Documenting Exceptions in BMC Server Automation
Originally contributed by Okey Mckown
This page assumes that:
- Discovery and Compliance have been run against the system.
- The user is familiar with viewing the results of compliance job runs through the GUI.
This page shows how to add exceptions from the Components section of the BMC Server Automation user interface. There are a number of advantages to using the Component view to handle system compliance and exceptions. Some of the advantages are:
- A component/compliance template can be run from any job folder, and the user can set the name of the template; however, no matter how many jobs are created to run discovery and compliance, only one component will be created. If more than one component with the same name is associated with a target, this usually indicates that a template was copied, not renamed, and the copy also ran against the target. If you see this, it is advisable to delete the components, rename the copy of the template, and re-run discovery.
- The raw output of any configuration file, extended object, or BladeLogic internal object can be made available for browsing through the component browse functionality.
- From the component browse screen, you can go to the Compliance tab and find all compliance results for all templates that have been executed against it, without having to know where the job is or what the job was named.
This procedure involves the following tasks:
To locate your components more efficiently, you can take advantage of Smart Groups.
In this example, we will browse to a component smart group created in a workspace that references all components of a compliance template called TESTING and open up a "table view" of the components within.
The advantage of using the table view is that it allows the user to highlight multiple components to add an exception to.
Browse components and determine exceptions
Right-click your component and select Browse.
Once in the live browse, you can then view the raw output of the objects used for rule evaluation.
Here we see that GEN001880 identified /home/test2/.bashrc.
Click on the Compliance tab to view the results of the compliance runs against this system associated with this template, find the most recent job run, open it, and browse to the rule you wish to create an exception for. In this example we have three items of interest.
- The message that indicates that the rule failed and that there are already exceptions for this rule in this template, but clearly none of them apply to this particular finding.
- The View Exceptions button if you have permissions to see exceptions.
- Most important, the path that you will need to know in order to create the exception.
In this example, we wish to exclude /home/test2/.bashrc.
The full path is "Extended Object Entry:GEN001880//\/home\/test2\/.bashrc".
In order to write an exception, three pieces of information are required.
- Method used to generate the result. As you will see later on, a pull-down select box of choices will be presented in the exception screen from which you choose that method. In this case it is Extended Object Entry.
- Name of the object that produced the result. In this case, we named it "GEN001880" after the GEN number for convenience, ease of use, and accurate identification of the vulnerability that this exception was created for.
- Actual result. This is the part after the two forward slashes "//", and here it reads "\/home\/test2\/.bashrc".
Now that you have identified the method used to generate the results, the name of the object that generated the results, and the actual result, it is now time to add the exception.
Return to the table view, highlight one or more components, right-click, and select Exceptions.
You will then be presented with the exceptions dialog which displays the names of current exceptions, who created them, when they were created, and when they expire. Choose the green plus sign to add an exception.
Here the documentation of the exception is provided. In this example, it was described as a POAM and has an expiration date of 2011/02/08.
Click the Associated Compliance Rules tab and then click the green plus icon at the top right to add a rule to this exception.
Find the rule(s), move it over to the right side, and click OK.
You will be returned to the previous dialog box and the rule will now be showing. Make sure that the rule that you wish to create an exception for is highlighted and then click the Edit icon at the top right that looks like a paper and pencil.
Now we are at the point where the three pieces of information gathered earlier will be needed. The three pieces of information were method (Extended Object Entry), object name (GEN001880), and the actual result (\/home\/test2\/.bashrc).
At this point you can continue to add other exceptions, making sure to preface each file with GEN001880// and to use a backslash to escape each forward slash in the Unix file name.
The path takes wildcards. Use them according to the following guidelines:
- One asterisk, *, exempts everything at the top level of the path only. For example, GEN001880//\/home\/test2\/* will exempt /home/test2/badfile, /home/test2/badfile2, and /home/test2/baddirectory, but will NOT exempt /home/test2/baddirectory/badfile3.
- Two asterisks, **, exempt everything in that path and, recursively, everything under it. For example, GEN001880//\/home\/test2\/** would effectively exempt all of test2 from this finding.
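The following is an added illustration, not BMC Server Automation's own matching code: it parses an exception path of the form "Method:Object//escaped result", unescapes the "\/" sequences, and applies the single- and double-asterisk semantics described above to the page's own examples. It assumes that, apart from the two wildcard rules, the result must match exactly.

```python
import re


def parse_exception_path(path: str) -> tuple[str, str, str]:
    """Split 'Method:Object//escaped-result' into (method, object, escaped-result)."""
    head, sep, escaped = path.partition("//")
    if not sep:
        raise ValueError("exception path must contain '//' before the result")
    method, colon, obj = head.partition(":")
    if not colon:
        raise ValueError("exception path must start with 'Method:Object'")
    return method, obj, escaped


def unescape_result(escaped: str) -> str:
    """Forward slashes in the Unix file name are written as '\\/' in the exception."""
    return escaped.replace("\\/", "/")


def pattern_to_regex(unescaped: str) -> re.Pattern:
    """'**' matches the path and everything under it; '*' matches within one level (no '/')."""
    parts = []
    i = 0
    while i < len(unescaped):
        if unescaped.startswith("**", i):
            parts.append(".*")
            i += 2
        elif unescaped[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(unescaped[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def exception_matches(exception_path: str, finding: str, method: str, obj: str) -> bool:
    """True if the exception covers a finding reported by the given method and object."""
    e_method, e_obj, escaped = parse_exception_path(exception_path)
    if (e_method, e_obj) != (method, obj):
        return False  # an exception for one object/rule never covers another
    return pattern_to_regex(unescape_result(escaped)).match(finding) is not None


if __name__ == "__main__":
    # Constructed check using the page's example path
    exc = r"Extended Object Entry:GEN001880//\/home\/test2\/*"
    print(exception_matches(exc, "/home/test2/badfile", "Extended Object Entry", "GEN001880"))
```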
Once all the exceptions have been added, click OK until you return to the main BMC Server Automation screen and the compliance results and re-run the compliance job.
After the job runs you will see:
The rule shows compliant now. However, when you browse it you will still see it come up in the results. Assuming nothing else has turned up in the scan, you will see: