Documentation update: To provide a better user experience, we have now created a separate documentation space for BMC Helix Automation Console (previously called BMC Helix Vulnerability Management). Users of BMC Helix Automation Console can find the latest documentation at BMC Helix Automation Console.

Working with compliance scan policies


This topic provides instructions on creating, viewing, enabling, disabling, and removing compliance policy scans.

To understand the concept of compliance policies, see Compliance-policy-scans.

For managing compliance, your TrueSight Server Automation version must be 21.02 or later.

Adding a compliance scan policy

On the Manage > Manage Compliance Scan Policies page, click Create Compliance Policy Scan and do the following:

  1. Click Browse to select a compliance scan policy template.
    Compliance templates available in TrueSight Server Automation appear. Compliance templates that have local instances defined in TrueSight Server Automation do not appear in the list.
  2. Enter a unique name for the scan policy.
  3. Select a risk score for the policy. 
  4. Click Select Asset Groups and select one or more asset groups (server smart groups or static groups in Server Automation) on which you want to run this compliance scan job. 
  5. In the Policy Schedule section, specify a schedule for the policy:
    1. Daily: Click the clock icon in the Time field, and specify the time.
    2. Weekly
      1. From the Recur Every list, select the number of weeks after which the policy should run again. 
      2. Click the clock icon in the Time field, and specify the time.
      3. Specify the days of the week when the schedule should run.
    3. Monthly: Click the clock icon in the Time field, specify the time, and then specify one of these options:

      • Specify the frequency (first, second, third, or fourth) and the day of the week for the schedule.
      • Specify the day in every month when the schedule should run. 
      • Select the last day of every month.  

      The schedule summary is displayed.

  6. Save the policy. 

After you save the compliance scan policy, it appears on the Manage Compliance Scan Policies page with its asset scope and a status of Enabled, and it runs according to the schedule defined in the policy.

Executing a compliance scan policy

You can run a patch policy immediately after adding it. You cannot execute a policy that is disabled or already running.

On the Manage > Manage Compliance Scan Policies page, do the following:

  1. Select a policy and click Actions > Execute now.
  2. Click Continue.

Viewing compliance policy scan results

On the Manage Compliance Scan Policies page, you can see the policies available in the product and additional information such as name, selected assets, last run date and time, and status.

After a policy runs according to the schedule, the results are displayed on the Scan Results page.

To view the results, do the following:

  1. Click the policy name.
    The Scan Run Results page shows results of each policy scan according to the schedule.
  2. To view results for any previous scan, select the particular scan in the Scan Start Time column. 
    [Image: Compliance Policy Scan Results, showing the results of a policy scan]
    The following details are displayed: 
    • Date, time, duration, and status of the policy scan
    • Total number of assets scanned by the policy
    • Number of assets that were scanned successfully (Assets Compliant) or with warnings (Assets Non-Compliant), and failed scans (Assets Failed)
    • List of assets scanned by the policy and the number of compliant, non-compliant, and indeterminate rules
    • Logs for the policy that contain errors and warnings, if any
  3. To view the policy results for each asset, click the asset name. The following details are displayed:
    • Policy name and the scan date and time
    • Number and the list of rules evaluated, segregated into Compliant, Non-compliant, and Indeterminate stages. 

Disabling and enabling a compliance scan policy

You may want to stop running scanning policies for a while or the policy may no longer be relevant. You cannot disable a policy if it is used by any operation. In such a case, delete the operation first, and then disable the policy. 

On the Manage > Manage Compliance Scan Policies page, do these steps: 

  • Select a policy, click Actions > Disable, and then click Continue.
    The policy status changes to Disabled and the policy no longer runs according to the schedule. It still appears in the Compliance scan policy list. 
  • Select a policy and click Actions > Enable.
    The policy status changes to Enabled and the policy runs according to the schedule.

Removing a compliance scan policy

You cannot delete a policy if it is used by any operation. In such a case, delete the operation first, and then delete the policy. 

When you remove a policy from the Automation Console, it continues to exist in TrueSight Server Automation.

On the Manage > Manage Compliance Scan Policies page, do the following:

  1. Select a policy and click Actions > Remove.
  2. Click Continue.


 
