Monitoring BMC Cloud Lifecycle Management service compliance
Compliance and security checks are of prime importance to IT administrators when managing data centers. Security breaches take place because of insufficient security/compliance checks, which make the system vulnerable to outside attacks. BMC Cloud Lifecycle Management leverages BMC Server Automation, a leading solution for creating and managing compliance content and remediating violations. BMC Server Automation patches the vulnerable systems by applying security patches and normal updates. Compliance and overall security are often treated as day 2 operations after a server is provisioned. Use the BMC Cloud Lifecycle Management – My Cloud Services Console or End User Portal (EUP) to set compliance as a day 2 operation in a greenfield or brownfield environment. Use the BMC Cloud Lifecycle Management – Administration Console to set compliance by using the service blueprint.
See the following BMC Communities video series to learn more about configuring and enabling compliance in BMC Cloud Lifecycle Management:
- Overview of Compliance and setting up Compliance in Greenfield and Brownfield environment (part 1) (6:19) at https://youtu.be/DLVsXwU2xtk
- Configuring Compliance for Single and Multiple Servers (part 2) (5:07) at https://youtu.be/BCjPIvVkQIg
- Viewing the Activity logs and interpreting the Compliance result (part 3) (4:30) at https://youtu.be/192NwBZ4Mek
- Enabling server compliance in BMC Cloud Lifecycle Management using BMC BladeLogic Server Automation (5:36) at https://youtu.be/uyY0CQyv34c
Overview of Compliance
BMC Server Automation Compliance Content provides component templates for the following regulatory standards and best-practice policies:
- Health Insurance Portability and Accountability Act (HIPAA)
- Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG)
- Sarbanes-Oxley (SOX) Act
- Payment Card Industry (PCI) Data Security Standard (DSS) requirements developed by the PCI Security Standards Council
- Center for Internet Security (CIS) benchmarks
Results from analyses performed based on Compliance Content component templates can be used both to document the current situation and as a basis for bringing non-compliant servers into full compliance with the standard. Using BMC Server Automation Compliance Content, you can
- Discover relevant target servers and analyze those servers for compliance with major regulatory standards and best-practice policies
- Remediate compliance failures that were discovered by deploying BLPackages
- Generate reports with summaries of compliance details, similar to policy audit sheets
For a list of Compliance Content component templates, see Compliance Content component templates.
For more information about using Compliance Content add-ons to analyze and remediate compliance with standard policies, see Compliance Content analysis and remediation.
Notes
The pre-defined component templates provided in BMC Server Automation Compliance Content libraries reflect a generic interpretation of the compliance standards, and cannot take into account the specific situation within your organization. Therefore, certification cannot be assumed and is not implied based solely on successfully complying with the rules within these templates. Additional measures, such as manual compliance checks, may be required to achieve certification.
The Payment Card Industry (PCI) Data Security Standard templates are provided in two groups, one group of templates for PCI version 1 and one group for PCI version 2.
Warning
The BMC Regulatory Compliance Templates (Policies) provided by BMC come with remediation actions for many of the standard checks; where a rule check fails, corrective action may be necessary to bring servers to the desired state. BMC recommends that customers carefully review all the shipped remediation actions. BMC supplies an Auto remediation flag, which is set to false by default to ensure that no changes are made to the managed servers when certain compliance rule checks fail. If the auto remediation flag is set to true, BSA makes changes to servers as part of the remediation package deploy job. It is the customer's responsibility to ensure and control the remediation actions, including auto remediation actions, performed in their environment.
For an overview of compliance analysis and remediation, see Analyzing system compliance in the BMC Server Automation Documentation.
Supported platforms for compliance
The following table lists the platforms that support compliance:
Platform | Day 1 compliance support | Day 2 compliance support |
---|---|---|
VMware | Supported | Supported |
LPAR | Supported | Supported |
Hyper-V | Supported | Supported |
Bare Metal | Supported | Supported |
Physical Server | Supported | Supported |
Xen | Supported | Supported |
VM Onboarding | Not Supported | Supported |
AWS | Supported | |
vCloud Director | Not Supported | Not Supported |
OpenStack | | |
Azure | | |
Azure Resource Manager (new in 4.6.06) | Supported | Supported |
Docker | Not Supported | Not Supported |
IBM Bluemix Infrastructure | Not Supported | Not Supported |
BMC Database Automation | Not Supported | Not Supported |
Cloud Foundry | Not Supported | Not Supported |
Note
Starting from version 4.6.03, compliance at the service level is available for AWS, OpenStack, and Azure.
Setting up compliance in a Greenfield environment
By default, BMC Cloud Lifecycle Management supports HIPAA, PCI, SOX, DISA, CIS, and custom templates created by the BMC Server Automation administrator. To configure compliance in a new BMC Cloud Lifecycle Management installation, the cloud administrator must perform the following tasks:
- After successfully installing BMC Server Automation, locate and download the Compliance Module installer for your platform (for example, BBSA 8.7.00 Server Automation for Windows[x64]) from the BMC EPD site http://usermanager.bmc.com/intepd.
The installer contains Compliance templates, which BMC releases periodically.
- Unzip the downloaded file (for example, BBSA87-WIN64).
- Double-click the executable file (for example, Content87-WIN.exe) and install the entire content or selected content based on your requirement.
For detailed information on BMC's Compliance solution, see Installing Compliance Content add-ons and How to load Compliance Content in the BMC Server Automation online technical documentation.
Note
If the cloud administrator uses domain-based user authentication instead of the standard BLAdmin user, the cloud administrator must ensure that the specified domain user has read, write, and execute permissions on BMC Server Automation objects.
- Restart the Platform Manager.
Compliance jobs are then created automatically. These jobs are visible as compliance standards in BMC Cloud Lifecycle Management.
- (Optional) To enable compliance during provisioning, ensure that you select the Enable auto-discovery check box in BMC Server Automation for the specific compliance job that you selected when you set up the service blueprint.
Setting up compliance in a Brownfield environment
To configure compliance in BMC Cloud Lifecycle Management when a customer already has BMC Server Automation with the compliance feature up and running, the cloud administrator must integrate the existing BMC Server Automation server with the BMC Cloud Lifecycle Management environment by performing the following tasks:
- Use the BMC BladeLogic Server Automation Console to log in to the BMC Server Automation application server.
- Navigate to a specific job (for example, CIS_Daily).
- Set the CSM_OPS_DISCOVERABLE server property to true.
Note
CSM_OPS_DISCOVERABLE is added automatically in the BMC Server Automation server under the Job Property class when BMC Cloud Lifecycle Management starts up and connects to BMC Server Automation.
In other words, in a brownfield environment, when you upgrade to BMC Cloud Lifecycle Management version 4.6, this property is created automatically during startup.
The selected compliance jobs show as compliance standards in BMC Cloud Lifecycle Management in the next scheduled update.
- (Optional) To enable compliance during provisioning, ensure that you select the Enable auto-discovery check box in BMC Server Automation for the specific compliance job that you selected when you set up the service blueprint.
Note
If you change the compliance content after the existing Compliance jobs are completed, the changed contents are not part of their respective templates and therefore, the BMC Server Automation administrator (BLAdmin) must manually add the new templates to the Compliance jobs and run the necessary Discovery jobs for the existing servers. The servers provisioned after adding the new templates are automatically discovered by using the new templates added to the respective jobs.
Configuring compliance for third-party providers
Setting up compliance for platforms such as Azure, Amazon Web Services (AWS), and OpenStack starting from version 4.6.03 and later is similar to that for BMC Server Automation, which is an on-premises provider. For details on how to set compliance, see Creating, copying, or editing a service blueprint and Configuring compliance for multiple servers.
Prerequisites
Before you enable compliance for third-party providers, ensure that the following prerequisites are met:
- The RSCD agent is installed and running on the provisioned VM.
- The provisioned VM is on a BMC Server Automation-accessible network so that the RSCD agent is accessible from BMC Server Automation when the Compliance Job is executed.
Note
The Compliance Job status does not show up in BMC Server Automation because the Compliance Jobs are queued up for execution. By design, Azure instance endpoints for RSCD cannot be opened simultaneously. The CloudService port forwarding logic opens up only one VM port at a time. As a workaround, you can use a VPN. In the Compliance Job, you can configure a start hook and an end hook where the port can be opened and closed respectively.
Configuring compliance for a single server
If compliance is not configured at service definition time or compliance needs to be changed post provisioning, the cloud administrator can configure compliance using the My Cloud Services console or End User Portal (EUP).
Perform the following steps if you want to specify a compliance standard for a single server:
- Navigate to My Cloud Services console > My Resources tab > Resource list.
- Click the hyperlink for the specific server as shown in the following figure:
- On the Server details page, click Configure Compliance as shown in the following figure:
Note
You can also perform steps 2 and 3 by selecting the check box to the left of the specific server, and then from the Actions section, selecting Configure Compliance. Note that the Actions section appears on specific column values depending on the context.
- On the Configure Compliance dialog box, in the Search Compliance Jobs field, specify a compliance job that must be run.
Note
By default, compliance jobs are scheduled Daily, Weekly, or Monthly. Compliance is designed to be executed in compliance windows set by the BMC Server Automation administrator. Compliance jobs are executed on schedules set by the BMC Server Automation administrator.
To schedule compliance jobs, the BMC Server Automation administrator must perform the following tasks:
- Use the BMC BladeLogic Server Automation Console to log in to the BMC Server Automation application server.
- Navigate to a specific job (for example, DISA_Weekly).
- Double-click the selected job and go to Schedule.
- Edit the existing schedule to set a value based on the organization's compliance window.
For details about setting compliance schedules in BMC Server Automation, see Compliance Job - Scheduling.
- Click OK.
After compliance is configured, the compliance of your servers is displayed as shown in the following figure:
- (Optional) Modify existing compliance or add new compliance by clicking Add/Remove Jobs.
Note
On the My Cloud Services console > My Resources tab > Compliance pane, the details for a selected server show only the last job run, even if that server has multiple compliance jobs associated. For example, if the server has three jobs, the Compliance pane does not show the details for all three jobs; it shows only one job's last-run status details.
(Optional) Clear the selected compliance standards from a server to remove any associated compliance.
Note
If PCI compliance is set for a server, the discovery job creates a compliance component under the PCI template. However, if you change the compliance to DISA, a new component is created for this server under DISA, but the PCI component is not deleted. The earlier component (PCI) is harmless and remains in BMC Server Automation until the server is decommissioned.
Therefore, when the compliance standard for the server is changed, you must manually delete the discovery signature from BMC Server Automation.
Configuring compliance for multiple servers
The cloud administrator must select multiple servers to perform the following actions:
Adding the same compliance standard to several servers at a time
The cloud administrator must perform the following steps to specify the same compliance standard for several servers at a time:
- Navigate to My Cloud Services console > My Resources tab > Resource list.
- Select one or more check boxes to the left of the servers list.
- Click the Actions menu.
The Actions menu appears on specific column values depending on the context.
- Select Configure Compliance from the menu.
- On the Configure Compliance dialog box, in the Search Compliance Jobs field, specify a compliance job that must be run.
- Click OK.
Changing the existing compliance standard on several servers at a time
The cloud administrator must perform the following steps to modify the compliance standard for several servers at a time:
- Navigate to My Cloud Services console > My Resources tab > Resource list.
- Select one or more check boxes to the left of the servers list.
- Click the Actions menu.
The Actions menu appears on specific column values depending on the context.
- Select Configure Compliance from the menu.
- On the Configure Compliance dialog box, under the Search Compliance Jobs field, clear the check box for the existing compliance job or specify an additional compliance job.
In the following example, the same compliance jobs, PCI_Daily and HIPPA_Daily, exist on all the selected servers:
In the following example, different compliance jobs, PCI_Daily and SOX_Daily, exist on the selected servers:
- Click OK.
Viewing the Activity Log when compliance is configured
After compliance is configured, cloud administrators can navigate to Cloud Services console > My Resources tab > Activity Log to view the progress or check if any failures have occurred during the process.
The following figure shows the Activity Log as soon as compliance is set:
The following figure shows the Activity Log when compliance configuration is in progress:
The following figure shows the Activity Log when compliance configuration is completed:
The following table lists the various activities that take place when you configure compliance for two servers shown in the preceding figure:
Activity | Description |
---|---|
Server - Server Activity | Main job triggered to configure compliance on both the servers |
Server - byqcert-1 | Compliance configuration job on the first server |
Server - sant -1 | Compliance configuration job on the second server |
Service - Windows 2008 with Custom Inputs -1 | Service affected owing to compliance configuration job on the first server |
Service - SantoshKamble - 1 | Service affected owing to compliance configuration job on the second server |
Interpreting the compliance result
Cloud administrators, tenant administrators, or end users can view the compliance results displayed for each server as well as service. Compliance for a Server is a direct reflection of results fetched from BMC Server Automation. The compliance percentage for a server is calculated as the total number of successful rules/total rules.
For example, consider that a server has PCI and CIS configured with each having 100 rules. After both the PCI and CIS jobs run complete, let’s say that the total number of successful rules are 85 and 91 respectively. Then, the compliance percentage for the server is calculated as 176/200 = 88.00%.
In the case of a Service, the lowest compliance percentage attained by the server is displayed.
Icons in the COMPLIANCE RESULT column indicate the overall compliance for the servers on which compliance is configured.
- A green check mark indicates that the server is COMPLIANT.
- An orange check mark indicates that the server is COMPLIANT_WITH_FAILURES. You should monitor those failures and consider improvements to the overall compliance health.
- A red check mark indicates that the server is NON_COMPLIANT.
- A grey check mark indicates that the server compliance is UNKNOWN. BMC Cloud Lifecycle Management cannot determine the compliance for that server because the compliance job failed or has not yet run.
Interpreting the Server Compliance state (Server COMPLIANCE RESULT column in the EUP)
- If all the jobs are in NOT_RUN state (-), the Server state will be NOT_RUN (-).
- If one of the jobs is in COMPLIANT state and all the remaining are in NOT_RUN state, the Server state will be COMPLIANT.
- If one of the jobs is in NON_COMPLIANT state, the Server state will be NON_COMPLIANT irrespective of other job states.
- If one of the jobs is in UNKNOWN state, the Server state will be UNKNOWN.
Interpreting the Service Compliance state (Service COMPLIANCE RESULT column in the EUP)
- If all the servers are in NOT_RUN state, the Service state will be NOT_RUN.
- If one of the servers is in COMPLIANT state and all the remaining are in NOT_RUN state, the Service state will be COMPLIANT.
- If one of the servers is in NON_COMPLIANT state, the Service state will be NON_COMPLIANT irrespective of other server states.
- If one of the servers is in UNKNOWN state, the Service state will be UNKNOWN.
Interpreting the Server/Service Job state (COMPLIANCE JOB STATUS column in the EUP)
- If all the jobs are in COMPLETED state, the COMPLIANCE JOB STATUS will be COMPLETED.
- If one of the jobs is in NOT_RUN state and all the remaining are in COMPLETED state, the COMPLIANCE JOB STATUS will be CONFIGURED_NOT_RUN.
- If one of the jobs is in FAILED state, the COMPLIANCE JOB STATUS will be FAILED irrespective of other server states.
Notes
The compliance result is computed from the number of rules that succeed and not by individual rules. Therefore, if a user has added the same rule multiple times in different qualifying jobs, the compliance result shows the collective rule failure.
When a compliance standard is associated with a server, two automated tasks are performed:
- Adding the server to the specified smart group designed for the Compliance job
- Running an internal Discovery job, which qualifies the server for a specific compliance template. If a failure occurs in the Discovery job, the compliance result for the server is not computed. The BMC Server Automation administrator must correct the anomalies, which are generally due to a mismatch, such as a Windows 2008 template being validated for a server running Windows 2012 R2.
Customizing configuration for compliance
The cloud administrator can set the compliance results interval and compliance threshold percentages by updating the following properties in the providers.json file:
- BBSA_OPS_COMPLIANCE_RESULT_FETCH_INTERVAL: Specifies the interval in minutes after which the Platform Manager checks with BMC Server Automation for compliance results from the Compliance Jobs.
- COMPLIANCE_PERCENTAGE_THRESHOLD_MAX: Specifies the compliance limit in terms of percentage. Percentage values equal to and greater than this specified value are considered to be COMPLIANT.
- COMPLIANCE_PERCENTAGE_THRESHOLD_MIN: Specifies the compliance limit in terms of percentage. Percentage values equal to and greater than this specified value but less than COMPLIANCE_PERCENTAGE_THRESHOLD_MAX are considered to be COMPLIANT_WITH_FAILURES. Percentage values less than this specified value are considered to be NON_COMPLIANT.
The following figure shows compliance thresholds pictorially:
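As an added example (not BMC code), the following Python models the rules described in the "Interpreting the compliance result" and "Customizing configuration for compliance" sections: the successful-rules/total-rules percentage, the threshold bands, and the server, service, and COMPLIANCE JOB STATUS roll-ups. The threshold values and the position of COMPLIANT_WITH_FAILURES in the roll-up precedence are assumptions, not values from the page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Sample threshold values (constructed; the real values live in providers.json).
COMPLIANCE_PERCENTAGE_THRESHOLD_MAX = 90.0
COMPLIANCE_PERCENTAGE_THRESHOLD_MIN = 70.0

# Precedence when rolling job states up to a server and server states up to a
# service. NON_COMPLIANT and UNKNOWN dominate as the page states; placing
# COMPLIANT_WITH_FAILURES between UNKNOWN and COMPLIANT is an assumption.
STATE_PRECEDENCE = ("NON_COMPLIANT", "UNKNOWN", "COMPLIANT_WITH_FAILURES", "COMPLIANT")


@dataclass
class JobResult:
    """Last run of one compliance job on one server (constructed sample data)."""
    name: str
    status: str              # COMPLETED, NOT_RUN or FAILED
    passed_rules: int = 0
    total_rules: int = 0


def server_percentage(jobs: Iterable[JobResult]) -> Optional[float]:
    """Successful rules / total rules across all completed jobs; None if nothing ran."""
    done = [j for j in jobs if j.status == "COMPLETED"]
    total = sum(j.total_rules for j in done)
    if total == 0:
        return None
    return round(100.0 * sum(j.passed_rules for j in done) / total, 2)


def classify(pct: Optional[float],
             max_t: float = COMPLIANCE_PERCENTAGE_THRESHOLD_MAX,
             min_t: float = COMPLIANCE_PERCENTAGE_THRESHOLD_MIN) -> str:
    """Map a percentage onto the bands: >= MAX, [MIN, MAX), < MIN."""
    if pct is None:
        return "UNKNOWN"
    if pct >= max_t:
        return "COMPLIANT"
    if pct >= min_t:
        return "COMPLIANT_WITH_FAILURES"
    return "NON_COMPLIANT"


def rollup_state(states: Iterable[str]) -> str:
    """Server state from its job states, or service state from its server states."""
    present = set(states)
    for state in STATE_PRECEDENCE:
        if state in present:
            return state
    return "NOT_RUN"


def rollup_job_status(statuses: Iterable[str]) -> str:
    """COMPLIANCE JOB STATUS column: FAILED wins, then a job that has not run."""
    present = set(statuses)
    if "FAILED" in present:
        return "FAILED"
    if "NOT_RUN" in present:
        return "CONFIGURED_NOT_RUN"
    return "COMPLETED"


def service_percentage(server_pcts: Iterable[Optional[float]]) -> Optional[float]:
    """A service shows the lowest percentage among servers that have a result."""
    known = [p for p in server_pcts if p is not None]
    return min(known) if known else None
```

With the page's PCI (85/100) and CIS (91/100) example, `server_percentage` returns 88.0, which the sample thresholds classify as COMPLIANT_WITH_FAILURES.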
Decommissioning compliance
The cloud administrator must perform the following steps to decommission the compliance jobs for several servers at a time:
- Navigate to My Cloud Services console > My Resources tab > Resource list.
- Select one or more check boxes to the left of the servers list.
- Click the Actions menu.
The Actions menu appears on specific column values depending on the context.
- Select Configure Compliance from the menu.
- On the Configure Compliance dialog box, under the Search Compliance Jobs field, clear the check box for the existing compliance jobs.
- Click OK.