Config blocks
In order to parse parts of a config, configs are split up into blocks. Conditions of type ConfigBlock are then evaluated against these blocks. The blocks to check are selected with the Rule_start and Rule_end properties of the rule; these strings can also be regular expressions. If multiple blocks match, all of them are evaluated for compliance. Rule_start matches against the first line of the block.
In general, config blocks are split up based on indentation. An empty line, or a line containing only a ! or a #, also ends a logical block. Blocks can be hierarchical, so blocks within blocks also work. In that case a block also has a path, consisting of its own first line and the first lines of all of its parents concatenated together, which you can select with your Rule_start.
Junos
Junos configs are heavily indented, so their blocks are very hierarchical and many sub-blocks start with the same text. You should therefore select the blocks you want to check by their paths.
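The indentation-based splitting and path selection described above, as an added example (not the tool's own parser): it splits a constructed Junos-style sample into nested blocks, ends top-level blocks at a line containing only !, builds each block's path from the first lines of its ancestors, selects blocks with a Rule_start regex and evaluates every selected block against a required line. The path separator " / " and the use of re.search for Rule_start are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed Junos-style sample (not from a real device). The "!" line acts as a
# logical block end, as described above.
SAMPLE_CONFIG = """\
system {
    login {
        user admin {
            class super-user;
        }
    }
    services {
        ssh {
            root-login deny;
        }
    }
}
!
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet;
        }
    }
}
"""

PATH_SEP = " / "   # assumption: how first lines are joined into a path is not specified


@dataclass
class Block:
    path: str                  # first lines of all ancestors and this block, joined
    lines: list                # the block's own lines, nested blocks included
    children: list = field(default_factory=list)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _is_separator(line):
    s = line.strip()
    return s == "" or s in ("!", "#")


def split_blocks(text):
    """Split config text into hierarchical blocks by indentation."""
    lines = [l.rstrip() for l in text.splitlines()]

    def parse(start, level, parent_path):
        # Parse sibling blocks at indentation `level`; returns (blocks, next index).
        result, i = [], start
        while i < len(lines):
            line = lines[i]
            if _is_separator(line):
                if level > 0:              # a separator closes every open nested block
                    return result, i
                i += 1
                continue
            ind = _indent(line)
            if ind < level:                # dedent: this level is finished
                return result, i
            stripped = line.strip()
            if stripped == "}" and result:
                result[-1].lines.append(line)   # closing brace belongs to the block it closes
                i += 1
                continue
            path = stripped if not parent_path else parent_path + PATH_SEP + stripped
            block = Block(path=path, lines=[line])
            i += 1
            # A deeper-indented next line starts the nested blocks of this block.
            if i < len(lines) and not _is_separator(lines[i]) and _indent(lines[i]) > ind:
                block.children, i = parse(i, _indent(lines[i]), path)
                for child in block.children:
                    block.lines.extend(child.lines)
            result.append(block)
        return result, i

    blocks, _ = parse(0, 0, "")
    return blocks


def iter_blocks(blocks):
    """Depth-first walk over blocks and all nested sub-blocks."""
    for b in blocks:
        yield b
        yield from iter_blocks(b.children)


def select_blocks(blocks, rule_start):
    """Blocks whose path matches the Rule_start regex; for a top-level block the
    path is just its first line."""
    pattern = re.compile(rule_start)
    return [b for b in iter_blocks(blocks) if pattern.search(b.path)]


def check_rule(blocks, rule_start, required):
    """Evaluate every selected block: compliant if some line matches `required`."""
    req = re.compile(required)
    return {b.path: any(req.search(l) for l in b.lines)
            for b in select_blocks(blocks, rule_start)}


if __name__ == "__main__":
    blocks = split_blocks(SAMPLE_CONFIG)
    for b in iter_blocks(blocks):
        print(b.path)
    print(check_rule(blocks, r"^system \{ / services \{ / ssh \{$", r"root-login deny"))
```

Because every sub-block becomes a block of its own, a short Rule_start such as `ssh \{$` already selects the right nested block without anchoring the whole path; a pattern that matches several paths (for example `^system \{ / services`) yields one result per matching block.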
Ciena
Ciena configs contain blocks like:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! RCOS QUEUE MAP CONFIG:
!
traffic-services queuing queue-map create rcos-map NNI-NNI
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 1 queue 1
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 2 queue 2
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 3 queue 3
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 4 queue 4
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 5 queue 5
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 6 queue 6
traffic-services queuing queue-map set rcos-map NNI-NNI rcos 7 queue 7
Blocks can be matched against their title (in this case RCOS QUEUE MAP CONFIG). There is no hierarchy.
Checkpoint
Checkpoint configs lack any sort of indentation or logical spacing. Instead the parser looks at the starting keywords and groups lines into blocks, regardless of whether they are preceded by "add" or "set".
So, for example, the following piece of config:
set inactivity-timeout 10
set expert-password-hash $1$cBBBDBBW$FmeO/rhfGDhZpHlKM4ROO1
set user admin shell /bin/bash
set user admin password-hash $1$R5wwe24I$8mFvR4y7rxuwVIDBcI6E/.
set user monitor shell /etc/cli.sh
set user monitor password-hash *
will be split up like:
set inactivity-timeout 10

set expert-password-hash $1$cBBBDBBW$FmeO/rhfGDhZpHlKM4ROO1

set user admin shell /bin/bash
set user admin password-hash $1$R5wwe24I$8mFvR4y7rxuwVIDBcI6E/.

set user monitor shell /etc/cli.sh
set user monitor password-hash *
And the following piece with interfaces:
set timezone America / New_York
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 ipv4-address 192.168.178.40 mask-length 24
set interface eth1 state off
set interface eth2 state off
set interface eth3 state off
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
will be split like:
set timezone America / New_York

set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 ipv4-address 192.168.178.40 mask-length 24

set interface eth1 state off

set interface eth2 state off

set interface eth3 state off

set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
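The keyword-based grouping for Checkpoint configs, as an added example (not the tool's own parser): lines from the two Checkpoint snippets above, plus one constructed "add user" line to show that add and set lines are grouped together, are keyed by their leading keyword. The choice that interface and user lines include the object name in the key, so each interface and each user forms its own block, is an assumption of this example; Rule_start is then applied to the block key and every matching block is evaluated.

```python
import re
from collections import OrderedDict

# Lines taken from the Checkpoint examples above; the "add user auditor" line and the
# auditor user itself are constructed for this example.
SAMPLE_CONFIG = """\
set inactivity-timeout 10
set timezone America / New_York
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 ipv4-address 192.168.178.40 mask-length 24
set interface eth1 state off
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
add user auditor uid 1001 homedir /home/auditor
set user auditor shell /bin/bash
set user admin shell /bin/bash
set user admin password-hash *
"""

# Assumption: keywords that address a named object take the object name into the
# grouping key; every other keyword groups on the first keyword alone.
NAMED_OBJECTS = {"interface", "user"}


def block_key(line):
    """Grouping key for a Checkpoint line: the leading keyword(s) after add/set."""
    tokens = line.split()
    if tokens and tokens[0] in ("add", "set"):
        tokens = tokens[1:]          # "add" and "set" do not take part in grouping
    if not tokens:
        return ""
    width = 2 if tokens[0] in NAMED_OBJECTS else 1
    return " ".join(tokens[:width])


def split_checkpoint(text):
    """Group lines into blocks by keyword; returns an ordered {key: [lines]} mapping."""
    blocks = OrderedDict()
    for line in text.splitlines():
        if line.strip():
            blocks.setdefault(block_key(line), []).append(line.rstrip())
    return blocks


def check_rule(blocks, rule_start, required):
    """Evaluate every block whose key matches Rule_start; a block is compliant
    if one of its lines matches `required`."""
    start, req = re.compile(rule_start), re.compile(required)
    return {key: any(req.search(l) for l in lines)
            for key, lines in blocks.items() if start.search(key)}


if __name__ == "__main__":
    blocks = split_checkpoint(SAMPLE_CONFIG)
    for key, lines in blocks.items():
        print(key, "->", len(lines), "line(s)")
    # Every interface block is evaluated; eth1 reports non-compliant.
    print(check_rule(blocks, r"^interface eth\d+$", r"state on"))
```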