Analyzing system compliance
The Compliance module of BMC Server Automation enables you to analyze your servers and measure their compliance with corporate policies or industry standards. This topic describes the typical tasks that you perform while analyzing compliance through BMC Server Automation.
Using the Compliance module, you can scan any number of server configurations across multiple data centers for adherence to the relevant policies or sets of compliance rules.
Overview of compliance analysis and remediation
Compliance analysis and remediation are performed based on two types of BMC Server Automation objects: components and component templates.
Components — Encapsulate portions of server configuration, enabling simple yet powerful Compliance Jobs.
Component templates — Contain relevant compliance rules that you want your servers to adhere to. For component templates, you can either:
- Create your own component templates to contain the compliance rules for your internal corporate policies. This is a common course of action when analyzing operational compliance, which involves tracking the properties of operating system objects (such as files, configurations, user accounts, or services).
- Use the prebuilt component templates offered by BMC Software to analyze regulatory compliance or security compliance. Such templates can facilitate compliance analysis when you need to adhere to industry-defined compliance policies (such as CIS, DISA, HIPAA, PCI, or SOX).
BMC Server Automation offers an additional type of compliance analysis based on Security Content Automation Protocol (SCAP) benchmark content. SCAP benchmark content is stored as sets of XML files in the depot and a special SCAP Compliance Job is available for analyzing adherence to SCAP benchmark rules. For more information, see SCAP compliance analysis and Creating and modifying SCAP Compliance Jobs.
Flowchart for a typical compliance analysis
The flowchart in the following figure illustrates the main stages and tasks that you encounter during a typical compliance analysis work flow. Click the thumbnail below for a full-size image.
Overview of a typical compliance analysis
The following procedure outlines the tasks in a typical compliance analysis. Click Read more for more information about each compliance analysis task, as well as references to details in BMC Server Automation documents.
Determine the content to be analyzed and define a compliant environment — Before you start preparing or choosing a component template for compliance analysis, you must spend some time on planning, so that the template that you use suits your compliance needs.Read more.
- What conditions must your environment fulfill to be considered compliant ?
- What objects in your environment require testing for adherence with the compliance policy? Which system objects, configuration files, and file entries (for example) do you wish to run compliance checks against?
- Do you need help with testing for regulatory compliance? Does BMC offer a prebuilt component template for the required industry-standard compliance policy?
Install the regulatory compliance content provided by BMC and identify the appropriate template — BMC has developed a set of add-on Compliance Content libraries that you can install together with BMC Server Automation.Read more.
Prebuilt component templates are available for automation of the analysis of regulatory compliance with the following industry-standard policies:
- Health Insurance Portability and Accountability Act (HIPAA)
- Defense Information Systems Agency — Security Technical Implementation Guides (DISA STIG)
- Sarbanes-Oxley (SOX) Act
- Security Content Automation Protocol (SCAP) requirements developed by the National Institute of Standards and Technology (NIST) and Payment Card Industry Data Security Standard (PCI DSS) requirements developed by the PCI Security Standards Council
Create or select the component template — Often, your compliance analyses must reflect the unique operational compliance needs of your company or organization, and you must create your own templates that contain custom compliance rules.Read more.
During the creation and editing of a template, you:
- Select the template parts, which are the server objects that make up the component template.
- Define a discovery signature, which contains the minimum conditions to satisfy for a component to be associated with a server (for example, only servers that contain a particular configuration file or service).
You can test your signature against live servers while creating and perfecting it, even before you run a Discovery Job against it. For information about these procedures, see Creating a component template and Editing a component template.
Run a Component Discovery Job to discover components and create a group for organizing target components — The Component Discovery Job associates components with servers that satisfy the discovery signature defined within the component template. The components that are discovered by the Component Discovery Job serve as targets for Compliance Jobs.This task is optional. You can authorize any subsequent Compliance Job to perform an automatic component discovery, which will generate components just before analyzing their compliance.Read more.
In fact, in preparation for the Compliance Job, you might find it useful to create a component group (either a static group or a smart group) that contains all of the discovered components that are relevant to the Compliance Job.
For information about creating and running Component Discovery Jobs, see Creating and modifying Component Discovery Jobs.
- Define or edit compliance rules in the template and test your rules — Ensure that the component template that you plan to use contains the compliance rules that must be satisfied for a server to be considered compliant.
