Basic conditions are common building blocks of discovery signatures and compliance rules.

Basic conditions perform analyses on configuration objects. Using basic conditions, you can check for the presence, absence, or number of occurrences (the cardinality) of a configuration object. In addition, you can evaluate configuration object properties or component properties by comparing them with constant values or with other properties.

Basic conditions that analyze properties always consist of a left-hand side (LHS) operand, a comparison operator, and a right-hand side (RHS) operand, for example: ??TARGET.OS?? equals "Windows". (For the between operator, two RHS operands are required.) Certain types of cardinality conditions consist of only one operand and an operator and have no right-hand side operand, for example: "File:/C/a.log" exists.

For a basic condition to be valid, the operands and operator must refer to the same data type, as discussed in Operand data types and operator compatibility. Each condition returns a logical value of either TRUE or FALSE. Conditions can be combined, nested, or used in conditional structures or loops to create complex expressions for evaluation.

The assign operator and the persist operator are special types of operators that are also available for use within basic conditions. These operators enable you to assign a value to a property, so that you can then use the property as a variable in subsequent conditions in your rule. The remediate operator enables you to execute a shell command as a remediation action at the end of compliance analysis. This operator is typically used in a then statement within a conditional construct.

To define a basic condition

  1. Within the basic condition line that you added (using the New Condition icon), click the Select (down arrow) icon of the LHS (left-hand side) field.
  2. Define the LHS operand through the displayed selection box. The following table lists the top-level branches that appear in this selection box, and describes how you can use each of these branches to define the LHS operand.

    Branch: Component Properties

    How to use: Expand this branch to select a component property from a hierarchical list of component properties.

    If necessary, prepare an appropriate local property through the Local Properties tab.

    Note: When you prepare a component property for use as a transient variable, add it as a local property to the component template and give it a name that begins with the VAR_ prefix (in uppercase).

    Branch: Configuration Objects (1)

    How to use: To select a new configuration object, click New Configuration Object under this branch to open the Configuration Object Selection box. In this box, select a configuration object (such as a file or directory), either from a list of local template parts or from a tree-structure list of server objects, and then click OK to return to the initial selection box. Afterwards, do one of the following:

    • To check for the presence or number (cardinality) of the configuration object, click the string that represents the configuration object.
    • To analyze a property of the configuration object, select one of the properties listed below the configuration object.

    To select a configuration object or configuration object property that was recently used in the rule, either click the branch of the specific configuration object or expand that branch and click one of the properties listed below it.

    Branch: Loop Iterator Properties (2)

    How to use: For a basic condition within a loop, expand this branch to select a property of the configuration object specified in the current loop. For more about loops, see Defining a loop. Note that this branch appears only within a loop.

    Branch: Configuration Object Types (1)

    How to use: Use this branch to specify a property of the configuration object based on its object type. First expand this branch and select an object type from the full list of object types. Then manually enter the full path to the configuration object directly into the LHS operand field, as described in step 3.


    (1) Certain types of server objects cannot be included as configuration objects in compliance rules. Such server objects cannot be selected from the tree-structure list of server objects, and they do not appear in the list of configuration object types. These object types include various lists and containers of multiple server objects, as represented by top-level Live nodes such as Configuration, Extended Objects, and System Info.
    Before including a local configuration object from the component template in your rule, ensure that the component template has been saved since the local configuration object was defined.
    (2) Loops are used in compliance rules but not in a discovery signature.
    Your selection appears in the LHS operand field.

    • A configuration object appears as a string with the following syntax: "objectType:objectPath" (for example: "File:/C/a.log"). A property of the configuration object is appended to this string after a period (for example: "File:/C/a.log"."size" or "Directory:/tmp"."User Owner Name").

      A noteworthy example of an object type is the Command configuration object. The Command object enables you to execute shell commands and analyze their output. For example:
      • "Command:cat /etc/passwd|wc -l".int is an LHS operand for analyzing an integer-type command output.
      • "Command:which rpcinfo".Out_Put is an LHS operand for analyzing the textual output of a command.

      Use of the Command object type replaces the need to define a command or script during the creation of a configuration object through the Local Configuration Objects tab. The Command object can also be used in combination with the remediate operator to execute a shell command as a remediation action at the end of compliance analysis. To use the Command object in this manner, specify the shell command without appending a property to it. This combination of operand and operator is typically used in a then statement within a conditional construct.

      Note

      To support the execution of commands through Compliance rules, ensure that the ComponentTemplate.ExecuteCommand authorization is assigned to the template (through the Permissions panel during template creation or through the Permissions view). 

    • A component property appears as a string with delimiting pairs of question marks both before and after the property name (for example: ??PATH??). For a nested property, the typical syntax for the property string is ??propertySubclass.propertyName?? (for example: ??GROUP.GROUP ID??).

      Note

      If the field already contained a textual string, the new component property is inserted at the current cursor position or replaces the selected text, but does not replace the full textual string.

      A component property can also be used to define a variable that you can use in subsequent conditions in the rule. To use a component property in this manner, associate it with one of the following operators: 

      • The assign operator can be used to assign a transient value that is not saved to the database, but rather stored temporarily only for the duration of rule execution. Use this operator if you want to avoid unnecessary storage of data in the database and do not plan to perform remediation based on the results of the compliance rule analysis. The property set class (PSC) data type is not allowed; you can use String, Int, Boolean, and so on as data types. It is recommended that you use only local properties of the component template for the rules under evaluation.
        For example, the statement ??VAR_List_String?? := "Command:ls -l".StringList assigns the string list output of a command to the ??VAR_List_String?? component property (:= represents the assign operator).
      • The persist operator can be used to assign a value that is persisted in the database. Use this operator if you plan to perform remediation based on the results of the compliance rule analysis. Create a property set class (PSC), and the Compliance Engine creates a property set instance (PSI) for you automatically. When you run the Compliance Job for the first time, the LHS value of the persist operator condition is displayed as NULL even if it is set in the property dictionary.
        For example, the statement ??VAR_test_prop.test_value?? persist Foobar assigns Foobar to the VAR_test_prop component property with a test_value property class instance. Note that you need to use the property class instance with the component property when using the persist operator.
  3. In addition to, or instead of, defining the LHS operand through the selection box as described in step 2, you can edit or type directly into the LHS operand field. In this way, you can parameterize the configuration object path (for example: "File:??APP_DIR??/*.tmp"), or you can use the following wildcards in the configuration object path:

    Wildcard               Explanation

    *                      Match multiple characters. This pattern does not match a path separator character, such as /. Consequently, a path using this wildcard does not recurse through lower directories.

    **                     Match multiple characters, including path separator characters. Using this wildcard allows a path to recurse through lower directories.

    ?                      Match any single character.

    [character sequence]   Match any single character if it is included in the bracketed characters.

  4. In the next drop-down box to the right, select a comparison operator (such as contains or equals). Only relevant operators are available:
    • For a configuration object, only cardinality operators are available: exists, does not exist, and the various count operators. For a Command configuration object, the remediate operator is also available, enabling you to apply a shell command as a remediation action at the end of compliance analysis.

    • For a property, only those comparison operators that are relevant to the data type of the property specified in the LHS field are available for selection.
      For a full list of operators and the data types that support them, see Operand data types and operator compatibility.
    • To define a value for a property, so that you can use the property as a variable in subsequent conditions in the rule, choose the assign operator or the persist operator.
  5. In the right-hand side (RHS) field, enter an operand in one of the following ways:
    • Type in a configuration object property string, component property string, or a constant or parameterized value or range of values. How you specify a value, as well as what values are available, depends on your input in the LHS and operator fields.
    • Click the Select (down arrow) icon and select a configuration object property, a component property, or (within a loop) a loop variable property, as done in the LHS field.

    Notes

    • No RHS operand is required for the exists and does not exist cardinality operators.
    • No RHS operand is required for the remediate operator, which can be used together with a Command configuration object that you specify in the LHS operand.
    • For certain Windows Security Setting policies, you must use the relevant pre-defined Windows value in the RHS field. For example, for Security Settings\Local Policies\Audit Policy\Audit account logon events, compare the configuration object in the LHS field to an RHS value range of 0-3 (0=Audit No Auditing, 1=Audit Success, 2=Audit Failure, 3=Audit Success and Failure), rather than textual values.
  6. Click Apply Condition Value at the end of the condition line to apply your changes to the condition (or, alternatively, leave the condition line by clicking outside of it).
    You can click Cancel Edit Operation to cancel any editing that you performed on the condition line as long as you have not yet applied your changes.
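The following Python is an added example, not part of this documentation and not the product's own matching engine. It implements the operand syntax described in step 2 ("objectType:objectPath" with an optional ."property") together with the parameter substitution and wildcard rules from step 3, so that you can check which files an LHS operand such as "File:??APP_DIR??/*.tmp" would select before committing a rule. The property dictionary, property names and file paths are constructed assumptions.

```python
import re

# Constructed property dictionary and file list (assumptions for this example).
PROPERTIES = {"APP_DIR": "/opt/app", "TARGET.OS": "Linux"}
FILES = ["/opt/app/a.tmp", "/opt/app/a.log", "/opt/app/logs/b.tmp", "/opt/app/logs/deep/c.tmp"]

# Operand syntax from step 2: "objectType:objectPath", optionally followed by
# ."Property Name" (quoted) or .property (unquoted), e.g. "File:/C/a.log"."size".
OPERAND_RE = re.compile(r'^"(?P<type>[^:"]+):(?P<path>[^"]*)"'
                        r'(?:\.(?:"(?P<qprop>[^"]+)"|(?P<prop>\w+)))?$')
# Wildcard tokens from step 3, longest first so ** is not read as two *.
TOKEN_RE = re.compile(r"\*\*|\*|\?|\[[^\]]+\]|.", re.S)

def parse_operand(text):
    """Split a configuration object operand into (object type, path, property)."""
    m = OPERAND_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a configuration object operand: {text}")
    return m.group("type"), m.group("path"), m.group("qprop") or m.group("prop")

def substitute(path, props):
    """Replace each ??NAME?? parameter in the path with its component property value."""
    def repl(m):
        if m.group(1) not in props:
            raise KeyError(f"undefined component property {m.group(0)}")
        return props[m.group(1)]
    return re.sub(r"\?\?([^?]+)\?\?", repl, path)

def wildcard_to_regex(pattern):
    """Translate the wildcard table: * and ? stop at a path separator, ** crosses it."""
    parts = []
    for tok in TOKEN_RE.findall(pattern):
        if tok == "**":
            parts.append(".*")
        elif tok == "*":
            parts.append("[^/]*")
        elif tok == "?":
            parts.append("[^/]")
        elif tok.startswith("["):                 # bracketed character sequence
            parts.append("[" + tok[1:-1].replace("\\", "\\\\") + "]")
        else:
            parts.append(re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")

def matching_paths(operand, props=PROPERTIES, candidates=FILES):
    """Return the candidate paths matched by the operand's parameterized, wildcarded path."""
    _obj_type, path, _prop = parse_operand(operand)
    regex = wildcard_to_regex(substitute(path, props))
    return [p for p in candidates if regex.match(p)]
```

The table above does not specify every edge case (for example whether ** followed by / also matches a file directly in that directory), so use this only to check the documented semantics and confirm the final rule against the product itself.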

Related topic

Examples for creating compliance rules