Policies, rules & conditions

Policies

A policy is coupled to a number of node groups. Whenever a node is checked for compliance, we therefore first check its node groups, and then all policies coupled to those node groups, and all those policies get validated on this node. A policy has the following attributes:

Rules

A policy contains one or more rules. A rule applies to a specific vendor type and to either the entire config of a node or a specific block inside the node's config. Rules contain these attributes:

Conditions

A rule can have a number of conditions. There are two types of conditions: validation conditions and logic conditions. A rule's conditions are evaluated in sequence; together they form a condition logic that the rule's config block must satisfy in its entirety for the rule to be compliant. A condition has the following attributes:

Compliance nodes

Policy checks are stored as compliance nodes. Each combination of node and policy is stored separately. The nccmd daemon uses this table to determine when a node is due for a compliance check, and its results are bundled to create reports. A compliance node has the following attributes:

A few notes: this table does not maintain history. If a compliance check for a policy is performed on a node, it overwrites the currently existing values. If a node group is removed from a policy, all its nodes are also removed from this table, unless they happen to be present in a different node group that is still coupled to the policy. The nccmd daemon performs this removal, so the deletion is not instantaneous: every five minutes the daemon goes through the Compliance node table and cleans up the obsolete records. The flags for this are stored in the Nccm Lookup, under the Cmpl_policy_update tweak. Its Str_value contains a comma-separated list of all policies that need to be evaluated.

In the same way, if you update a policy, its nodes are also automatically re-evaluated to see whether they are still compliant with the policy's new definition. This also applies to changes to the policy's rules and conditions.
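As an added illustration of the model described above (this is not code from the nccmd project; the class names, the simplified rule semantics and the sample data are assumptions), the following sketch resolves a node's policies through its node groups, keeps a single overwritten compliance record per node/policy pair, and shows the Cmpl_policy_update flag driving the daemon's cleanup pass:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
@dataclass
class Rule:
    vendor_type: str
    block: str                                  # "" = the node's whole config
    conditions: List[Callable[[str], bool]]     # simplified: every condition must hold
@dataclass
class Policy:
    name: str
    node_groups: Set[str]
    rules: List[Rule]

@dataclass
class Inventory:
    group_members: Dict[str, Set[str]]          # node group -> member nodes
    policies: Dict[str, Policy]
    # Compliance node table: (node, policy) -> latest result only, no history
    compliance: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    cmpl_policy_update: str = ""                # Str_value of the Cmpl_policy_update tweak

    def policies_for(self, node: str) -> List[Policy]:
        groups = {g for g, members in self.group_members.items() if node in members}
        return [p for p in self.policies.values() if p.node_groups & groups]

    def check_node(self, node: str, vendor: str, blocks: Dict[str, str]) -> Dict[str, bool]:
        for policy in self.policies_for(node):
            checks = [all(c(blocks.get(r.block, "")) for c in r.conditions)
                      for r in policy.rules if r.vendor_type == vendor]
            self.compliance[(node, policy.name)] = all(checks)   # overwrites the old value
        return {p: v for (n, p), v in self.compliance.items() if n == node}

    def remove_group_from_policy(self, policy_name: str, group: str) -> None:
        self.policies[policy_name].node_groups.discard(group)
        flagged = [p for p in self.cmpl_policy_update.split(",") if p]
        if policy_name not in flagged:
            flagged.append(policy_name)
        self.cmpl_policy_update = ",".join(flagged)

    def daemon_cleanup(self) -> List[Tuple[str, str]]:
        # The periodic nccmd pass: drop records for nodes the flagged policies no longer cover
        removed = []
        for name in [p for p in self.cmpl_policy_update.split(",") if p]:
            covered = set().union(*[self.group_members[g] for g in self.policies[name].node_groups])
            for key in [k for k in self.compliance if k[1] == name and k[0] not in covered]:
                removed.append(key)
                del self.compliance[key]
        self.cmpl_policy_update = ""
        return removed
```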

Policy Schedules

Policy schedules are used to schedule a compliance check for a certain time, controlled by the user. Policy schedules will be available in Compliance Phase 2. A policy schedule has the following attributes:

Command replies

Command replies store the result of a command, defined as a command rule. There is no history in this table. Here are its attributes: