Remediating compliance results
After running a Compliance Job based on one of the Compliance Content component templates, you can access job results and manually remediate the configuration of components that failed the Compliance Job. The remediation process runs a Deploy Job and deploys one of the BLPackages provided in the Compliance Content libraries, as specified in the remediation options of a specific compliance rule.
After performing remediation, you can still change your mind and undo the remediation.
Before you begin
Remediation for the CIS, DISA, HIPAA, PCIv2, and PCIv3 templates for Windows is provided for both Member Servers and Domain Controller servers. For Domain Controller servers, remediation is provided on Default Domain Controller Security Policy and/or Default Domain Security Policy, as per the settings you have specified for the REMEDIATE_SETTING_FOR_GPO template property.
Before performing the remediation operation, you must ensure that you have set appropriate values for the following properties:
Use this template property to specify the GPO Policy to be remediated.
The default is Default Domain Controller Security Policy and Default Domain Security Policy. If necessary, you can set the value to only one of the two policies (either Default Domain Controller Security Policy or Default Domain Security Policy).
Use this server property to specify the type of server on which to remediate — either DC (Domain Controller) or MS (Member Server).
For remediation of a Domain Controller server for which the Default Domain Controller (DDC) policy or Default Domain (DD) policy settings are not configured and the Local Security Settings (LSS) settings are effective, set this property to MS even on Domain Controller servers.
In addition, ensure that the following properties in the Server built-in property class are set with appropriate values:
PCI Properties / CIS Properties / DISA Properties – pointing to the correct instance of the custom property class
- Remediation for any policy on Windows or Linux computers fails if any built-in users or groups that are referred to in rules in the component template are renamed or deleted. You must modify or delete the offending user names or group names within the rules and remediation packages in the component template before you can successfully perform remediation.
- Remediation and undo of audit rules for the CIS - RedHat Linux 5 and PCIv2 - RedHat Linux 5 templates will not take effect if the /etc/audit/audit.rules file contains the -e 2 entry. You must manually remove the entry and restart the target server.
- In the component templates for any policy on a Windows operating system, rules for security settings are designed to check both the local settings and the effective settings. However, on a Member Server only the local settings are modified during remediation, because effective settings are pushed only from the domain controller. As a result, rules for user rights and security settings on a Member Server will show as non-compliant even after running a remediation job if effective settings, which reflect the Group Policy Objects (GPOs), are not in line with the compliance policy design. In such a case, consult your local system administrator to bring the Group Policy in line with the BMC Server Automation Compliance Policy.
Although on a Member Server the User Rights Assignment and Security Options group of rules are designed to remediate only the local settings, the BMC Server Automation Console may display remediated values for both local and effective settings. Similarly, if you push a value from the domain controller, the BMC Server Automation Console may display that value for both local and effective settings. Consult your local system administrator to bring the Group Policy in line with the BMC Server Automation Compliance Policy.
To begin the remediation process
- Navigate to the relevant Compliance Job, right-click it, and select Show Results.
- In the content editor, expand a particular run of the Compliance Job.
- Under the Rules View node, navigate to the relevant component template, rule group, or single compliance rule, right click it, and select Remediate.
For full instructions, see Manually remediating compliance results.