Unsupported content This version of the product has reached end of support. The documentation is available for your convenience. However, you must be logged in to access it. You will not be able to leave comments.

Creating a Remediation operation - Operation

The Operations page of the Remediation operation wizard lets you schedule and configure the operation or operations that the wizard creates. The capabilities of this page vary depending on whether you are connected to BMC Server Automation or BMC Network Automation.

See the following sections for more information about using the Operations page:

  

Using the Operation page - BSA

The Operation page lists the operations created by the Remediation operation wizard. This page lets you define a schedule and perform other types of configuration for the operations you are about to perform.

If you have configured a connection to BMC Atrium Orchestrator and set up job approval in BMC Server Automation, you can also use the Operation page to configure the job approval request.

VulnMgmtOpOperations.gif

Specifying a job group

The first time you access the Operations page, the portal prompts you to select a job group where jobs that are automatically created should be stored in BMC Server Automation. 

After selecting a job group, you can modify that selection by clicking Browse next to the Job Group option. A dialog opens. Select a job group and click OK.

Defining schedules

You can define a schedule that applies to all operations generated by this Remediation operation.

If the wizard creates multiple operations, you can define a schedule that applies to them all, but you can also choose to modify the schedule for some or all operations.

To define a global schedule
  1. Under Global Schedule and Approval Settings, click the clock icon ClockIcon.gif beside Run Once At.
    An interface similar to a digital clock appears.
    DigitalClock.gif
  2. Set the hour and time for the operation. Then click AM or PM to toggle between those choices.
  3. Select the date when the operation runs.
  4. Select a time zone for the operation.
To define schedules for individual operations
  1. Click Override Global Scheduling and/or Approval .
    By default, all operations listed in the Planned Operations list use the global schedule.
  2. For any operation in the Planned Operations list that you want to schedule, click the configuration icon ConfigureIcon.gif.
    The Configuration dialog box opens
    ConfigurationDialog.gif 
  3. Take one of the following actions:
    • Click the No Schedule tab to assign no schedule to the operation. Typically this option is used when you are defining an operation and you plan to schedule it later. You cannot use the No Schedule option if you are requiring job approval for this operation.
    • Click the Execute Now tab so the operation runs as soon as you finish the wizard. You cannot use this option if you are requiring job approval for this operation.
    • Click the With Schedule tab to define a schedule for the operation. Then take the following steps.
      1. Click the clock icon ClockIcon.gif beside Run Once At.
        An interface similar to a digital clock appears.
        DigitalClock.gif
      2. Set the hour and time for the operation. Then click AM or PM to toggle between those choices.
      3. Select the date when the operation runs.
      4. Select a time zone for the operation.
  4. Click OK.

Requesting job approvals

If you integrate BladeLogic Portal with BMC Atrium Orchestrator, you can request a job approval through BMC Remedy ITSM Change Management. By default, the approval applies to this operation and all sub-operations that are automatically generated. Alternatively, you can also request approvals for individual sub-operations.

To request job approval for the entire operation

If you are requesting job approval for the overall job, under BAO Approval Information, for Approval Type, select a type of approval. See Job approval options for a description of the different approval types. If you want to customize the approval request, click Show Advanced Options and provide the information described in Job approval options.

To request job approval for individual operations

If you are requesting job approvals for individual operations in the Planned Operations list, perform the following steps:

  1. Click Override Global Scheduling and/or Approval .
    By default, all operations listed in the Planned Operations list use the same job approval.
  2. For any individual operation in the Planned Operations list that you want to schedule, click the configuration icon ConfigureIcon.gif.
    The Configuration dialog box opens
    ConfigurationDialogWithBAO.gif 
  3. Ensure that you have selected the With Schedule tab. You can only request job approvals for scheduled jobs. For Approval Type, select a type of approval. 
    See Job approval options for a description of the different approval types. If you want to customize the approval request, click Show Advanced Options and provide the information described in Job approval options.
  4. Click OK.
Job approval options

Option

Description

Approval Type

Manual—Use this option for jobs that require a BMC Remedy ITSM administrator to review the job details and impact level prior to approving execution. By default, this option generates a change request with a Change Timing value of  Normal .

Automatic—Use this option for change requests that use an Approval Process Configuration form to automatically approve the request. By default, this option generates a change request with a Change Timing value of No impact.

Emergency—Use this option for jobs that need immediate attention and must be run immediately. By default, this option generates a change request with a Change Timing value of Emergency and an Urgency value of High.

No Approval Required—Use this option if you are not required to enter the additional BMC Remedy ITSM parameters. If a job type requires approval and you select  No approval , the approval mechanism is bypassed and the job executes either immediately or as scheduled.

Change Type

Enter the type of change being requested.

Impact

Select the scope of the change being requested. For example, is the job targeted for one server or a large number of servers? The default value is Minor/Localized.

Risk Level

Select the severity of the change being requested.

 

Executing operations immediately

  1. Click Override Global Scheduling and/or Approval .
  1. For any operation in the Planned Operations list, click the configuration icon ConfigureIcon.gif.
    The Configuration dialog box opens
    ConfigurationDialog.gif
  2. Select the Execute Now tab.
  3. Click  OK.

