Walkthrough: Creating a compliance template
This topic walks you through the process of creating a simple compliance template using BMC BladeLogic Server Automation (BSA).
This topic includes the following sections:
The video at right demonstrates the process of setting up a compliance template.
This topic is intended for system administrators and compliance officers who are responsible for ensuring that server configurations adhere to industry and organizational standards.
The goal of this topic is to demonstrate how to create and edit a simple component template that includes two rules. The rules test for compliance with password standards.
What does this walkthrough show?
This walkthrough shows how to create a simple component template. The template consists of two security settings about password handling and rules related to those settings. You can use this template as the basis of a Compliance Job that tests whether components on servers satisfy the two rules. For a description of how execute a Compliance Job, see Walkthrough: Compliance audit based on a policy.
Remediation is the process of correcting deficiencies discovered by a Compliance Job. This walkthrough does not show how to incorporate remediation content into a component template. For a description of that process, see Walkthrough: Creating remediation objects for a compliance template.
Many component templates are much more complex and incorporate many compliance rules. BSA provides prepackaged component templates that you can use to test for compliance with various industry standards. See Walkthrough: Loading compliance content for a description of how to load those prepackaged templates.
What do I need to do before I get started?
For this walkthrough, we have logged on as BLAdmin, the default superuser for BSA. In production environments, BMC recommends that you grant access based on roles with a narrower set of permissions.
How to create a template used for compliance testing
Using the Component Templates folder in BSA, navigate to a location where you want to create a component template. Right-click and select New > Component Template. A wizard opens that guides you through the process of creating a component template.
On the General panel of the wizard, enter a name for the template. Then select the type of operations you want to allow for this component template. In this example, we select Discover, Browse, Compliance, and Allow Remediation. Finally, click Finish.
Later, you add more complex information to the component template during an editing process.
|3||Select the component template you just created. Right-click and select Open. The component template opens to the General tab. Tabs representing other steps in the template definition process appear at the bottom of the pane.|
Assign parts to the component template.
Component template parts often include a wide variety of server objects. To keep this walkthrough simple, we selected only two parts.
Set up a rule group and begin to define the first rule.
Click the Rule Definition sub-tab and define the contents of the first rule.
Taken together, these rules say that there must be a value for password age and that the password must be between no older than 60 days.
Note: These rules are set up to test both the local setting and the effective setting. The local setting is the setting established on a server by means of its local security policy or registry setting. The effective setting is the setting that is actually in effect. They can differ if a server is part of a Windows domain and the domain level group policy object (GPO) overrides the local setting. Local and effective settings can also differ if the local setting has been changed but is not yet in effect. For example, the server may be in need of a reboot to apply a changed setting. BMC recommends setting up compliance rules to test both the local and effective setting.
Defining first condition
Logical descriptions of all conditions
Create a new rule.
Click the Rule Definition sub-tab and define the contents of the next rule.
Taken together, these rules say that there must be a value for password history and that the user cannot reuse any of his last 24 passwords.
To support version management of the component template, commit the template to the local Git repository. This first commit represents the initial version of the template from the time of its creation.
Commit details for the initial version of the component template are added on the Git Repository History tab.
Wrapping it up
Congratulations. You have created a component template. This template can be used to define a Compliance Job, which measures server compliance to organizational standards.
Where to go from here
See Walkthrough: Creating remediation objects for a compliance template for a description of how to attach a remediation object to a component template. Also, you can see Walkthrough: Compliance audit based on a policy for a description of how to use a component template to run a Compliance Job.
The BSA documentation provides more detailed instructions on setting up compliance rules in a compliance template.