SOLVED
This issue needs lab intervention, can you log a case with HPE Support by using the below link:
https://support.hpe.com/hpesc/public/home/
Thanks!
Hello,
I've done this before for one project, and can share some experience in this regard, as it can be one of the more complex use cases for Compliance Policy. The challenge here is that you need to ensure not only all "ip authorized-managers" entries exist in the config, but no additional entries are present that shouldn't be there. In my case there was also a variable IP address in the authorized list (the default gateway of the switch) that needed to be matched.
This can be done with two rules. First, a Basic Strict Match that includes all lines which should exist in the match pattern, including a variable for the default gateway IP, which would look like:
ip authorized-managers 10.10.10.10 255.255.255.255 access manager access-method ssh
ip authorized-managers ${DefaultGateway} 255.255.255.255 access manager access-method ssh
...and so on, in the order these entries are shown in the config. We need to tell IMC how to get this variable information from the device config, which we would do by extracting it from the "ip default-gateway" line using RegEx with a capturing group (
This will look for тАЬip default-gatewayтАЭ in the configuration, followed by four octets of 1-3 characters from 0-9, each of which (except the last) ends with a тАЬcharacter that is not a whitespace characterтАЭ, indicated by \S. Note we cannot use \. instead, because iMC only allows numbers and letters in the capturing group. The last octet should end with a word boundary indicated by \b.
The rule will fail if the device config does not exactly match, so any unexpected тАЬip authorized-managersтАЭ entries between the expected lines would be caught by the rule. The limitation here is that any тАЬip authorized-managersтАЭ lines before or after the expected ones would not cause the rule to fail.
This limitation could be worked around in one of several ways:
тАв Include the lines before and after the тАЬip authorized-managersтАЭ segment of the configuration. The concern here is that these lines might differ across devices, so it's not reliable.
тАв Create an additional rule that uses Advanced Match (Excluded) with a negative lookahead in RegEx to ensure no тАЬip authorized-managers <ip-address>тАЭ entries exist that should not be there.
For example:
ip authorized-managers (?!10\.10\.10\.(10|20|30)|192\.168\.10\.(10|20)|Gateway)
Note that the word тАЬGatewayтАЭ would need to be replaced with the gateway IP for the devices that need to be checked, in a RegEx format matching the other IP addresses. If you don't need this, it will be simpler for you, and you can just leave it out.
The check would fail if any тАЬip authorized-managersтАЭ lines exist that are not followed by one of the IP addresses in the negative lookahead. The limitation here is that the gateway cannot be filled in automatically using a variable, so a separate policy would need to be created for each set of devices that is using the same gateway.
Hope that makes sense and helps you get the policy working.
Justin
Working @ HPE