Config blocks

In order to check parts of a config, configs are split up into blocks. Conditions of the type ConfigBlock are then evaluated against these blocks. The blocks are selected with the Rule_start and Rule_end properties of the rule; both strings can also be regular expressions. Rule_start matches the first line of the block. If multiple blocks match, all of them are evaluated for compliance.

In general, config blocks are split up based on indentation. Empty lines and lines containing only a ! or a # are also treated as logical block ends. Blocks can be hierarchical, so blocks within blocks also work. In that case a block also has a path, which consists of the first lines of all of its parents and its own first line concatenated together; you can select a nested block by this path with your Rule_start.

Junos

Junos configs are heavily indented, so their blocks are very hierarchical, and many sub blocks start with the same text (for example every "ssh {" stanza). You should therefore select the blocks you want to check by their paths rather than by their first line alone.
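The following is an added example, not code from the tool this page documents: a minimal Python implementation of the block splitting described above (indentation-based, hierarchical, with "!", "#" and empty lines as logical block ends) together with Rule_start / Rule_end selection. The " > " path separator, the skipping of Junos "}" closer lines, and the reading of Rule_end as "cut the block after the first matching line" are assumptions of this example; the sample configs are constructed, not taken from a real device.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Block:
    first_line: str            # the line that starts the block, whitespace stripped
    path: str                  # first lines of all parents plus this one, joined by " > " (separator assumed)
    children: List["Block"] = field(default_factory=list)

    def lines(self) -> List[str]:
        """The block's first line followed by every line of its sub blocks."""
        out = [self.first_line]
        for child in self.children:
            out.extend(child.lines())
        return out

    def walk(self):
        """This block and all of its sub blocks, depth first."""
        yield self
        for child in self.children:
            yield from child.walk()


def split_blocks(config: str) -> List[Block]:
    """Split a config into hierarchical blocks by indentation.

    An empty line or a line containing only '!' or '#' is a logical block end and
    closes every open block. Lines made only of '}' (Junos block closers) are
    skipped; the page does not describe brace handling, so this is an assumption.
    """
    roots: List[Block] = []
    open_blocks: List[tuple] = []          # (indent width, Block) of every block still open
    for raw in config.splitlines():
        text = raw.strip()
        if text in ("", "!", "#"):
            open_blocks.clear()
            continue
        if set(text) <= {"}"}:
            continue
        indent = len(raw) - len(raw.lstrip())
        # a line indented no deeper than an open block closes that block
        while open_blocks and open_blocks[-1][0] >= indent:
            open_blocks.pop()
        if open_blocks:
            parent = open_blocks[-1][1]
            block = Block(text, parent.path + " > " + text)
            parent.children.append(block)
        else:
            block = Block(text, text)
            roots.append(block)
        open_blocks.append((indent, block))
    return roots


def select_blocks(roots: List[Block], rule_start: str,
                  rule_end: Optional[str] = None) -> List[List[str]]:
    """Lines of every block selected by Rule_start (and optionally Rule_end).

    Rule_start is a regular expression that must match the whole first line of a
    block or its whole path. Rule_end, if given, cuts the block after the first
    line matching it (assumed semantics).
    """
    start = re.compile(rule_start)
    end = re.compile(rule_end) if rule_end else None
    selected = []
    for root in roots:
        for block in root.walk():
            if not (start.fullmatch(block.first_line) or start.fullmatch(block.path)):
                continue
            lines = block.lines()
            if end is not None:
                for i, line in enumerate(lines):
                    if end.fullmatch(line):
                        lines = lines[: i + 1]
                        break
            selected.append(lines)
    return selected


# Constructed sample configs (IOS-style and Junos-style); not taken from a real device.
IOS_SAMPLE = """\
interface GigabitEthernet0/1
 description uplink
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 shutdown
!
"""

JUNOS_SAMPLE = """\
system {
    host-name r1;
    services {
        ssh {
            root-login deny;
        }
    }
}
"""

if __name__ == "__main__":
    print(select_blocks(split_blocks(IOS_SAMPLE), r"interface GigabitEthernet0/\d+"))
    # the nested Junos block is selected by its path, not by the ambiguous "ssh {"
    print(select_blocks(split_blocks(JUNOS_SAMPLE), r"system \{ > services \{ > ssh \{"))
```

Selecting with `r"ssh \{"` would match every ssh stanza in a larger Junos config; the path form pins the selection to the one under system > services, which is the behaviour the Junos note above recommends.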

Ciena

Ciena configs contain blocks like:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! RCOS QUEUE MAP CONFIG:
!
traffic-services queuing queue-map create rcos-map NNI-NNI
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 1 queue 1
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 2 queue 2
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 3 queue 3
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 4 queue 4
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 5 queue 5
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 6 queue 6
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 7 queue 7

Blocks can be matched by their title (in this case RCOS QUEUE MAP CONFIG). Ciena blocks have no hierarchy.

Checkpoint

Checkpoint configs lack any sort of indentation or logical spacing. Instead the parser looks at the starting keywords of each line and groups consecutive lines with the same keywords into one block, regardless of whether they are preceded by "add" or "set".

So for example the following piece of config:

set inactivity-timeout 10
set expert-password-hash $1$cBBBDBBW$FmeO/rhfGDhZpHlKM4ROO1
set user admin shell /bin/bash 
set user admin password-hash $1$R5wwe24I$8mFvR4y7rxuwVIDBcI6E/. 
set user monitor shell /etc/cli.sh 
set user monitor password-hash * 

Will be split up like:

set inactivity-timeout 10

set expert-password-hash $1$cBBBDBBW$FmeO/rhfGDhZpHlKM4ROO1

set user admin shell /bin/bash 
set user admin password-hash $1$R5wwe24I$8mFvR4y7rxuwVIDBcI6E/. 

set user monitor shell /etc/cli.sh 
set user monitor password-hash * 

And the following piece with interfaces:

set timezone America / New_York 
set interface eth0 state on 
set interface eth0 auto-negotiation on 
set interface eth0 ipv4-address 192.168.178.40 mask-length 24 
set interface eth1 state off 
set interface eth2 state off 
set interface eth3 state off 
set interface lo state on 
set interface lo ipv4-address 127.0.0.1 mask-length 8 

Will be split like:

set timezone America / New_York 

set interface eth0 state on 
set interface eth0 auto-negotiation on 
set interface eth0 ipv4-address 192.168.178.40 mask-length 24 

set interface eth1 state off 

set interface eth2 state off 

set interface eth3 state off 

set interface lo state on 
set interface lo ipv4-address 127.0.0.1 mask-length 8
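As an added example, not the tool's own code: a Python splitter that reproduces the Checkpoint grouping shown above, followed by a ConfigBlock-style rule evaluated over the resulting blocks. The grouping key used here (the first two words after a leading "add" or "set") is an assumption chosen because it yields exactly the splits on this page; the sample config is constructed from the lines above plus one added "add user" line, and the sample rule (every user block must set shell /etc/cli.sh) is invented for illustration.

```python
import re
from typing import List, Optional, Tuple


def checkpoint_key(line: str) -> Tuple[str, ...]:
    """Grouping key for a Checkpoint config line: the first two words after a
    leading 'add' or 'set'. Two words keep 'user admin' lines together while
    splitting 'interface eth1' from 'interface eth2'; the key width is an
    assumption of this example."""
    words = line.split()
    if words and words[0] in ("add", "set"):
        words = words[1:]
    return tuple(words[:2])


def split_checkpoint(config: str) -> List[List[str]]:
    """Group consecutive non-empty lines sharing the same key into one block."""
    blocks: List[List[str]] = []
    last_key: Optional[Tuple[str, ...]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = checkpoint_key(line)
        if blocks and key == last_key:
            blocks[-1].append(line)
        else:
            blocks.append([line])
        last_key = key
    return blocks


def evaluate(blocks: List[List[str]], rule_start: str,
             required: str) -> List[Tuple[str, bool]]:
    """Apply a ConfigBlock-style rule: every block whose first line fully
    matches Rule_start is compliant if some line fully matches `required`."""
    start, need = re.compile(rule_start), re.compile(required)
    results = []
    for block in blocks:
        if start.fullmatch(block[0]):
            results.append((block[0], any(need.fullmatch(line) for line in block)))
    return results


# Constructed sample: the lines shown above plus an "add user" line to show that
# add and set lines for the same object land in one block.
SAMPLE = """\
set inactivity-timeout 10
set expert-password-hash $1$cBBBDBBW$FmeO/rhfGDhZpHlKM4ROO1
set user admin shell /bin/bash
set user admin password-hash $1$R5wwe24I$8mFvR4y7rxuwVIDBcI6E/.
set user monitor shell /etc/cli.sh
set user monitor password-hash *
add user ops uid 0 homedir /home/ops
set user ops shell /etc/cli.sh
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth1 state off
"""

# sample rule, invented for this example: every user must use the restricted shell
USER_RULE_START = r"(add|set) user \S+ .*"
USER_RULE_REQUIRED = r"set user \S+ shell /etc/cli\.sh"

if __name__ == "__main__":
    for block in split_checkpoint(SAMPLE):
        print("\n".join(block), end="\n\n")
    for first_line, ok in evaluate(split_checkpoint(SAMPLE), USER_RULE_START, USER_RULE_REQUIRED):
        print("compliant" if ok else "NOT compliant", "-", first_line)
```

Because Rule_start is matched against the first line of a block, a rule written as `set user ...` would silently skip a user whose block begins with an `add user` line; the `(add|set)` alternative in the sample rule covers both.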