Walkthrough: Creating remediation objects for a compliance template

This topic walks you through the process of using BMC BladeLogic Server Automation (BSA) to create a remediation object that can be deployed to servers that fail a Compliance Job. Deploying the remediation object can make the failed server compliant. This topic includes the following sections:

Introduction

This topic is intended for system administrators and compliance officers who are responsible for ensuring that server configurations adhere to industry and organizational standards.

The goal of this topic is to demonstrate how to create a remediation object that can be attached to a component template. When a target server fails a Compliance Job based on that component template, the remediation object can be deployed to the target to make the server compliant.

This walkthrough continues the process of creating a compliance template, described in a separate walkthrough on creating compliance rules.

What does this walkthrough show?

This walkthrough shows how to create a remediation object, which in this case is a simple BLPackage that consists of two security settings related to password handling. The BLPackage is associated with a component template. The template can be used as the basis of a Compliance Job that tests whether components on servers satisfy the two password rules. (For a description of how execute a Compliance Job, see Walkthrough: Compliance audit based on a policy.) If a target of the Compliance Job fails the compliance tests, you an deploy the remediation object so the target is made compliant.

What do I need to do before I get started?

You must create a component template that includes compliance rules, as described in Walkthrough: Creating a compliance template.

For this walkthrough, we have logged on as BLAdmin, the default superuser for BSA. In live deployments, BMC recommends that you grant access based on roles with a narrower set of permissions

How to create a remediation objects for a compliance template

	Step	Example screen
1	Using the Depot folder in BSA, navigate to a location where you want to create a BLPackage. Right-click and select New > BLPackage. A wizard opens that guides you through the process of creating a BLPackage.
2	On the General panel of the wizard, enter a name for the BLPackage. Under Create Package from, make sure that Live server objects is selected. Then click Next.
3	On the Select Server Objects panel, take the following steps: Click the Add icon . The Select Server Objects dialog opens. Navigate to the type of server for which you want to test compliance. In this case we select a server running Windows 2008. Expand the server to see all the server object types available on that machine. Expand Security Settings, expand Account Policies, and then expand Password Policy. Select Enforce password history and Maximum password age and move them to the Server Objects list at right. These parts correspond to the compliance rules already set up in the component template. Click OK. The parts you have selected appear in a list on the Select Server Objects panel of the wizard. Click Finish to save and close the BLPackage.	Selecting server objects Selected objects listed in the wizard
4	In the Depot folder, navigate to the BLPackage you just created, right-click it, and select Open. The BLPackage opens for editing. It consists of two security settings.
5	Edit the first setting. In the BLPackage, expand the first setting and select its contents, Enforce password history. The right pane shows attributes for the selected setting. In the right pane, for the Value row, double-click in the right-hand column. The value becomes editable. Replace 0 with 24 to match the compliance rule, which specifies that 24 passwords are remembered.
6	Edit the next setting. Expand the second setting and select its contents, Maximum password age. The right pane shows attributes for the selected setting. In the right pane, for the Value row, double-click in the right-hand column. The value becomes editable. Replace 42 days with 60 days to match the compliance rule, which specifies that passwords must be within 1 and 60 days old.
7	Close the BLPackage and open a component template. Close the tab for the BLPackage you are editing. When prompted, save your changes. Use the Component Templates folder to navigate to the compliance template for password policies developed in a separate walkthrough. Right-click the component template and and select Open. At the bottom of the tab, click the Compliance sub-tab. The Compliance panel opens. It shows the compliance rules that have been defined for the template.
8	Provide remediation information for each rule. In the rules pane at bottom, expand the Password Compliance rule group. Double-click the first rule, Maximum password age. A new tab opens that presents information about the rule. Click the Remediation sub-tab at bottom. Under Specify Remediation Action, click Deploy the following BLPackage and navigate to the BLPackage we created earlier in this walkthrough. Close the tab. Save when prompted. Double-click the second rule, Password History, and repeat the same three steps to add the same BLPackage as a remediation object for this rule. Close the component template. Save when prompted.	Contents of the rule group Remediation for a compliance rule

Wrapping it up

Congratulations. You have created a remediation object that can be attached to component template. When that template is used in a Compliance Job and the job detects targets that are not compliant, you can deploy the remediation object to change the target's configuration so it becomes compliant.

Where to go from here

See Walkthrough: Compliance audit based on a policy for a description of how to use a component template to run a Compliance Job.

The BSA documentation provides detailed instructions on setting up compliance rules in a compliance template.