Example procedure for creating a Compliance Job
Use the following procedure to create a Compliance Job in the BMC Server Automation Console.
Before you begin, ensure that you have already run a Component Discovery Job to discover components based on the relevant component templates. Alternatively, you can authorize your Compliance Job to perform automatic component discovery, that is, to generate components automatically just before analyzing the compliance of these components.
- From the Folders view in the console, navigate to the folder in which you want to store the new job (for example, Jobs > yourRole > Workspace).
- Right-click the folder and select New > Compliance Job.
  The New Compliance Job wizard appears.
- On the General panel of the wizard, complete each field, and then click Next.
  - Assign a meaningful name to the job (such as CIS Compliance).
  - In the Description field, optionally enter a description of the job function.
  - Choose where to save the job (by default, the folder from where you created the job).
  - Optionally, set the Number of Targets to Process in Parallel.
  - To set the Job to continue despite compliance and data collection errors, under Options, click the first check box.
  - If you want the Compliance Job to discover components automatically before analyzing their compliance (so that you do not need to run a Component Discovery Job beforehand), select the Run auto-discovery check box.
- On the Component Templates for Filtering panel, navigate to and select the component template against which you want to analyze servers. Then use the arrow button to move your selection to the list of selected templates. Click Next.
  For the template to appear on this panel, Compliance operations must be enabled for the template. If the template does not appear, open the template and select the Compliance check box on the General tab. For remediation settings to be enabled (in a subsequent step), also select the Allow Remediation and (optionally) the Allow Auto-Remediation check boxes.
- On the Components panel, use the arrows to select components to be analyzed. You can select a server or server group to include all components that are discovered on the server or servers, and then click Next. Even if you selected the Run auto-discovery check box on the General panel, you can still use this panel to add existing components or filter components that will be discovered.
  In the following sample figure, the Available Servers smart group is selected.
- On the Auto-Remediation panel, indicate your Auto-Remediation settings, and click Next.
  - To set automatic remediation to begin after the job runs, select Remediate after compliance analysis completes.
  - In the Remediation name field, enter a name for the remediation package.
  - In the Save package in field, select a folder in which to save the remediation package (provided that you already associated a remediation package with the relevant rule, within rule definitions).
  - In the Save remediation/deploy job in field, select a folder in which to save the Deploy Job for the remediation package.
  - To set the remediation package to include duplicate property names for individual compliance rules that have failed, select the Keep each local property name unique in remediation package check box. If selected, each property name is indexed so that all references to a particular property are retained, and the default value for each property is also retained. If you clear this option, property names are left untouched, but the default value assigned to the property becomes the value of the property for the first failed compliance rule that is merged into the remediation package.
  - To deploy remediation packages to servers rather than deploying them to the target components of a Compliance Job, select the Use servers as remediation target check box. If you clear this check box, the target components from the Compliance Job are used as the targets for the remediation job.
- On the Default Notifications panel, indicate your Job Run Notifications settings and Compliance Results Notifications settings. Click Next.
- On the Schedules panel, indicate whether or not you want to execute the job immediately. In addition, to schedule job runs for a future time, click the green + (plus) icon to open the scheduler.
- On the Scheduled Job Notifications tab, you can configure special notification settings for individual schedules (instead of the general job notifications that you set in the previous step).
- Click Next to step through the remaining panels (Properties and Permissions). Click Finish.