Remediating violations

BMC Helix Cloud Security enables you to remediate violations of associated policies. When you onboard and configure a connector, you onboard the compliance policies for the connector. When that connector begins running, remediation content packs are onboarded, which contain out-of-the-box remediation actions that you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy. Once a rule is evaluated as non-compliant, you can trigger an action on the connector to fix the violation. During the next evaluation cycle, the resource becomes compliant.

Remediation actions are available and supported for the AWS policies detailed in System requirements.

You can initiate remediation in BMC Helix Cloud Security by performing the following tasks:

Associating a remediation action with a rule

  1. Select Manage > Policies.
  2. From the list of displayed policies that have been imported, click a policy to view the rules that apply to that policy.

    The policy details are displayed, showing all the rules assigned to the selected policy, the severity, and the number of configured actions that are available.
  3. Select a rule to enable the Actions menu for that rule.

    Note

    Actions for the rules of a policy are disabled by default when the content is onboarded.
  4. Remediation can be enabled or disabled under Actions on the Policy Details page.

    • To enable remediation, click Actions and then choose the preferred type of remediation from the following two types:
      1. Auto Remediation: The remediation action takes place automatically if the selected rule has been violated.
      2. On-Demand Remediation: The remediation action takes place at the user's discretion if the selected rule has been violated.
    • To disable remediation, click Actions and then choose the Disable Remediation option from the cascading menu.


    A message is displayed indicating that the policy action mapping has been successfully enabled.

    Note

    The connector must be running for the remediation action to be successful.

Remediating the compliance violation

  1. Click Violations on the top navigational bar.

    You can filter the display using the menus in the filter bar, as well as click on any of the column headings to sort the display.

  2. Click the rule within the policy that was previously mapped to the remediation action. The resources associated with the specific rule violation are displayed on the Violation Details page.

    Information on the policy name, connector name and reference ID is displayed along with an option to choose the type of remediation for the listed resources under Remediation.

  3. Select the checkbox to the left of the resource you want to remediate. You can select more than one resource.
  4. Click Remediation Actions. (This button is enabled only after you have selected a resource and if content is available for that resource.)

  5. From the Violations widget on the Dashboard, click the section of the widget to view the rules in the policy and locate the rule selected previously.
    The rule is remediated after the next collection cycle. You might have to refresh your browser to see the change in status.

The remediation trigger for the listed resources can be enabled and set to either Auto or On Demand under Remediation. It can be disabled for selected resources by clicking Disabled under Remediation.

Editing the remediation action

  1. Go to Manage > Policies and click the required policy in the Policy column. The Policy Details page lists the rules associated with the selected policy.
  2. In the row for the rule name, click Add under the Actions column.
  3. On the Remediation tab, click Edit.

  4. Complete the following fields:

    Description: Type a description for the rule (for example, Ensure CloudTrail log file validation is enabled).
    Connector: Choose the connector instance associated with this remediation action from the menu, if applicable.
    Content Type: Choose the content type for this remediation action from the menu (for example, AWS CIS CloudTrails Remediation_1.0.0).
    Action Type: Choose the type of this remediation action from the menu.
    Action Name: Displays the name of this remediation action.
    Action: Select the required status of the configured remediation action (AUTO, On Demand or DISABLED).
    Parameters: Set the following parameters for this remediation action:
    Key (Required): Choose the parameter key (module, function, parameter, value) from the menu.
    Value (Required): The value that represents the pattern of the parameter. This value varies based on the key selected. For example, for a parameter key backupRetentionPeriod, the corresponding value will be a number between 0 and 35. For a parameter key of applyImmediately, the corresponding value will be true or false.
    Source: Choose the source of the parameter (IMPLICIT, CONNECTOR, RESULT, OTHER) from the menu.
    Type: Choose the type of the parameter (STRING, NUMBER, BOOL, OBJECT) from the menu.
    Description: The description of the parameter. You can set this parameter value to a number between 1 and 35.

    IMPORTANT: Hover over the Description field to view requirements specific to the description values for the corresponding parameter key and value. For example, for a backupRetentionPeriod key, the corresponding description must be 0-35; however, changing the value from 0 to a non-zero value or from a non-zero value to 0 might result in an outage because this value controls the number of days to retain automated backups.

     

  5. (Optional): Perform one of the following steps to modify the parameters for the remediation action:
    1. To add parameters, click Add Parameters at the bottom of the parameter block and specify the values that are described for the Parameter field in Step 3 (Key is required).
    2. To delete a parameter, click the red "x" icon to the right of the Key parameter in the parameter block.
  6. (Optional): Perform one of the following steps to modify the remediation action:
    1. To add a remediation action, click Add an action at the top of the remediation tab and specify the values that are described for the fields in Step 4.
    2. To delete a remediation action, click the trash can icon to the right of the action and then click Yes, delete action to confirm.
  7. Click Save to save the changes to the remediation action.
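
The parameter constraints described in step 4 can be checked before a change is saved. The following is an added example, not BMC Helix code: it validates a parameter block against the ranges and menu values listed above and flags a backupRetentionPeriod change to or from 0. The dict layout, the function names and the sample values are assumptions made for illustration.

```python
# Added example: pre-save check for a remediation parameter block.
# The dict layout is an assumption for illustration, not a BMC Helix format.
ALLOWED_SOURCES = {"IMPLICIT", "CONNECTOR", "RESULT", "OTHER"}
ALLOWED_TYPES = {"STRING", "NUMBER", "BOOL", "OBJECT"}


def check_parameter(param, current_value=None):
    """Return findings for one parameter entry; an empty list means OK."""
    findings = []
    key, value = param.get("key"), param.get("value")
    has_value = value is not None and value != ""
    if not key:
        findings.append("Key is required")
    if not has_value:
        findings.append("Value is required")
    if param.get("source") is not None and param["source"] not in ALLOWED_SOURCES:
        findings.append("Source must be IMPLICIT, CONNECTOR, RESULT or OTHER")
    if param.get("type") is not None and param["type"] not in ALLOWED_TYPES:
        findings.append("Type must be STRING, NUMBER, BOOL or OBJECT")
    if key == "backupRetentionPeriod" and has_value:
        # bool is a subclass of int in Python, so reject it explicitly.
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if not is_int or not 0 <= value <= 35:
            findings.append("backupRetentionPeriod must be a number between 0 and 35")
        elif current_value is not None and (current_value == 0) != (value == 0):
            findings.append("WARNING: change to or from 0 might result in an outage")
    if key == "applyImmediately" and has_value and not isinstance(value, bool):
        findings.append("applyImmediately must be true or false")
    return findings


def check_block(params, current=None):
    """Check every entry; `current` maps keys to the values in effect now."""
    current = current or {}
    report = {}
    for p in params:
        findings = check_parameter(p, current.get(p.get("key")))
        if findings:
            report[p.get("key") or "<missing key>"] = findings
    return report


# Constructed sample input, not taken from a real connector.
SAMPLE = [
    {"key": "backupRetentionPeriod", "value": 7, "source": "OTHER", "type": "NUMBER"},
    {"key": "applyImmediately", "value": "yes", "source": "OTHER", "type": "BOOL"},
]
if __name__ == "__main__":
    print(check_block(SAMPLE, {"backupRetentionPeriod": 0}))
```

Source and Type are checked only when supplied, because the page marks only Key and Value as required.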

Performing next steps

For more information about policies, see Managing policies.

To practice performing a remediation by following an actual use case, see Walkthrough: Remediating an AWS compliance violation.
