Cisco Compliance Audit Runbook

Cisco IOS-XE Compliance Audit: One-Page Runbook¶

This runbook is a compact operational guide for change windows and the v4.0 remediation lifecycle workflow.

Version Alignment

This runbook reflects Cisco IOS-XE Compliance Auditor v4.0 (March 2026).

Primary deep dive:

Cisco IOS-XE Compliance Audit

Scope¶

Use this workflow to:

Run audits and generate reports
Review remediation packs
Approve or reject remediation packs with change control metadata
Apply one approved pack or all approved packs
Re-verify compliance posture after implementation

Pre-Checks (Start Here)¶

Confirm Linux/macOS/WSL execution environment (no native Windows PyATS runtime).
Confirm config and inventory paths are correct.
Confirm credentials are available (keyring, environment variables, or prompt).
Confirm remediation execution policy in YAML if you plan to apply changes.
If required, enable ROI settings in audit_settings.roi.

Standard Operating Procedure¶

1) Run Baseline Audit¶

python -m compliance_audit -c compliance_audit/compliance_config.yaml

Expected outcome:

HTML/JSON/CSV reports are generated in output directory.
Remediation scripts and review packs are generated for failing findings.

2) Review Pack Queue¶

python -m compliance_audit --remediation-list pending

Decision logic:

Approve if in scope and operationally safe.
Reject if out of policy, risky, or outside change window.

3) Approve or Reject Packs¶

Approve one:

python -m compliance_audit --remediation-approve <PACK_ID> --approver "john.doe" --ticket-id "CHG0012345"

Approve all pending:

python -m compliance_audit --remediation-approve-all --approver "john.doe" --ticket-id "CHG0012345"

Reject one:

python -m compliance_audit --remediation-reject <PACK_ID> --approver "john.doe" --reason "Out of approved change scope"

4) Preflight Before Apply (Recommended)¶

Single pack preflight:

python -m compliance_audit --remediation-apply <PACK_ID> --apply-dry-run

Bulk preflight:

python -m compliance_audit --remediation-apply-all --apply-dry-run

5) Apply Approved Packs¶

Apply one pack:

python -m compliance_audit --remediation-apply <PACK_ID>

Apply all approved packs:

python -m compliance_audit --remediation-apply-all

If high-risk packs are blocked and exception approval exists:

python -m compliance_audit --remediation-apply <PACK_ID> --allow-high-risk
python -m compliance_audit --remediation-apply-all --allow-high-risk

6) Post-Apply Verification¶

python -m compliance_audit --remediation-list applied
python -m compliance_audit --remediation-list failed
python -m compliance_audit -c compliance_audit/compliance_config.yaml

Safety Rules¶

Do not apply remediation outside authorized change windows.
Always run --apply-dry-run before production apply.
Do not approve packs without ticket and risk validation.
Treat --allow-high-risk as exception-only.
Prefer --remediation-apply-all only after queue review.

Troubleshooting Quick Table¶

Symptom	Likely Cause	Action
Remediation workflow disabled	`remediation.enabled: false`	Enable `audit_settings.remediation.enabled`
Execution disabled	`execution.enabled: false`	Enable `audit_settings.remediation.execution.enabled`
Approval expired	TTL elapsed	Re-run audit and approve new pack
Checksum mismatch	Script changed after approval	Re-run audit and approve fresh pack
High-risk blocked	Policy enforcement active	Use `--allow-high-risk` only with approval
Hostname mismatch	Device identity mismatch	Validate inventory and target prompt before apply

Fast Pass Criteria¶

All criteria should pass before closure:

No critical FAIL findings remain in changed scope.
No unexpected score regressions on unaffected devices.
Applied packs show successful status (or documented exception).
Change evidence package includes baseline and post-change reports.

Daily Operator Checklist¶

Run audit.
Review pending queue.
Approve or reject with ticket mapping.
Run apply preflight dry-run.
Apply approved pack(s).
Verify applied/failed status.
Re-run audit for closure evidence.