This topic walks you through the process of remediating a compliance failure, that is, correcting deficiencies that were discovered on a server by a Compliance Job in BMC Server Automation (BSA). This topic includes the following sections:
This topic is intended for system administrators and compliance officers who are responsible for ensuring that server configurations adhere to industry and organizational standards.
The goal of this topic is to demonstrate how to remediate a server, that is, to bring a server into compliance with rules in your component template after it failed a Compliance Job based on that component template.
What does this walkthrough show?
This walkthrough shows how to remediate compliance failures by deploying a remediation package to a target server where compliance rules failed. In this example, we will remediate just one failed check on an individual server.
What do I need to do before I get started?
This walkthrough assumes that you have already run a Compliance Job (as in the example in Walkthrough: Compliance audit based on a policy), and reviewed its results (as described in Walkthrough: Reviewing the results of a compliance check).
The current walkthrough demonstrates a remediation process after running a Compliance Job that took advantage of an out-of-the-box component template for an external policy (in this case, the DISA policy). Out-of-the-box templates are obtained when you load BSA compliance content, as described in Walkthrough: Loading compliance content. You can, alternatively, use a component template that you created and in which you defined your own compliance rules based on your organization's unique regulatory standards, as described in Walkthrough: Creating a compliance template.
Before you run the Compliance Job, you must ensure that the component template is set to support remediation, as controlled by the following settings. For more information about these settings, see How to create compliance job remediation.
- On the component template's General tab, under Allowed Operations, the Compliance check box and (under Compliance) the Allow Remediation check box must be selected.
- For any compliance rule that you might want to remediate, a BLPackage must be prepared and associated with the rule. In the Rule Editor for the individual rule in the component template, on the Remediation tab, ensure that the Deploy the following BLPackage remediation action is selected, and that a BLPackage is specified.
In an out-of-the-box component template from the compliance content, BLPackages are already associated with many of the rules (as relevant). In a template that you create, you are responsible for creating the BLpackage and associating it with the compliance rule. For more information about this task, see Walkthrough: Creating remediation objects for a compliance template.
For this walkthrough, we have logged on as BLAdmin, the default superuser for BSA. In live deployments, BMC recommends that you grant access based on roles with a narrower set of permissions. Ensure that the role that you use has permission to deploy files on the target host.
How to manually remediate compliance failures
In the Jobs folder, navigate to your Compliance Job. Right-click the job and select Show results. A tab at right shows the job results.
In the job results tab, expand a job run. Then expand the Server View node and one of the servers under the Server View node. Finally, under the server node, expand and select the component created for that server.
A list of compliance rule sets is displayed under the component. Rule sets and rules (children of rule sets) that are shown in bold are not compliant. The list of rule sets is displayed also in the pane at right, with non-compliant rule sets shown in red.
Scroll down to the Minimum Password Age compliance rule (either in the tree display on the right or in the list on the left), right-click it, and select Remediate. In this example, we will remediate only one rule.
In the Remediate Job Result window, enter the following information:
A progress bar is displayed. The remediation package is created in the Depot and the Remediation Job is opened for editing.
In the Remediation Job window, browse through the various tabs. You have the option of editing any of the displayed settings, as described in the various topics about the individual tabs, which are listed and linked to in To create a BLPackage Deploy Job. For the current walkthrough, the default settings are sufficient.
Then click OK.
You can now view the newly created package and job that were generated:
To run the new job, right-click the job and select Execute.
The job is displayed in the Tasks in Progress view.
After the job has completed executing, right-click the job and select Show Results.
The job run status is displayed. You can track the job as it passes through the Simulate, Stage, and Commit phases.
Wrapping it up
Congratulations. You have successfully remediated a compliance failure and have brought your server into compliance with an important rule from the regulatory standard that your organization follows.
Where to go from here
After completing the remediation process, it is recommended that you run the Compliance Job once again, to ensure that the compliance failures that were detected in the previous job run have been resolved and are no longer detected by the Compliance Job. For a walkthrough of an example Compliance Job, return to Walkthrough: Compliance audit based on a policy.