Walkthrough: Compliance audit based on a policy
This topic walks you through the process of analyzing compliance on a server based on a standard policy. It includes the following sections:
This topic is intended for system administrators who are in charge of enforcing regulatory compliance in the data center.
There are two kinds of compliance: snapshot-based and policy-based. Snapshot-based compliance uses the configuration of a "golden" server that has exactly the configuration you need. Policy-based compliance works from a set of rules that can define a range of acceptable configurations. This walkthrough demonstrates policy-based compliance using a component template from the out-of-the-box Compliance Content libraries provided in BMC Server Automation (BSA).
What does this walkthrough show?
This walkthrough guides you through the process of performing a policy-based compliance audit. The goal for this topic is to audit a specific configuration item to ensure that it matches a standard configuration. This goal is accomplished through the following series of tasks:
- Edit a rule within an out-of-the-box component template for a compliance policy
- Create a component for the customized component template and a single server
- Create and run a Compliance Job
- Examine job results
What do I need to do before I get started?
- To analyze policy-based compliance, you must first install compliance content, as described in Walkthrough: Loading compliance content. The out-of-the-box component templates in the BSA compliance content enable you to monitor regulatory and security requirements, including SOX, PCI, HIPAA, DISA and CIS. Typically, administrators use BSA compliance content as a starting point to produce their own customized policies. Furthermore, many policies include sample remediation instructions.
  Before running a Compliance Job for the first time based on any of the out-of-the-box component templates from the compliance content, ensure that the values of policy-related properties are appropriate for your local environment. Review property values in the relevant local instances of the Server built-in property class, in the custom property classes for each type of policy, and also property values in the component template. If local values differ from the default values, tailor these property values to the unique needs of your local system. For further instructions, see Configuring properties for Compliance Content templates.
- For this walkthrough, we have logged on as BLAdmin, the default superuser for BSA. Note that in live deployments, BMC recommends that you grant access based on roles with a narrower set of permissions. Ensure that the role that you use has permission to write to the Component Templates and Depot folders and to create properties in component templates and depot files.
How to edit a rule within a Compliance Content component template
This section walks you through a simple example process of customizing a rule within an out-of-the-box component template for a compliance policy:
1. In the BMC Server Automation Console, browse to the Component Templates folder, open the DISA Compliance Content folder, and navigate to the component template called DISA - Windows Server 2003 DC.
2. Right-click the DISA - Windows Server 2003 DC template and select Open. The component template definition opens in a pane at right.
3. Click the template's Compliance tab at the bottom of the pane.
   The Compliance tab is displayed. The bottom of the tab shows the compliance rules that have been defined for a collection of parts, which are shown in the top part of the tab.
4. In the rule list, scroll down and expand Maximum Password Age. Double-click its child, called Maximum password age does not meet minimum requirements.
   The Rule Editor opens in a new tab. The Rule Editor shows the conditions that have been defined within the Maximum password age does not meet minimum requirements rule. Currently, the rule requires that the maximum password age be between 1 and 60 days. In this example, we are going to change the compliance rule so that passwords only have to be changed every 90 days.
   Each condition in the rule has two versions. One evaluates the local setting, and the other evaluates the effective configuration after a group policy is applied.
5. In the Rule Editor, double-click the first rule condition (that is, the first row). The Rule Editor shows the operands and operator in the condition as editable fields with drop-down lists. In the field that currently says 60, enter 90. Then do the same thing in the second condition (that is, the second row).
6. Click the Save button. Then, to close the Rule Editor, click the X on the tab. Also save the component template and close the template tab.
7. For version management of the component template, commit the template to the local Git repository.
   Commit details for this version of the component template are added on the Git Repository History tab.
For more information about editing rules, see Adding or editing a compliance rule.
How to create a component for use in the compliance audit
This section walks you through a simple example process of manually creating a component, based on a single server, using the component template that you just customized.
1. In the Component Template folder, right-click the DISA - Windows Server 2003 DC component template and select New > Component.
   The New Component wizard opens.
2. In the wizard, for Server, select a Windows 2003 server and click Finish.
   The newly discovered component appears below the DISA - Windows Server 2003 DC component template.
   To display the new component immediately, right-click the Component Templates folder, and then click Refresh.
For more information about manually creating a component, see Adding components to servers manually.
How to create and run a Compliance Job
This section walks you through a simple example process of creating and running a Compliance Job based on the component that we just created.
1. In the Component Template folder, right-click the DISA - Windows Server 2003 DC template and select Compliance. The New Compliance Job wizard opens.
2. In the New Compliance Job wizard, on the first wizard panel (General), perform the following steps:
3. The next panel in the wizard (Component Templates for Filtering) shows that your component template is already selected. Click Next.
4. On the next panel (Components), select the component that you created by specifying the server with which it was associated. This is the server that you want to audit.
5. Click Next three times to display the Schedules panel. Select Execute job now, and then click Finish.
6. The Tasks in Progress tab at bottom right shows that the Compliance Job is running. After the job completes, you can examine the job results, as described below.
For more information about creating and running Compliance Jobs, see Creating Compliance Jobs.
How to examine job results
This section walks you through the process of examining the results of the Compliance Job that we ran in the previous example and provides tips for obtaining the most relevant information.
1. In the Jobs folder, navigate to the Compliance Job that you created based on the DISA component template. In this example, the job is named Test Windows 2003 DISA Compliance. Right-click the job and select Show results. A tab at right shows the job results. A green check indicates that the job completed successfully.
2. In the job results tab, expand the Server View node. Then expand the server that we are auditing, and the component that we created.
   A list of compliance rule sets is displayed under the component. Rule sets and rules (children of rule sets) that are shown in bold are not compliant.
   Select the Server View node. A table in the pane on the right displays the total number of compliant rules and non-compliant rules on the target server.
3. Select the component node. More information about the compliance of the various rule sets appears in the pane on the right. Non-compliant rule sets appear in red, and compliant rule sets appear in black.
4. In the list of compliance rule sets, scroll down to the compliance rules Maximum Password Age and Minimum Password Age.
   In the example shown here, the server was compliant with the Maximum Password Age rule, but was non-compliant with the Minimum Password Age rule.
   When you click the full name of the rule (a child branch under the rule title), the rule text is displayed on the right (similar to its display in the Rule Editor, but without the option of editing). If the rule was non-compliant, the exact conditions in the rule that were found to be non-compliant on the server are displayed in red. When you click a condition displayed in red, the full details of the condition are displayed in another pane below, so that you can compare the actual value on the server with the value with which the server was expected to comply.
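The following Python script is an added illustration, not BMC Server Automation code, of how a policy-based rule like the one edited above is evaluated and reported: each condition exists in a local and an effective (post-group-policy) version, a rule is compliant only when every condition holds, and a failing condition is reported with its actual and expected values. The Minimum Password Age threshold and the discovered server values are constructed for the example.

```python
# Added example, not BMC Server Automation code: models the policy-based
# compliance check described in this walkthrough. Each condition exists in a
# "local" and an "effective" (after group policy) form; a rule is compliant
# only when every condition holds. Thresholds and discovered values below are
# constructed for illustration.
import operator

OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq}

def make_rule(name, attribute, conditions):
    """Build a rule whose conditions apply to both the local and the
    effective value of `attribute` (the two versions the Rule Editor shows)."""
    conds = []
    for scope in ("local", "effective"):
        for op, value in conditions:
            conds.append((f"{attribute}.{scope}", op, value))
    return {"name": name, "conditions": conds}

def evaluate_rule(rule, discovered):
    """Return (compliant, details). Each detail row carries the actual value
    next to the expected condition, as the results pane does for red rows.
    A missing attribute counts as non-compliant rather than raising."""
    details = []
    for attr, op, expected in rule["conditions"]:
        actual = discovered.get(attr)
        ok = actual is not None and OPS[op](actual, expected)
        details.append({"condition": f"{attr} {op} {expected}", "actual": actual, "compliant": ok})
    return all(d["compliant"] for d in details), details

def server_view(rules, discovered):
    """Server View style summary: compliant/non-compliant rule counts plus the
    names of failing rules (the ones the console shows in bold)."""
    failing = [r["name"] for r in rules if not evaluate_rule(r, discovered)[0]]
    return {"compliant": len(rules) - len(failing), "non_compliant": len(failing), "failing": failing}

# Customized rule from the walkthrough: maximum password age between 1 and 90 days.
MAX_AGE = make_rule("Maximum password age does not meet minimum requirements",
                    "MaximumPasswordAge", [(">=", 1), ("<=", 90)])
# Constructed companion rule (threshold assumed): minimum password age of at least 1 day.
MIN_AGE = make_rule("Minimum password age does not meet minimum requirements",
                    "MinimumPasswordAge", [(">=", 1)])
POLICY = [MAX_AGE, MIN_AGE]

# Constructed values discovered on the audited server (local and post-GPO).
DISCOVERED = {"MaximumPasswordAge.local": 45, "MaximumPasswordAge.effective": 45,
              "MinimumPasswordAge.local": 0, "MinimumPasswordAge.effective": 0}

if __name__ == "__main__":
    for rule in POLICY:
        ok, details = evaluate_rule(rule, DISCOVERED)
        print(("COMPLIANT    " if ok else "NON-COMPLIANT"), rule["name"])
        for d in details:
            if not d["compliant"]:
                print("   failed:", d["condition"], "actual =", d["actual"])
    print(server_view(POLICY, DISCOVERED))
```

As in the walkthrough's results, the server passes the customized Maximum Password Age rule and fails Minimum Password Age, with both the local and the effective condition listed against the actual value found.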
For more information about Compliance Job results, including instructions for exporting the results to other formats, see Walkthrough: Reviewing the results of a compliance check. See also Compliance results and Exporting compliance results.
Wrapping it up
Congratulations! You have successfully audited the compliance of one of your Windows 2003 servers with your own customized version of the DISA policy. After you study the results of the Compliance Job, you can decide on steps to remediate your server, to bring it to full compliance with all rules in the policy.
Where to go from here
For a description of the remediation process, that is, the process of bringing a target server to compliance after it was found to be non-compliant, see Walkthrough: Remediating a compliance failure and Walkthrough: Creating remediation objects for a compliance template.