Example of checking servers for PCI compliance
This topic walks you through the process of using BladeLogic Portal to run a Compliance operations that checks whether servers adhere to payment card industry (PCI) standards. When the operation detects non-compliant servers, the topic describes how to correct the problem. The topic includes the following sections:
This topic is intended for system administrators who manage server configurations and ensure compliance withcorporate and industry standards. The goal of this topic is to use BladeLogic Portal to run a Compliance operation that identifies and eliminates configuration problems.
What is a Compliance operation
A Compliance operation is either based on a component template or a Compliance Job, which in turn is based on a component template. You define both component templates and Compliance Jobs in BMC Server Automation. A Compliance operation compares a set of rules to the configuration of target servers to determine if they comply with each of those rules. If the server is not fully compliant, you can perform a remediation operation to correct some or all of the non-compliant conditions.
What do I need to get started?
For this walkthrough, you need an account to access BladeLogic Portal. The account must have the necessary permissions to perform a Compliance operation.
To perform you this walkthrough, a component template used for compliance must be defined in BMC Server Automation. That component template must be set up to allow remediation of non-compliant conditions.
How to check servers for PCI compliance
Select Create Operation > Compliance.
The Create Compliance Operation wizard opens.
Click Execute Now.
The wizard closes. The operation appears on the home page and begins to run.
When the operation completes, click View Results.
Operations with many compliance rules and multiple targets can take many minutes to complete.
The results page opens. It has five tabs, one for viewing results by target and another for viewing results by rule. A third tab shows log messages. Another tab shows exceptions you can set to compliance rules and the last tab is used for remediation (the term BSA uses for correcting problems detected during compliance operations). We'll come back to the Exceptions and Remediation tabs later.
The pie chart at top left shows you the percentage of compliant targets. In this case there is only one target and it is non-compliant.
When viewing results on the Targets tab, select a target in the list at left. The list at right shows the status of all compliance rules evaluated for that target.
This operation evaluated 42 rules. The PCI compliance templates that BMC provides as "compliance content" evaluate many more rules. For the purposes of this demonstration, we have created a simple example with a smaller number of compliance rules.
|8||In the list at right, filter the display to show only non-compliant rules by using the drop-down list to select Non-compliant. Notice that the list now says it is showing four rules, filtered from 42.|
Click the Rule Results tab to show results of the operation by rule rather than by server. At the top of the rules list, select Non-compliant to show only non-compliant rules.
Notice that the pie chart at top left has changed from how it appeared for the Targets tab. Now that we are viewing results by rule, the pie chart shows the operation is 90.5% compliant.
You can create temporary or permanent exceptions to compliance rules. In this step we create a temporary exception because we know there is a utility that periodically attempts to access our target webserver. Thus the first rule that limits repeated attempts to access the server is not applicable.
The Exceptions tab now shows there is an exception defined.
Contents of the Exceptions tab
If the component template used for this Compliance operation is set up so it allows you to correct problems (BladeLogic calls this remediation), you can attempt to remediate one or more target servers.
|12||The Remediation Operations tab now shows there is a remediation operation.|
|13||On the Remediation Operations tab, click the Execute icon. After the system prompts for confirmation, the operation begins to run.|
|14||When the operation completes, click View Results to see the results of the remediation operation. Results show the job was successful.|
Return to the home page. Find the Compliance operation you defined earlier and run it again by clicking the Execute icon.
The Execute Operation dialog asks you to choose the targets where you want the operation to run. In our example there is only one server, so we just click Execute.
When the operation completes, click View Results. The Targets tab shows the targets are 100 percent compliant.
Wrapping it up
Congratulations. In this topic, you used BladeLogic Portal to run a Compliance operation to check PCI compliance of a target server. After the operation completed successfully, you determined that the server was not compliant. You set an exception to one rule and for the other non-compliant rules, you ran a successful remediation operation. Then you ran the original Compliance operation again and it showed the target server was completely compliant.
Where to go from here
To learn more about defining all types of operations, see Creating or modifying an operation.