Running a Compliance Job based on Compliance Content templates
The component templates provided in Compliance Content libraries were designed specifically as the basis for Compliance Jobs that enable you to analyze your compliance with industry standards.
This topic explains how to run a Compliance Job based on a Compliance Content component template.
Considerations and limitations
- Compliance Jobs based on Compliance Content templates scan only the local file system on the target server, excluding all remote mounted file systems.
- Compliance Jobs based on Compliance Content templates use various extended objects that are stored in the file server. Therefore, if at any point you switch to a new file server for the storage of TrueSight Server Automation files, ensure that you copy all existing files from the old file server to the new file server. For more information about file server configuration, see Configuring the file server.
- If you are using SOCKS proxies, Compliance Jobs might fail due to inability to access the required extended objects in the file server behind the SOCKS proxy (and an SSL_connect error is issued). To avoid this issue, configure the Application Servers to route traffic to Network Shell proxy servers.
For information about Network Shell proxy servers, see Setting up a Network Shell proxy server. For information about SOCKS proxies, see Setting up communications with remote servers.
Before you begin
- Ensure that target components have already been discovered against the appropriate template, as discussed in Running a Component Discovery Job. Alternatively, you can choose to authorize your Compliance Job to perform automatic component discovery, so that components are generated later on, just before they are analyzed for compliance.
- Ensure that the location defined by the STAGING_DIR target property exists on target servers. By default the staging directory is \temp\stage (on Windows) or /var/tmp/stage (on UNIX).
- For the CIS and PCIv2 templates for Windows, ensure that you have set the following properties to the appropriate values:
  - DOMAIN - whether the target server is a Domain Controller (a value of DC) or a Member Server (a blank value, the default).
  - IS_SSLF property to true if the server profile is Specialized Security - Limited Functionality (SSLF), and false otherwise.
  - PCI Properties/CIS Properties properties to one of the following values, depending upon the server profile:
    - ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
    - ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
    - SSLF_MEMBER_SERVER, for a Member Server with Specialized Security - Limited Functionality (SSLF)
    - SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
- If you plan to remediate failed components for a single rule group rather than for all compliance rules in a SOX component template, you must uncomment the duplicate rules within the rule group before you run the Compliance Job. For more information, see Uncommenting duplicate rules for rule-group remediation.
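As an added example (not part of the product documentation or the vendor's tooling), the following shell pre-flight covers two points above for a UNIX or Linux target: it confirms that the staging directory exists and flags paths that sit on remote mounts, which the job excludes from the scan. The function names, the list of file-system types treated as remote, and the use of a /proc/mounts-style mount table are assumptions.

```bash
# Added example, not product code. Assumed: the function names, the list of
# remote file-system types, and a mount table in /proc/mounts format.
REMOTE_FS_TYPES="nfs nfs4 cifs smbfs smb3 afs ceph 9p lustre fuse.sshfs fuse.glusterfs"

# Print "fstype mountpoint" for the mount holding path $1 in mount table $2:
# longest mount-point match, later entry wins a tie. Symlinks not resolved.
covering_mount() {
    awk -v p="$1" '
        BEGIN { best = -1 }
        {
            mp = $2; gsub(/\\040/, " ", mp)      # spaces are escaped as \040
            under = (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (under && length(mp) >= best) { best = length(mp); fs = $3; hit = mp }
        }
        END { if (best >= 0) print fs, hit }
    ' "${2:-/proc/mounts}"
}

# Return 0 if path $1 sits on a remote mount, which the job does not scan.
path_is_remote() {
    case " $REMOTE_FS_TYPES " in
        *" $(covering_mount "$1" "$2" | cut -d' ' -f1) "*) return 0 ;;
    esac
    return 1
}

# usage: preflight MOUNT_TABLE STAGING_DIR PATH...
# Prints one line per finding; returns 0 only when nothing needs attention.
preflight() {
    table="$1"; stage="$2"; shift 2; rc=0
    [ -d "$stage" ] || { echo "MISSING staging directory: $stage"; rc=1; }
    for p in "$@"; do
        path_is_remote "$p" "$table" && { echo "NOT SCANNED (remote mount): $p"; rc=1; }
    done
    return "$rc"
}

# Constructed sample mount table (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw 0 0
filer01:/export/home /home nfs4 rw 0 0
/dev/sdb1 /home/local xfs rw 0 0
//nas01/share /mnt/team\040share cifs rw 0 0
EOF
}

# Run against the live host when called as: script STAGING_DIR PATH...
[ "$#" -eq 0 ] || preflight /proc/mounts "$@"
```

A local file system mounted beneath a remote one (here /home/local under /home) is still reported as scanned, because the check uses the longest matching mount point rather than the first prefix match.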
To create and run a compliance job
Choose between the following types of compliance analysis:
- Run a regular Compliance Job. For instructions, see Creating Compliance Jobs.
- For large-scale compliance analysis on UNIX or Linux servers, customize and run an out-of-the-box Batch Job that includes a Compliance Job and a Network Shell Script Job. For more information, see also Choosing between a regular Compliance Job and a Batch Job.
- For large-scale compliance analysis on Windows servers, run a special out-of-the-box Compliance Job, as described in Customizing and running Scale Jobs for large numbers of servers.