Example of checking servers for PCI compliance

This topic walks you through the process of using BladeLogic Portal to run a Compliance operations that checks whether servers adhere to payment card industry (PCI) standards. When the operation detects non-compliant servers, the topic describes how to correct the problem. The topic includes the following sections:

Introduction

This topic is intended for system administrators who manage server configurations and ensure compliance withcorporate and industry standards. The goal of this topic is to use BladeLogic Portal to run a Compliance operation that identifies and eliminates configuration problems.

What is a Compliance operation

A Compliance operation is either based on a component template or a Compliance Job, which in turn is based on a component template. You define both component templates and Compliance Jobs in BMC Server Automation. A Compliance operation compares a set of rules to the configuration of target servers to determine if they comply with each of those rules. If the server is not fully compliant, you can perform a remediation operation to correct some or all of the non-compliant conditions.

What do I need to get started?

For this walkthrough, you need an account to access BladeLogic Portal. The account must have the necessary permissions to perform a Compliance operation.

To perform you this walkthrough, a component template used for compliance must be defined in BMC Server Automation. That component template must be set up to allow remediation of non-compliant conditions.

How to check servers for PCI compliance

 StepExample
1

Select Create Operation > Compliance.

The Create Compliance Operation wizard opens.

2
  1. For Name, enter a name for the operation, such as PCI Compliance Check.
  2. For Security Group, select the role under which you are creating the operation.
    If you are assigned to only one role, this option defaults to that role. No selection is necessary.

3
  1. Click Next.
    The wizard displays the Content window. This window lets you select a component template or Compliance Job that has already been defined in BMC Server Automation. In this demonstration we are going to select a component template.
  2. Click the Search tab. 
  3. At left, click Template to limit a search to templates.
  4. In the search box, enter a text string that identifies the template and click the search icon . For this example, we enter PCI.
  5. A list shows all component templates with names or other information that include the text string.
  6. Select the template you want to use for provisioning. (We select PCI V3 for Windows webserver.)
    When you select a template, the system prompts you to choose a job folder in BMC Server Automation where an automatically created job should be stored. If a default job folder is already defined for your site or security group, you are not prompted for this information. 
  7. If you are prompted for a job folder, select one and click OK.

4
  1. Click Next to display the Targets window. Use this page to search or browse for targets.
  2. At left, click Server to limit a search to servers.
  3. In the search box, enter a text string that identifies servers and click the search icon . For this example, we enter www.
    A list shows all servers with names or other information displayed onscreen that includes the text string you entered.
  4. From that list, select the servers that should be the targets of the operation. In this example we select only one target server.

5

Click Execute Now.

The wizard closes. The operation appears on the home page and begins to run.

6

When the operation completes, click View Results.

Operations with many compliance rules and multiple targets can take many minutes to complete.

7

The results page opens. It has five tabs, one for viewing results by target and another for viewing results by rule. A third tab shows log messages. Another tab shows exceptions you can set to compliance rules and the last tab is used for remediation (the term BSA uses for correcting problems detected during compliance operations). We'll come back to the Exceptions and Remediation tabs later.

The pie chart at top left shows you the percentage of compliant targets. In this case there is only one target and it is non-compliant.

When viewing results on the Targets tab, select a target in the list at left. The list at right shows the status of all compliance rules evaluated for that target.

This operation evaluated 42 rules. The PCI compliance templates that BMC provides as "compliance content" evaluate many more rules. For the purposes of this demonstration, we have created a simple example with a smaller number of compliance rules.

8In the list at right, filter the display to show only non-compliant rules by using the drop-down list to select Non-compliant. Notice that the list now says it is showing four rules, filtered from 42.

9

Click the Rule Results tab to show results of the operation by rule rather than by server. At the top of the rules list, select Non-compliant to show only non-compliant rules.

Notice that the pie chart at top left has changed from how it appeared for the Targets tab. Now that we are viewing results by rule, the pie chart shows the operation is 90.5% compliant.

10

You can create temporary or permanent exceptions to compliance rules. In this step we create a temporary exception because we know there is a utility that periodically attempts to access our target webserver. Thus the first rule that limits repeated attempts to access the server is not applicable.

  1. For the first rule, click the Actions icon and select Set Exception. A dialog asks for information.
  2. Provide a name for the exception and specify its expiration date, if the exception is temporary. All other information on the dialog is optional.
  3. Click Set.

The Exceptions tab now shows there is an exception defined.

Exception dialog

Contents of the Exceptions tab

11

If the component template used for this Compliance operation is set up so it allows you to correct problems (BladeLogic calls this remediation), you can attempt to remediate one or more target servers.

  1. Select the Actions menu at the top of the list at left and select Remediate All Rules.
    A dialog asks you to identify a job group and a depot group in BSA. Automatically created remediation objects are stored in those locations.
  2. Identify a job group and a depot group.
  3. Click Execute.

12The Remediation Operations tab now shows there is a remediation operation.
13On the Remediation Operations tab, click the Execute icon. After the system prompts for confirmation, the operation begins to run.

14When the operation completes, click View Results to see the results of the remediation operation. Results show the job was successful.

15

Return to the home page. Find the Compliance operation you defined earlier and run it again by clicking the Execute icon.

The Execute Operation dialog asks you to choose the targets where you want the operation to run. In our example there is only one server, so we just click Execute.

16

When the operation completes, click View Results. The Targets tab shows the targets are 100 percent compliant.

Wrapping it up

Congratulations. In this topic, you used BladeLogic Portal to run a Compliance operation to check PCI compliance of a target server. After the operation completed successfully, you determined that the server was not compliant. You set an exception to one rule and for the other non-compliant rules, you ran a successful remediation operation. Then you ran the original Compliance operation again and it showed the target server was completely compliant. 

Where to go from here

To learn more about defining all types of operations, see Creating or modifying an operation.

Was this page helpful? Yes No Submitting... Thank you

Comments