If you are using:
- A prebuilt template provided by BMC Software, review the rules within the template and decide whether or not a need exists for refining and fine-tuning the existing set of rules (typically by deleting certain rules and modifying others).
Your own template, you must author your own rule or set of rules. For certain rules, you might want to include remediation options, which specify the action that should be taken if a component does not comply with a compliance rule, and associate a remediation package for correcting the problem.Read more.
While you author or edit a rule, you can test the rule against discovered components. This enables you to validate and perfect your rules within the compliance rule editor, without the need to save the template or run a Compliance Job. For more information, see Compliance tab for a component template. Additional information for prebuilt templates appears in Modifying out-of-the-box component templates.
Run a Compliance Job against components — The Compliance Job determines whether or not a component satisfies its compliance rules. The Compliance Job examines the component's compliance parts and compares them to the part and property conditions defined within the component template's compliance rules.Read more.
If a rule is not met and remediation is enabled, you can correct the compliance failure by deploying a remediation package to servers, assuming that a BLPackage is specified as part of the compliance rules. In fact, you can grant the Compliance Job the authorization to automatically perform this remediation. However, you usually first review the results of the Compliance Job and manually select the compliance rule failures that require remediation.
For more information about creating and running Compliance Jobs, see Creating and modifying Compliance Jobs.
Review compliance results and set exceptions — Before you perform remediation on compliance failures, review the results of your Compliance Job for details about the components on each server that satisfied or failed to satisfy each of the defined compliance rules.Read more.
In some situations, you can set certain components as exceptions to particular compliance rules. For example, you might want to allow the responsible user time to resolve a problem before initiating remediation through BMC Server Automation.
For more information about viewing Compliance Job results and instructions on how to set exceptions for components, see Compliance results.
Perform remediation — Remediation of a compliance failure involves the deployment of a remediation package to the servers on which compliance rules failed.Read more.
To begin the remediation process, you must:
- Create a remediation package, or review and edit an existing remediation package. The remediation package contains the BLPackages associated with the relevant rules through their remediation options.
- Use a Deploy Job to deploy the remediation package to the servers. Before making any changes to target servers, you can set the Deploy Job to run a Simulate phase and perform a dry run of the deployment of the remediation package.
You can initiate remediation in several different ways, or even request automatic remediation by the Compliance Job.
For more information about remediation, see:
Generate reports — Through the BMC BladeLogic Decision Support for Server Automation application, you can generate web-based reports that summarize compliance data derived over time from Compliance Jobs run in BMC Server Automation. Several built-in Compliance reports are offered by BMC BladeLogic Decision Support for Server Automation. Additional reports are available specifically for the Compliance Content component templates for industry-standard policies.Read more.
For instructions on generating and using reports, see Creating ad hoc reports in the BMC Decision Support for Server Automation documentation. For built-in Compliance reports, see Built-in Compliance reports.
For descriptions of the reports for the Compliance Content templates for industry-standard policies, see Generating reports for compliance policies.
The Application Server and Console can be located in different time zones and the Console displays the local time, causing a difference in time.
To install compliance content (video)
At a high level, you must obtain the compliance content installer (the file name is usually something like Content-Install-Windows.exe or Content-Install-Linux.bin) from the BMC Electronic Product Distribution site (EPD). Make sure you get the Content Installer from the same major version as your installed product (for example, 8.6).
Once you have the installer, it is easiest to run it from an Application Server as a local Administrator or root. You must have access to a role and user with permissions to create extended objects, files on the file server, a top-level component template group, and component templates. If you are using UNIX, you may need access to an X Window display. This can be remotely displayed through a variety of methods.
- Run the Content Installer executable
- Provide a temporary directory for the Content Installer executable to write to
- Provide credentials (user, role, and password)
- Specify whether you are using a multi-Application Server (MAS) environment. The content installer runs for quite some time, but you can either monitor a log file whose location will be provided by the installer or watch the component templates node to see the templates being created.
The following video provides a quick demonstration of installing compliance content.
Check the content.version file, which is created under the ../fileserver/Content folder.
The content of the content.version file looks like this:
To run a compliance audit (video)
The following video provides a quick demonstration of how to run a basic policy-based compliance audit.