Enabling auto-remediation (Threat Director only)

Patch Analysis operations can be configured to allow for auto-remediation, which means that when the Patch Analysis operation completes, additional operations are launched automatically to deploy required patches.

You can define auto-remediation so each phase occurs sequentially, or you can schedule each phase of the auto-remediation process.

Notes

To use auto-remediation:

  • Your portal security group must be granted the Threat Director portal level permission; without the Threat Director permission, none of the following sections related to auto-remediation are applicable.

  • A deploy template must be defined for your portal security group, and that deploy template must be an advanced Deploy Job.

    Click here for more information about deploy templates.

    When you specify a deploy template, you identify a BLPackage Deploy Job in BSA that has settings you want to use in BladeLogic Portal. A deploy template's settings can be applied to any Deploy operations you create in BladeLogic Portal, including Deploy operations that are automatically created as part of auto-remediation processes.

    Deploy templates are only applicable when BladeLogic Portal is connected to BSA.

    Administrators can specify deploy templates for a particular security group or they can specify deploy templates the apply across an entire site.

    If you are setting up a Remediation operation in Threat Director that involves auto-remediation, a deploy template must be defined and the designated Deploy Job must be an advanced Deploy job. BMC recommends that you create a stand-alone advanced Deploy Job that is only used as a deploy template. Having a dedicated Deploy Job prevents changes to a live Deploy Job in BSA from affecting operations in the portal that are based on the Deploy Job.

 

  1. For any patching operation in the Planned Operations list, click the configuration icon  ConfigureIcon.gif. The Configuration dialog box opens. It includes two tabs:  Remediation Details and Remediation Setting
    AutoremediationTabs.gif 
  2. Using the two tabs, perform the following steps:
    1. On the Remediation Details tab, specify a job group and depot group to store jobs and depot content that are automatically generated during auto-remediation.
      1. In the navigation tree, expand Depot Group and select a sub-group for storing depot content.
      2. Expand Job Group (you may have to collapse the Depot Group first) and select a sub-group for storing jobs.
    2. Click the Remediation Setting tab.
    3. Select a deploy template and click Details
      Two additional tabs appear: Deploy Settings and Phase Schedules and Execution.
      AutoremediationSetting.gif 
    4. Optionally, inspect the settings of the template by clicking Details. The portal lists settings for the selected job, such as its logging level and reboot settings. To return to the list of template jobs, click Templates.
      NoteMany options are available for controlling a remediation job. See here for a complete list. For instructions on using BMC Server Automation to implement those options, see Setting deploy options for remediation jobs.
    5. To schedule the individual phases of auto-remediation (that is, simulate, stage, and commit), perform the following steps:
      1. Click the Phase Schedules and Execution tab.
        AutoremediationPhasesSettings.gif
      2. Take any of the following actions:

        • If you do not want to schedule the phases of the remediation action, select Do not execute.
        • If you want to schedule all phases to run sequentially, select Execute sequentially and then specify a time zone, a start date, and a time for execution.
        • If you want to schedule each phase individually, select Execute selected phases. Select a time zone. Then specify a start date and time for each phase that you want to schedule. Instead of setting a start time, you can click After Previous Phase to indicate that the phase should begin after the previous phase completes. You can also click Not Scheduled to specify that a particular phase is not scheduled.
    6. Click OK to confirm all auto-remediation settings.

Providing additional configuration for operations

A Remediation Operation wizard can automatically create many different types of operations. For example, it can create Deploy or NSH Script operations. In some situations, these operations may require additional configuration. Those scenarios are described below.

To provide local properties for Deploy operations

If a Deploy operation is deploying a BLPackage and local properties have been defined for the BLPackage, you may need to provide values for the local properties. 

  1. For a Deploy operation in the Planned Operations list, click the configuration icon  ConfigureIcon.gif.
    The Configuration dialog box opens. It includes a tab called Local Properties. If no properties are listed on the tab, no local property values are required. The procedure is complete.
  2. If local properties are listed on Local Properties tab and you want to change the value for a property, click the name of the local property. 
    A dialog box displays information and options about the property.
    EditLocalProperty.gif
  3. Modify the local property value by clicking in the Value text box and entering a new value.
  4. Click OK.
To provide parameters for NSH Script operations

If an NSH Script operation is running script that requires parameter values, you may need to provide values for the parameters. 

