Compliance Check - Is Every Device Configured Right?

Lesson 6 of 10

The Scenario

After an audit, you discover that 8 out of 50 devices are missing SNMP v3 configuration, 3 have the wrong NTP server, and 1 still has enable password instead of enable secret. You need a script that checks every device against your golden standard.


The Prompt

Write a Python script that checks device compliance. For each device in devices.csv:

1. SSH in and pull the running config
2. Check these compliance rules:
   - MUST have "ntp server 10.1.1.100" (NTP)
   - MUST have "snmp-server group SNMPV3GRP v3 priv" (SNMP v3)
   - MUST NOT have "enable password" (should be enable secret)
   - MUST have "service password-encryption"
   - MUST have "banner motd" (any banner)
   - MUST have "logging host 10.1.1.50"
3. Generate a compliance report: device, rule, PASS/FAIL
4. Export to CSV and print a summary showing overall compliance percentage
5. For each FAIL, include the remediation command

What AI Gives You

A compliance engine that checks each rule using string matching on the running config, outputs a pass/fail matrix, and suggests exact commands to fix non-compliant devices.


Review and Validate

  • String matching works for most checks but can produce false positives, because a substring test also matches longer lines: "ntp server 10.1.1.100" should not match "ntp server 10.1.1.1001".
  • Remediation commands: Review before auto-applying. AI might suggest commands for a different IOS version.
  • Extend the rules: Start with 5, and add more as your security policy evolves.
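
A whole-line rule check that avoids the substring false positive described above. This is an added example, not the lesson's code or the AI's output. It works on running-config text that has already been pulled, so the SSH step is left out. The remediation strings and the sample config are assumptions, and the "no service password-encryption" line shows a second substring trap beyond the NTP one.

```python
import re

# Rule strings are the ones from the lesson's prompt. The remediation text is
# an illustrative assumption; <...> are placeholders to fill in and review.
RULES = [  # (name, config text, must_exist, remediation)
    ("NTP", "ntp server 10.1.1.100", True, "ntp server 10.1.1.100"),
    ("SNMPv3", "snmp-server group SNMPV3GRP v3 priv", True,
     "snmp-server group SNMPV3GRP v3 priv"),
    ("Enable secret", "enable password", False,
     "no enable password, then enable secret <SECRET>"),
    ("Password encryption", "service password-encryption", True,
     "service password-encryption"),
    ("Banner", "banner motd", True, "banner motd <DELIM><TEXT><DELIM>"),
    ("Syslog", "logging host 10.1.1.50", True, "logging host 10.1.1.50"),
]

def line_present(text, config):
    """True only if a whole config line is `text`, optionally plus arguments."""
    rx = re.compile(re.escape(text) + r"(\s.*)?")
    return any(rx.fullmatch(ln.strip()) for ln in config.splitlines())

def check_config(config):
    """Return {rule name: ("PASS", None) or ("FAIL", remediation)}."""
    return {name: ("PASS", None) if line_present(text, config) == must else ("FAIL", fix)
            for name, text, must, fix in RULES}

def compliance_pct(results):
    passed = sum(status == "PASS" for status, _ in results.values())
    return round(100 * passed / len(results), 1)

def substring_false_matches(config):
    """Rules where naive `text in config` matches but no real line does."""
    return [name for name, text, _, _ in RULES
            if text in config and not line_present(text, config)]

# Constructed sample running config (not from a real device).
BAD = """\
no service password-encryption
enable password example
ntp server 10.1.1.1001
snmp-server group SNMPV3GRP v3 priv
logging host 10.1.1.5
"""

if __name__ == "__main__":
    for rule, (status, fix) in check_config(BAD).items():
        print(f"{rule:20} {status}  {fix or ''}")
    print("compliance:", compliance_pct(check_config(BAD)), "%")
    print("substring would wrongly match:", substring_false_matches(BAD))
```
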

Try It Yourself

Define 5 compliance rules for your environment. Run against 3 test devices. Review the report and fix any non-compliant configs.
