Walkthrough: Creating exceptions for compliance rules
This topic walks you through the process of using Compliance Job results to create an exception for a compliance rule and then running the Compliance Job again to see how the results show the exception. This topic includes the following sections:
The following video demonstrates the process of defining an exception to a Compliance Job.
This topic is intended for system administrators or operators who are responsible for ensuring compliance in the data center.
The results of a Compliance Job show how components satisfy or fail to satisfy the compliance rules established in a component template. In some situations, it is useful to define one or more components (that is, the targets of the Compliance Job) as exceptions to compliance rules defined in the component template.
In this example, we know that a rule limiting the number bad logons is not currently applicable because we are performing a security test that includes repeated attempts to access certain servers. Thus, we are defining a temporary exception to the bad logon rule.
When we run a Compliance Job that includes exceptions, the job results show some servers as having a status of "compliant with exceptions" rather than non-compliant.
What does this walkthrough show?
This walkthrough is targeted for compliance operators. It shows how to:
- Define an exception to a compliance rule.
- Re-run an existing Compliance Job and examine the results to see how they reflect the presence of an exception.
What do I need to do before I get started?
For this walkthrough, we have:
- Logged on as BLAdmin, the default superuser for BSA. In production environments, BMC recommends that you grant access based on roles with a narrower set of permissions. See Walkthrough: Restricting permissions for a Compliance officer.
- Run a Compliance Job, as described in Walkthrough: Compliance audit based on a policy.
How to analyze and report on compliance status
In the Jobs folder, navigate to a Compliance Job. Right-click the job and select Show results. A tab at right shows the job results. Select Rules View. The tab at right provides summary information about the number of rules which are found to be compliant, compliant with exceptions, non-compliant, and indeterminate.
Notice how 122 rules are compliant and 248 are non-compliant.
Indeterminate refers to situations where conditions cannot be classified as compliant or non-compliant, such as when theasset being tested in a compliance rule is undefined on the target server.
Click here for an example of an indeterminate condition.
If a condition states that a symbolic link must start with the letter A, the condition is
Expand the Rules View node, and then expand the component template it contains. Scroll down through the list of compliance rules and select a rule that is non-compliant. In this example, we select Bad Logon Attempts.
At right you see the number of servers that are compliant for that rule, compliant with exceptions, non-compliant, and indeterminate.
We want to set an exception for this rule because we know we are performing some security tests, including one "door knocking" function that attempts to repeatedly log onto servers. For the duration of this testing, the Bad Logon Attempts rule is not applicable.
Click Next. The wizard shows the compliance rule for which you are setting up an exception.
If you want to specify additional rules to which this exception applies, click Addand select those rules. In this example, we do not include additional rules.
If necessary, you can use this panel to modify the rule used for this exception. Select a rule in the list and click Edit. Then modify the contents of the rule using the rule editor much like when you originally created the compliance rule. You can narrow the applicability of an exception to a specific system object if that object can be expressed as a path, such as a file with a particular name or a particular value within a configuration file.
Click Next. The wizard lets you select the components to which an exception should apply. (A component is a user-defined collection of server configuration settings that encapsulate a service, application, or security policy.) In this example, we are only examining one component, so we click Finish.
Return to the Compliance Job in the Jobs folder. Right-click the job and select Execute. Monitor the job in the Tasks in Progress view. When the job finishes executing, select the job, right-click, and select Show Results. You now see a second job run in the results. Expand the job run and select Rules View. At right you see there are still 122 compliant rules but now there are 247 non-compliant (one less than before) and 1 compliant with exceptions.
Expand Rules View and then expand the component template. Scroll down through the list of rules to Bad Logon Attempts. It is no longer in bold, meaning it is no longer non-compliant. Click on Bad Logon Attempts. At right you can see that instead of the target component being non-compliant, it is now compliant with exceptions.
Wrapping it up
Congratulations, you have successfully defined an exception to a compliance rule, re-run an existing Compliance Job, and checked the results, which now show one rule compliant with exceptions.
Where to go from here
To learn more about creating and using Compliance Jobs, see Creating and modifying Compliance Jobs. To learn more about setting exceptions in Compliance Jobs, see Defining compliance exceptions for a component.