  1. For an NSH Script operation in the Planned Operations list, click the configuration icon  ConfigureIcon.gif.
    The Configuration dialog box opens. It includes a tab called Script Properties. If no properties are listed on the tab, no parameter values are required. The procedure is complete.
  2. If parameters are listed on Script Properties tab and you want to change the value for a parameter, click the name of the parameter. 
    A dialog box displays information and options about the parameter.
    EditParameter.gif
  3. Modify parameter values by taking any of the following actions: 
    • To specify whether the operation should use a flag for this parameter, for Flag runtime usage, select one of the following options:
      • Use — The operation uses the parameter flag.
      • Ignore — The operation does not use the parameter flag.
        If the Network Shell script is defined so the job requires a flag for this parameter, you cannot modify the setting.
    • To modify the value of the parameter, click in the Value text box and enter a new value.
      You can only modify parameters that are defined to be editable when the Network Shell script was created. 
      If you want to include a reference to a property in the parameter, enter a variable bracketed with double question marks (such as ??WINDIR??/rsc). Alternatively, you can click Properties to find and select the appropriate property.
    • To specify whether the operation should use a value for this parameter, for Value runtime usage, select one of the following options:
      • Use — The operation uses this parameter value.
      • Ignore — The operation does not use this parameter value.
        If the Network Shell script is defined so the job requires a value for this parameter, this cell is set to Required and you cannot modify the setting. 
        If the parameter is defined so it does not accept a value, and the parameter has never had a value associated with it, you cannot modify the setting.
  4. Click OK.
To select deploy templates

If you are configuring a Deploy operation, you can optionally specify a deploy template, which encapsulates the deploy settings to be used for the new operation. To enable this functionality, a portal administrator must define one or more deploy templates for your site or portal security group.

  1. For a Deploy operation in the Planned Operations list, click the configuration icon  ConfigureIcon.gif.
    The Configuration dialog box opens. If deploy templates are enabled, a tab called Deploy Template appears.
  2. On the Deploy Template tab, select a Deploy job.
    The Deploy job appears in the Selected Deploy Template field. To remove a Deploy template, select the Deploy job again from the list of possible Deploy jobs. 
    DeployTemplateTab.gif 

  3. Optionally, inspect the settings of the template by clicking Details. The portal lists settings for the selected job, such as its logging level and reboot settings. To return to the list of template jobs, click Templates.
    DeployTemplateTabSettings.gif

    Note

    Many options are available for controlling the behavior of a Deploy Job (that is, a deploy template) used for remediation purposes. See here for a complete list. For instructions on using BMC Server Automation to implement those options, see Setting deploy options for remediation jobs.

  4. If you have selected a Deploy template that is defined as an Advanced Deploy job in BMC Server Automation, you can schedule the individual phases of the remediation operation (that is, simulate, stage, and commit). Take the following steps:

    1. Click the Phase Schedules and Execution tab.
      DeployTemplateTabPhaseSchedulte.gif
    2. Take any of the following actions:

      • If you do not want to schedule the phases of the remediation action, select Do not execute. 
      • If you want to schedule all phases to run sequentially, select Execute sequentially and then specify a time zone and a start date and time for when execution begins.
      • If you want to schedule each phase individually, select Execute selected phases. Select a time zone. Then specify a start date and time for each phase that you want to schedule. Instead of setting a start time, you can click After Previous Phase to indicate that the phase should begin after the previous phase completes. You can also click Not Scheduled to specify that a particular phase is not scheduled.
  5. Click OK. The settings in the Deploy job that the template identifies are used to define the Deploy operation.

 

Using the Operation page - BNA

The Operation page lists the operation being created by the Remediation operation wizard. When you are using BMC Network Automation, the Remediation wizard only creates a single remediation operation.

This page also lets you define a schedule for the operation.

VulnMgmtOpOperationsBNA.gif

Defining a schedule

  1. Click With Schedule.
  2. Click the clock icon ClockIcon.gif beside Run Once At.
    An interface similar to a digital clock appears.
    DigitalClock.gif
  3. Set the hour and time for the operation. Then click AM or PM to toggle between those choices.
  4. Select the date when the operation runs.
  5. Select a time zone for the operation.

Executing operations immediately

You can schedule the operation to run immediately after you finish the Remediation operation wizard by clicking Execute Now.

Requesting job approvals

If you integrate BladeLogic Portal with BMC Atrium Orchestrator, you can request a job approval through BMC Remedy ITSM Change Management.

Note

When requesting job approval, be aware of the following issues:

  • Only external approval types are supported, such as approval through BMC Remedy ITSM. Approvals defined within BNA, such Single Approval or Multiple Approvals) do not appear in the Remediation wizard.
  • In BNA, job approval should be enabled for Remediate actions.
  • In BNA, if the Change Timing value is set to Latent in BNA, that approval type does not appear in the Remediation wizard.
  • If job approval is not enabled in BNA and you select job approval on the Operations page, the approval request is ignored and the operation behaves as if you did not request job approval.
  • To use job approvals with BNA operations, you must be running BMC Network Automation version 8.9.02 Hotfix 7 or later. 


To request job approval

Under BAO Approval Information, for Approval Type, select a type of approval. Approval types are defined in BNA. If you want to customize the approval request, click Show Advanced Options and provide the information described below in Job approval options. You can request job approval for both scheduled operations and operations you execute immediately.

Job approval options

Option

Description

Approval Type

Approval types are defined within BNA and can be different for every installation.

Change Type

Enter the type of change being requested.

Impact

Select the scope of the change being requested. For example, is the job targeted for one server or a large number of servers? The default value is Minor/Localized.

Risk Level

Select the severity of the change being requested.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*