Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Monitoring BMC Cloud Lifecycle Management service compliance


Compliance and security checks are of prime importance to IT administrators who manage data centers: insufficient security and compliance checks leave systems vulnerable to outside attacks. BMC Cloud Lifecycle Management leverages BMC Server Automation, a leading solution for creating and managing compliance content and remediating violations; BMC Server Automation patches vulnerable systems by applying security patches and regular updates. Compliance and overall security are often treated as day 2 operations, performed after a server is provisioned. Use the BMC Cloud Lifecycle Management – My Cloud Services Console or End User Portal (EUP) to set compliance as a day 2 operation in a greenfield or brownfield environment, or use the BMC Cloud Lifecycle Management – Administration Console to set compliance through the service blueprint.

Overview of Compliance

Technical and operational standards exist to protect sensitive data held in the data center. To achieve accreditation, the data center must prove compliance with existing standards. BMC Server Automation Compliance Content libraries provide you with add-on content for BMC Server Automation, containing rule sets to automatically analyze compliance for every server in the data center. These sets of rules are based on the following standards and policies:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG)
  • Sarbanes-Oxley (SOX) Act
  • Payment Card Industry (PCI) Data Security Standard (DSS) requirements developed by the PCI Security Standards Council
  • Center for Internet Security (CIS) benchmarks

Results from analyses performed based on Compliance Content component templates can be used both to document the current situation and as a basis for bringing non-compliant servers into full compliance with the standard. Using BMC Server Automation Compliance Content, you can

  • Discover relevant target servers and analyze those servers for compliance with major regulatory standards and best-practice policies
  • Remediate compliance failures that were discovered by deploying BLPackages
  • Generate reports with summaries of compliance details, similar to policy audit sheets

For a list of Compliance Content component templates, see Compliance Content component templates.

For more information about using Compliance Content add-ons to analyze and remediate compliance with standard policies, see Compliance-Content-analysis-and-remediation.

Notes

The pre-defined component templates provided in BMC Server Automation Compliance Content libraries reflect a generic interpretation of the compliance standards, and cannot take into account the specific situation within your organization. Therefore, certification cannot be assumed and is not implied based solely on successfully complying with the rules within these templates. Additional measures, such as manual compliance checks, may be required to achieve certification.

The Payment Card Industry (PCI) Data Security Standard templates are provided in two groups, one group of templates for PCI version 1 and one group for PCI version 2.

Warning

The BMC Regulatory Compliance Templates (Policies) provided by BMC come with remediation actions for many of the standard checks, for cases in which a rule check fails and corrective action may be necessary to bring servers to the desired state. BMC recommends that customers carefully review all the shipped remediation actions. BMC supplies an Auto remediation flag, which is set to false by default, to ensure that no changes are made to managed servers when a compliance rule check fails. If the auto remediation flag is set to true, BMC Server Automation makes changes to the servers as part of the remediation package Deploy Job. It is the customer's responsibility to control the remediation actions, including auto remediation actions, performed in their environment.

For an overview of compliance analysis and remediation, see Analyzing-system-compliance in the BMC Server Automation Documentation.


Supported platforms for compliance

The following table lists the platforms that support compliance:

Platform                                | Day 1 compliance | Day 2 compliance
----------------------------------------|------------------|-----------------
VMware                                  | Supported        | Supported
LPAR                                    | Supported        | Supported
Hyper-V                                 | Supported        | Supported
Bare Metal                              | Supported        | Supported
Physical Server                         | Supported        | Supported
Xen                                     | Supported        | Supported
VM Onboarding                           | Not Supported    | Supported
AWS                                     |                  |
vCloud Director                         | Not Supported    | Not Supported
OpenStack                               |                  |
Azure                                   |                  |
Azure Resource Manager (New in 4.6.06)  |                  |
Docker                                  | Not Supported    | Not Supported
IBM Bluemix Infrastructure              | Not Supported    | Not Supported
BMC Database Automation                 | Not Supported    | Not Supported
Cloud Foundry                           | Not Supported    | Not Supported

Note

Starting from version 4.6.03, compliance at the service level is available for AWS, OpenStack, and Azure.



Setting up compliance in a Greenfield environment

By default, BMC Cloud Lifecycle Management supports HIPAA, PCI, SOX, DISA, and CIS templates, as well as custom templates created by the BMC Server Automation administrator. To configure compliance in a new BMC Cloud Lifecycle Management installation, the cloud administrator must perform the following tasks:

  1. Locate and download the Compliance Module installer based on the platform (for example, BBSA 8.7.00 Server Automation for Windows[x64]) from the BMC EPD site http://usermanager.bmc.com/intepd after successfully installing BMC Server Automation.
    The installer contains Compliance templates, which BMC releases periodically.
  2. Unzip the downloaded file (for example, BBSA87-WIN64).
  3. Double-click the executable file (for example, Content87-WIN.exe) and install the entire content or selected content based on your requirement.

    For detailed information on BMC's Compliance solution, see Installing-Compliance-Content-add-ons and How-to-load-Compliance-Content in the BMC Server Automation online technical documentation.

    Note

    If the cloud administrator uses domain-based user authentication instead of the standard BLAdmin user, the cloud administrator must ensure that the specified domain user has read, write, and execute permissions on BMC Server Automation objects.

  4. Restart the Platform Manager.
    Compliance jobs are then created automatically. These jobs are visible as compliance standards in BMC Cloud Lifecycle Management.
  5. (Optional) To enable compliance during provisioning, ensure that you select the Enable auto-discovery check box in BMC Server Automation for the specific compliance job that you selected when you set up the service blueprint.


Setting up compliance in a Brownfield environment

To configure compliance in BMC Cloud Lifecycle Management when a customer already has BMC Server Automation with the compliance feature up and running, the cloud administrator must integrate the existing BMC Server Automation server with the BMC Cloud Lifecycle Management environment by performing the following tasks:

  1. Use the BMC BladeLogic Server Automation Console to log in to the BMC Server Automation application server.
  2. Navigate to a specific job (for example, CIS_Daily).
  3. Set the CSM_OPS_DISCOVERABLE server property to true.

    Note

    CSM_OPS_DISCOVERABLE is added automatically to the BMC Server Automation server under the Job Property class when BMC Cloud Lifecycle Management starts up and connects to BMC Server Automation.

    In other words, in a brownfield environment, when you upgrade to BMC Cloud Lifecycle Management version 4.6, this property is created automatically during startup.

    BL_console1.gif

    The selected compliance jobs show as compliance standards in BMC Cloud Lifecycle Management in the next scheduled update.

  4. (Optional) To enable compliance during provisioning, ensure that you select the Enable auto-discovery check box in BMC Server Automation for the specific compliance job that you selected when you set up the service blueprint.
Note

If you change the compliance content after the existing Compliance jobs are completed, the changed contents are not part of their respective templates and therefore, the BMC Server Automation administrator (BLAdmin) must manually add the new templates to the Compliance jobs and run the necessary Discovery jobs for the existing servers. The servers provisioned after adding the new templates are automatically discovered by using the new templates added to the respective jobs.


Configuring compliance for third-party providers

Starting from version 4.6.03, setting up compliance for platforms such as Azure, Amazon Web Services (AWS), and OpenStack is similar to setting it up for BMC Server Automation, which is an on-premises provider. For details on how to set compliance, see Creating, copying, or editing a service blueprint and Configuring compliance for multiple servers.

Prerequisites

Before you enable compliance for third-party providers, ensure that the following prerequisites are met:

  • The RSCD agent is installed and running on the provisioned VM.
  • The provisioned VM is on a BMC Server Automation-accessible network, so that the RSCD agent is reachable from BMC Server Automation when the Compliance Job is executed.

Note

The Compliance Job status does not show up in BMC Server Automation because the Compliance Jobs are queued up for execution. By design, Azure instance endpoints for RSCD cannot be opened simultaneously. The CloudService port forwarding logic opens up only one VM port at a time. As a workaround, you can use a VPN. In the Compliance Job, you can configure a start hook and an end hook where the port can be opened and closed respectively.


Configuring compliance for a single server

If compliance is not configured at service definition time or compliance needs to be changed post provisioning, the cloud administrator can configure compliance using the My Cloud Services console or End User Portal (EUP).

Perform the following steps if you want to specify a compliance standard for a single server:

  1. Navigate to My Cloud Services console > My Resources tab > Resource list.
  2. Click the hyperlink for the specific server as shown in the following figure:
    Selecting_specific_server.gif
  3. On the Server details page, click Configure Compliance as shown in the following figure:
    Configure_compliance_server_EUP2.gif

    Note

    You can also perform steps 2 and 3 by selecting the check box to the left of the specific server and then, from the Actions section, selecting Configure Compliance. Note that the Actions section appears on specific column values depending on the context.

    Configure_compliance_server_EUP.gif

  4. On the Configure Compliance dialog box, in the Search Compliance Jobs field, specify a compliance job that must be run.
    Configure_compliance_dialog_box.gif

    Note

    By default, compliance jobs are scheduled Daily, Weekly, or Monthly. Compliance is designed to be executed in compliance windows set by the BMC Server Automation administrator, and compliance jobs run on the schedules that this administrator sets.

    To schedule compliance jobs, the BMC Server Automation administrator must perform the following tasks:

    1. Use the BMC BladeLogic Server Automation Console to log in to the BMC Server Automation application server.
    2. Navigate to a specific job (for example, DISA_Weekly).
    3. Double-click the selected job and go to Schedule.
    4. Edit the existing schedule to set a value based on the organization's compliance window.

      BL_console2_job schedule.gif

    For details about setting compliance schedules in BMC Server Automation, see Compliance-Job-Scheduling.

  5. Click OK.
    Once compliance is configured, the compliance of your servers is displayed as shown in the following figure:

    Server_compliance_details.gif

  6. (Optional) Modify existing compliance or add new compliance by clicking Add/Remove Jobs.

    Note

    On the My Cloud Services console > My Resources tab > Compliance pane, the details for a selected server show only the last job run, even if that server has multiple compliance jobs associated with it. For example, if the server has three jobs, the Compliance pane does not show the details for all three jobs; it shows only one job's last-run status details.

  7. (Optional) Clear the selected compliance standards from a server to remove any associated compliance.

    Note

    If PCI compliance is set for a server, the discovery job creates a compliance component under the PCI template. However, if you change the compliance to DISA, a new component is created for this server under DISA, but the PCI component is not deleted. The earlier component (PCI) is harmless and remains in BMC Server Automation until the server is decommissioned.

    Therefore, when the compliance standard for the server is changed, you must manually delete the discovery signature from BMC Server Automation.


Configuring compliance for multiple servers

The cloud administrator must select multiple servers to perform the following actions:

Adding the same compliance standard to several servers at a time

The cloud administrator must perform the following steps to specify the same compliance standard for several servers at a time:

  1. Navigate to My Cloud Services console > My Resources tab > Resource list.
  2. Select one or more check boxes to the left of the servers list.
  3. Click the Actions menu.
    The Actions menu appears on specific column values depending on the context.
  4. Select Configure Compliance from the menu.
  5. On the Configure Compliance dialog box, in the Search Compliance Jobs field, specify a compliance job that must be run.
  6. Click OK.


Changing the existing compliance standard on several servers at a time

The cloud administrator must perform the following steps to modify the compliance standard for several servers at a time:

  1. Navigate to My Cloud Services console > My Resources tab > Resource list.
  2. Select one or more check boxes to the left of the servers list.
  3. Click the Actions menu.
    The Actions menu appears on specific column values depending on the context.
  4. Select Configure Compliance from the menu.
  5. On the Configure Compliance dialog box, under the Search Compliance Jobs field, clear the check box for the existing compliance job or specify an additional compliance job.
    In the following example, the same compliance jobs, PCI_Daily and HIPPA_Daily, exist on all the selected servers:
    Modifying_existing_compliance_for_multiple_servers.gif

    In the following example, different compliance jobs, PCI_Daily and SOX_Daily, exist on the selected servers:
    Modifying_existing_compliance_for_multiple_servers2.gif
  6. Click OK.


Viewing the Activity Log when compliance is configured

After compliance is configured, cloud administrators can navigate to Cloud Services console > My Resources tab > Activity Log to view the progress or check if any failures have occurred during the process.

The following figure shows the Activity Log as soon as compliance is set:

Server_activity_log1.gif

The following figure shows the Activity Log when compliance configuration is in progress:

Server_activity_log2.gif

The following figure shows the Activity Log when compliance configuration is completed:
Server_activity_log4.gif

The following table lists the activities that take place when you configure compliance for the two servers shown in the preceding figure:

Activity                                          | Description
--------------------------------------------------|------------------------------------------------------------------
Server - Server Activity                          | Main job triggered to configure compliance on both servers
Server - byqcert-1                                | Compliance configuration job on the first server
Server - sant -1                                  | Compliance configuration job on the second server
Service - Windows 2008 with Custom Inputs -1      | Service affected by the compliance configuration job on the first server
Service - SantoshKamble - 1                       | Service affected by the compliance configuration job on the second server


Interpreting the compliance result

Cloud administrators, tenant administrators, and end users can view the compliance results displayed for each server as well as for each service. Compliance for a server is a direct reflection of the results fetched from BMC Server Automation. The compliance percentage for a server is calculated as the total number of successful rules divided by the total number of rules.

For example, consider a server that has PCI and CIS configured, each with 100 rules. After both the PCI and CIS jobs complete, suppose that the numbers of successful rules are 85 and 91 respectively. The compliance percentage for the server is then calculated as 176/200 = 88.00%.
Viewing_server_compliance.gif

In the case of a service, the lowest compliance percentage attained by any of its servers is displayed.

Viewing_service_compliance.gif

Icons in the COMPLIANCE RESULT column indicate the overall compliance for the servers on which compliance is configured.

  • A green check mark (compliant_icon.gif) indicates that the server is COMPLIANT.
  • An orange check mark (compliant_with_failures_icon.gif) indicates that the server is COMPLIANT_WITH_FAILURES. You should monitor those failures and consider improvements to raise the overall compliance health.
  • A red check mark (non_compliant_icon.gif) indicates that the server is NON_COMPLIANT.
  • A grey check mark (unknown_compliance_icon.gif) indicates that the server compliance is UNKNOWN. BMC Cloud Lifecycle Management cannot determine the compliance for that server because the compliance job failed or has not yet run.

Interpreting the Server Compliance state (Server COMPLIANCE RESULT column in the EUP)

  • If all the jobs are in the NOT_RUN state (-), the Server state is NOT_RUN (-).
  • If one of the jobs is in the COMPLIANT state and all the remaining jobs are in the NOT_RUN state, the Server state is COMPLIANT.
  • If one of the jobs is in the NON_COMPLIANT state, the Server state is NON_COMPLIANT, irrespective of the other job states.
  • If one of the jobs is in the UNKNOWN state, the Server state is UNKNOWN.

Interpreting the Service Compliance state (Service COMPLIANCE RESULT column in the EUP)

  • If all the servers are in the NOT_RUN state, the Service state is NOT_RUN.
  • If one of the servers is in the COMPLIANT state and all the remaining servers are in the NOT_RUN state, the Service state is COMPLIANT.
  • If one of the servers is in the NON_COMPLIANT state, the Service state is NON_COMPLIANT, irrespective of the other server states.
  • If one of the servers is in the UNKNOWN state, the Service state is UNKNOWN.

Interpreting the Server/Service Job state (COMPLIANCE JOB STATUS column in the EUP)

  • If all the jobs are in the COMPLETED state, the COMPLIANCE JOB STATUS is COMPLETED.
  • If one of the jobs is in the NOT_RUN state and all the remaining jobs are in the COMPLETED state, the COMPLIANCE JOB STATUS is CONFIGURED_NOT_RUN.
  • If one of the jobs is in the FAILED state, the COMPLIANCE JOB STATUS is FAILED, irrespective of the other job states.
Notes

The compliance result is computed from the number of rules that succeed, not from individual rules. Therefore, if a user has added the same rule multiple times in different jobs, the compliance result shows the rule failure for each occurrence.

When a compliance standard is associated with a server, two automated tasks are performed:

  • Adding the server to the smart group designed for the Compliance job
  • Running an internal Discovery job, which qualifies the server for a specific compliance template. If the Discovery job fails, the compliance result for the server is not computed. The BMC Server Automation administrator must correct the anomalies, which are generally due to a mismatch such as a Windows 2008 template being validated against a server running Windows 2012 R2.

 


Customizing configuration for compliance

The cloud administrator can set the compliance results interval and compliance threshold percentages by updating the following properties in the providers.json file.

  • BBSA_OPS_COMPLIANCE_RESULT_FETCH_INTERVAL: Specifies the interval in minutes after which the Platform Manager checks with BMC Server Automation for compliance results from the Compliance Jobs.
  • COMPLIANCE_PERCENTAGE_THRESHOLD_MAX: Specifies the compliance limit in terms of percentage. Percentage values equal to and greater than this specified value are considered to be COMPLIANT.
  • COMPLIANCE_PERCENTAGE_THRESHOLD_MIN: Specifies the compliance limit in terms of percentage.
    • Percentage values equal to or greater than this specified value but less than COMPLIANCE_PERCENTAGE_THRESHOLD_MAX are considered to be COMPLIANT_WITH_FAILURES.
    • Percentage values less than this specified value are considered to be NON_COMPLIANT.

      The following figure shows the compliance thresholds pictorially:
      Compliance_thresholds.gif
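The following Python script is an added example, not BMC's code or part of this documentation. It models how the values described on this page fit together: the server percentage formula and the 176/200 = 88.00% worked example from the Interpreting the compliance result section, the state roll-up rules for jobs, servers, and services, the COMPLIANCE JOB STATUS rules, and the two providers.json thresholds just described. The threshold values, the way a single job's state is derived from its own pass ratio, and the placement of COMPLIANT_WITH_FAILURES in the roll-up order are assumptions made for the example; the page does not state them. The sample job results are constructed.

```python
# Added example (not BMC's code): a model of the compliance roll-up described on
# this page. Page-derived: the percentage formula, the aggregation rules, and the
# providers.json threshold names. Assumed: the threshold values, per-job state
# derivation, and how COMPLIANT_WITH_FAILURES ranks during aggregation.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed sample thresholds; the product defaults are not stated on the page.
COMPLIANCE_PERCENTAGE_THRESHOLD_MAX = 90.0
COMPLIANCE_PERCENTAGE_THRESHOLD_MIN = 70.0


@dataclass
class JobResult:
    """One Compliance Job's last run on one server (constructed data model)."""
    name: str
    status: str        # "COMPLETED", "NOT_RUN" or "FAILED"
    passed: int = 0    # rules that succeeded; meaningful only when COMPLETED
    total: int = 0     # rules evaluated; meaningful only when COMPLETED


def classify(pct: float,
             thr_max: float = COMPLIANCE_PERCENTAGE_THRESHOLD_MAX,
             thr_min: float = COMPLIANCE_PERCENTAGE_THRESHOLD_MIN) -> str:
    """Map a percentage to a result using the two providers.json thresholds."""
    if pct >= thr_max:
        return "COMPLIANT"
    if pct >= thr_min:
        return "COMPLIANT_WITH_FAILURES"
    return "NON_COMPLIANT"


def job_state(job: JobResult) -> str:
    """Assumption: FAILED -> UNKNOWN, NOT_RUN -> NOT_RUN, and a COMPLETED job
    is classified by its own pass ratio against the thresholds."""
    if job.status == "FAILED" or (job.status == "COMPLETED" and job.total == 0):
        return "UNKNOWN"
    if job.status == "NOT_RUN":
        return "NOT_RUN"
    return classify(100.0 * job.passed / job.total)


def server_percentage(jobs: List[JobResult]) -> Optional[float]:
    """Page formula: successful rules / total rules, summed across all completed
    jobs (a rule present in several jobs therefore counts once per job)."""
    done = [j for j in jobs if j.status == "COMPLETED" and j.total > 0]
    if not done:
        return None
    return round(100.0 * sum(j.passed for j in done) / sum(j.total for j in done), 2)


def aggregate_state(states: List[str]) -> str:
    """Page rules in precedence order; the same rules roll jobs up to a server
    and servers up to a service."""
    if not states or all(s == "NOT_RUN" for s in states):
        return "NOT_RUN"
    if "NON_COMPLIANT" in states:             # overrides every other state
        return "NON_COMPLIANT"
    if "UNKNOWN" in states:                   # one failed/unrun-able job taints the roll-up
        return "UNKNOWN"
    if "COMPLIANT_WITH_FAILURES" in states:   # assumption: page does not cover this mix
        return "COMPLIANT_WITH_FAILURES"
    return "COMPLIANT"                        # at least one COMPLIANT, rest NOT_RUN


def job_status(jobs: List[JobResult]) -> str:
    """COMPLIANCE JOB STATUS column: FAILED wins, then CONFIGURED_NOT_RUN."""
    statuses = {j.status for j in jobs}
    if "FAILED" in statuses:
        return "FAILED"
    if "NOT_RUN" in statuses:
        return "CONFIGURED_NOT_RUN"
    return "COMPLETED"


def service_percentage(servers: Dict[str, List[JobResult]]) -> Optional[float]:
    """A service displays the lowest percentage among its servers."""
    pcts = [p for p in (server_percentage(j) for j in servers.values()) if p is not None]
    return min(pcts) if pcts else None


def service_state(servers: Dict[str, List[JobResult]]) -> str:
    server_states = [aggregate_state([job_state(j) for j in jobs])
                     for jobs in servers.values()]
    return aggregate_state(server_states)


# Constructed sample: the page's worked example (PCI 85/100, CIS 91/100) on one
# server, plus a second server whose DISA job has not run yet.
SAMPLE_SERVICE: Dict[str, List[JobResult]] = {
    "web-01": [JobResult("PCI_Daily", "COMPLETED", 85, 100),
               JobResult("CIS_Daily", "COMPLETED", 91, 100)],
    "web-02": [JobResult("DISA_Weekly", "NOT_RUN")],
}

if __name__ == "__main__":
    for name, jobs in SAMPLE_SERVICE.items():
        print(name, server_percentage(jobs),
              aggregate_state([job_state(j) for j in jobs]), job_status(jobs))
    print("service", service_percentage(SAMPLE_SERVICE), service_state(SAMPLE_SERVICE))
```

With the assumed thresholds, the page's 88.00% server lands in COMPLIANT_WITH_FAILURES (below the 90 MAX, above the 70 MIN), the second server stays NOT_RUN, and the service inherits both the lowest percentage and the weaker state. Raising COMPLIANCE_PERCENTAGE_THRESHOLD_MIN is the lever that turns a tolerated partial failure into a NON_COMPLIANT result that operators will notice.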



Decommissioning compliance

The cloud administrator must perform the following steps to decommission the compliance jobs for several servers at a time:

  1. Navigate to My Cloud Services console > My Resources tab > Resource list.
  2. Select one or more check boxes to the left of the servers list.
  3. Click the Actions menu.
    The Actions menu appears on specific column values depending on the context.
  4. Select Configure Compliance from the menu.
  5. On the Configure Compliance dialog box, under the Search Compliance Jobs field, clear the check boxes for the existing compliance jobs.
  6. Click OK.


BMC Cloud Lifecycle Management 4.6