Please ensure that you are running a supported version of the Itential Automation Platform (IAP) as listed above in the requirements section in order to install the Configuration Compliance and Remediation pre-built. Simply search for config-compliance-and-remediation within app-admin_essentials > pre-builts > browse and click the install

How to Run

Operations Manager

As a starting point, this pre-built assumes that the devices that you are trying to remediate are already configured and up and running. The remediation process can be started through Operations Manager. First, select the target configuration tree from the drop-down list of available trees. Next, supply the minimum compliance score (between 0-100) for the remediation result to be considered acceptable. Finally, check/uncheck the check box to enable/disable disallowed configuration removal during the remediation process

Zero Touch and Verbose Mode

Zero Touch: Enable zero touch to perform the entire remediation process without any interaction necessary. Please note that you should still monitor remediation process, and that any errors encountered will still need your attention in order to handle.
Verbose Mode: Enable verbose mode in order to view the remediation reports throughout the remediation process.

When you are ready to initiate the upgrade process, press the RUN button to begin.