Remediating compliance results

After running a Compliance Job based on one of the Compliance Content component templates, you can access job results and manually remediate the configuration of components that failed the Compliance Job. The remediation process runs a Deploy Job and deploys one of the BLPackages provided in the Compliance Content libraries, as specified in the remediation options of a specific compliance rule.

After performing remediation, you can still change your mind and undo the remediation.

Before you begin

  • As of Service Pack 3 for BMC Server Automation 8.2, remediation for the CIS - Windows Server 2008 template and the PCIv2 - Windows Server 2008 template is provided for both Member Servers and Domain Controller servers. For Domain Controller servers, remediation is provided on Default Domain Controller Security Policy and/or Default Domain Security Policy, as per the settings you have specified for the REMEDIATE_SETTING_FOR_GPO template property. 

    Before performing the remediation operation, you must ensure that you have set appropriate values for the following properties:

    Property                     Description
    REMEDIATE_SETTING_FOR_GPO    Use this template property to specify the GPO Policy to be remediated.
                                 The default is Default Domain Controller Security Policy and Default Domain Security Policy. If necessary, you can set the value to only one of the two policies (either Default Domain Controller Security Policy or Default Domain Security Policy).
    DOMAIN                       Use this server property to specify the type of server on which to remediate: either DC (Domain Controller) or MS (Member Server).


    In addition, ensure that you have set appropriate values for the following properties in the Server built-in property class. For more information, see CIS properties in the Server built-in property class or PCIv2 properties in the Server built-in property class.

    • IS_DOMAIN_CONTROLLER
    • IS_SSLF
    • PCI Properties or CIS Properties

      Note

      Remediation of audit rules for the CIS - Windows Server 2008 template and the PCIv2 - Windows Server 2008 template is not supported on Windows 2008 R2 target servers. 

  • Remediation for any policy on Windows or Linux computers fails if any built-in users or groups that are referred to in rules in the component template are renamed or deleted. You must modify or delete the offending user names or group names within the rules and remediation packages in the component template before you can successfully perform remediation.
  • Remediation and undo of audit rules for the CIS - RedHat Linux 5 and PCIv2 - RedHat Linux 5 templates will not take effect if the /etc/audit/audit.rules file contains the -e 2 entry. You must manually remove the entry and restart the target server.
  • In the component templates for any policy on a Windows operating system, rules for security settings are designed to check both the local settings and the effective settings. However, on a Member Server only the local settings are modified during remediation, because effective settings are pushed only from the domain controller. As a result, rules for user rights and security settings on a Member Server will show as non-compliant even after running a remediation job if effective settings, which reflect the Group Policy Objects (GPOs), are not in line with the compliance policy design. In such a case, consult your local system administrator to bring the Group Policy in line with the BMC Server Automation Compliance Policy.
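The audit.rules caveat above is one a practitioner would want to check before launching the remediation job. The following shell script is an added example, not BMC Server Automation code; the function names are hypothetical and the two rules files it inspects are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not BMC code. Hypothetical pre-flight check for the auditd
# immutable flag ("-e 2") in /etc/audit/audit.rules: once that flag is loaded,
# audit rules cannot be changed until the target restarts, so remediation or
# undo of the RedHat Linux 5 audit rules will silently not take effect.

# audit_rules_immutable <rules-file>
# Returns 0 if the file has an active "-e 2" entry, 1 if not, 2 if unreadable.
# Comments are stripped first; "-e2" is accepted as auditctl reads it the same.
audit_rules_immutable() {
    [ -r "$1" ] || return 2
    sed 's/#.*//' "$1" | grep -Eq '(^|[[:space:]])-e[[:space:]]*2([[:space:]]|$)'
}

# report_immutable_entries <rules-file>
# Prints each offending line with its line number so an administrator knows
# exactly what to remove before the required restart.
report_immutable_entries() {
    grep -nE '^[^#]*(^|[[:space:]])-e[[:space:]]*2([[:space:]]|$)' "$1"
}

# Constructed sample rules files (not captured from a real server), written to
# a temporary directory so the check can be demonstrated offline.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
    '# constructed sample: CIS-style rules locked with -e 2' \
    '-D' \
    '-b 8192' \
    '-w /etc/passwd -p wa -k identity' \
    '-w /etc/audit/audit.rules -p wa -k audit-config' \
    '-e 2' > "$SAMPLE_DIR/locked.rules"
printf '%s\n' \
    '-D' \
    '-b 8192' \
    '# -e 2   (commented out, so the rules stay changeable)' \
    '-w /etc/passwd -p wa -k identity' \
    '-e 1' > "$SAMPLE_DIR/unlocked.rules"

for f in "$SAMPLE_DIR/locked.rules" "$SAMPLE_DIR/unlocked.rules"; do
    if audit_rules_immutable "$f"; then
        echo "$f: immutable flag set, remediation will not take effect:"
        report_immutable_entries "$f"
    else
        echo "$f: no active -e 2 entry, remediation can proceed"
    fi
done
```

Run it against the real /etc/audit/audit.rules on each target before the Remediate step; a non-zero report means the entry must be removed and the server restarted first, as the note above requires.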

Note

Although on a Member Server the User Rights Assignment and Security Options group of rules are designed to remediate only the local settings, the BMC Server Automation Console may display remediated values for both local and effective settings. Similarly, if you push a value from the domain controller, the BMC Server Automation Console may display that value for both local and effective settings. Consult your local system administrator to bring the Group Policy in line with the BMC Server Automation Compliance Policy.

To begin the remediation process

  1. Navigate to the relevant Compliance Job, right-click it, and select Show Results.
  2. In the content editor, expand a particular run of the Compliance Job.
  3. Under the Rules View node, navigate to the relevant component template, rule group, or single compliance rule, right-click it, and select Remediate.

For full instructions, see Manually remediating compliance results.
