Using component templates to ensure compliance for multiple instances of an application

A BMC Server Automation system offers many tools for ensuring compliance with organizational standards for application configurations.

This topic provides an example that demonstrates how these tools, when used together, can monitor and enforce compliance for multiple instances of the same application running on the same server.

In this example, suppose you are running multiple instances of an Oracle database on the same server, and you want to ensure that none of these instances are communicating over the standard Oracle port, 1521. Using the standard Oracle port makes it easier to gain unauthorized access to the database.

For the purposes of this example, two Oracle 10g instances are installed in the D:\oracle1 and D:\oracle2 directories.

The following procedure is a generalized description. Each step describes a BMC Server Automation procedure you can perform. Most steps include a reference to more detailed information about that procedure.

To ensure compliance for multiple instances of an application

  1. Create a component template that encapsulates Oracle compliance and focuses on port configurations. Name the template "Oracle Security." After creating the empty template, edit it by doing the following:
    1. In the component template definition, create a local property that can be used to define the path to the two Oracle instances. The property should be called ORACLE_PATH.
    2. Create two property instances. For one, define the ORACLE_PATH property to equal oracle1. For the other, define the ORACLE_PATH property to equal oracle2.
      For more information about local properties and property instances, see Local properties for a component template.
    3. Create a local configuration file for the listener.ora file. The path to listener.ora should include the local property you defined in the previous step, as follows:
      /d/??ORACLE_PATH??/product/10.1.0/Client_1/network/ADMIN/listener.ora
      For more information about local configuration files, see Local Configuration Objects tab for a component template.
    4. Add the listener.ora configuration file to the component template as a part. Use the following path to identify the component template part:
      /d/??ORACLE_PATH??/product/10.1.0/Client_1/network/ADMIN/listener.ora
      For more information about component template parts, see Parts tab for a component template.
    5. Create a signature for the component template. The only requirement for the signature is that the listener.ora file must exist.
      For more information about creating signatures, see Discover tab for a component template.
    6. Save the component template.
  2. Using the "Oracle Security" component template, run a Component Discovery Job on the server where the two instances of Oracle are installed. Using the criteria in the component template, the job should discover two components that match the signature.
    For more information about Component Discovery Jobs, see Creating and modifying Component Discovery Jobs.
  3. Create a BLPackage called "Oracle_port" that contains a version of the listener.ora configuration file that has the correct port — that is, some port other than 1521. To accomplish this, do the following:
    1. Identify a version of the listener.ora configuration file that contains the appropriate listening port. This port can be anything other than port 1521.
    2. Add this version of the listener.ora configuration file to the Depot as a BLPackage.
    3. Open the BLPackage for editing.
    4. Create a local property for the BLPackage called ORACLE_PATH.
    5. Save the BLPackage.  
      For more information about creating BLPackages, see Adding a BLPackage to the Depot.
  4. Open the "Oracle Security" component template and create a compliance rule called "Allowed Oracle Ports" by doing the following:
    1. Provide a definition for the compliance rule, as follows:
      A Configuration Entry using the /d/??ORACLE_PATH??/product/10.1.0/network/ADMIN/listener.ora//**/DESCRIPTION/ADDRESS/PORT path must exist, and Value1 (the first entry in the configuration file) cannot equal 1521.
      For more information about creating compliance rules, see Compliance tab for a component template.
    2. For remediation, select the "Oracle_port" BLPackage that you created in step 3.
    3. Define a value for the ORACLE_PATH local property of the BLPackage. Set the value to ??ORACLE_PATH??, which is the local property you created for the "Oracle Security" component template.
    4. Save the component template.
  5. Create a Compliance Job that uses the "Oracle Security" component template. Run the Compliance Job against the two components you discovered in step 2.
    Because you mapped the ORACLE_PATH local property for the BLPackage to the ??ORACLE_PATH?? parameter for the component template, the Compliance Job can iterate through all property instances defined for the "Oracle Security" template and prepare a remediation package for each instance that does not satisfy the compliance rule.
    For more information about running Compliance Jobs, see Creating Compliance Jobs.
  6. Using the results of the Compliance Job, correct any discrepancies you have identified in the listener.ora file by remediating the "Allowed Oracle Ports" compliance rule. This action deploys the "Oracle_port" configuration file so that the existing file is replaced with the approved version.
    For more information about remediating the results of Compliance Jobs, see Manually remediating compliance results.
    Note that you can also define the component template, the compliance rule, and the Compliance Job so that any compliance rule failures are automatically remediated. In this case, after running the Compliance Job, no user intervention is required.
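
The logic of the "Allowed Oracle Ports" rule, applied once per ORACLE_PATH property instance, is shown here as an added Python example; it is not BMC Server Automation code and does not use its rule engine. The function names and the sample listener.ora contents (host dbhost, port 1630) are constructed for illustration.

```python
import re

STANDARD_PORT = 1521
RULE_TAIL = ["DESCRIPTION", "ADDRESS", "PORT"]   # the **/DESCRIPTION/ADDRESS/PORT path
# Part path as written in this page's procedure; ??ORACLE_PATH?? is the local property.
PART_PATH = "/d/??ORACLE_PATH??/product/10.1.0/Client_1/network/ADMIN/listener.ora"

def port_values(text):
    """Yield every PORT value nested under DESCRIPTION/ADDRESS, at any depth."""
    tokens = re.findall(r"[()=]|[^()=\s]+", re.sub(r"#[^\n]*", "", text))
    stack = []                                   # keys of the (...) groups now open
    for prev, tok in zip([""] + tokens, tokens):
        if tok == ")":
            if stack:
                stack.pop()                      # group closed
        elif tok in ("(", "="):
            continue
        elif prev == "(":
            stack.append(tok.upper())            # "(KEY" opens a group
        elif prev == "=" and stack[-3:] == RULE_TAIL:
            yield tok                            # scalar value of a matching PORT

def evaluate(text):
    """Rule from the page: a PORT entry must exist and must not equal 1521."""
    found = list(port_values(text))
    if not found:
        return "FAIL: no DESCRIPTION/ADDRESS/PORT entry"
    if any(p.isdigit() and int(p) == STANDARD_PORT for p in found):
        return "FAIL: listening on 1521"
    return "PASS: " + ",".join(found)

def check_instances(files):
    """Expand ??ORACLE_PATH?? per property instance; files maps instance -> text."""
    return {PART_PATH.replace("??ORACLE_PATH??", name): evaluate(text)
            for name, text in files.items()}

# Constructed sample contents for the two property instances (not real data).
SAMPLE = {
    "oracle1": "LISTENER =\n (DESCRIPTION_LIST =\n  (DESCRIPTION =\n"
               "   (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))\n",
    "oracle2": "# moved off the default\nLISTENER =\n (DESCRIPTION =\n"
               "  (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1630)))\n",
}

if __name__ == "__main__":
    for path, verdict in check_instances(SAMPLE).items():
        print(path, "->", verdict)
```

A file with no matching PORT entry is reported as a failure as well, mirroring the "must exist" half of the rule.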