Configuration roadmap for continuous compliance for servers

Tip

Click here to create a PDF of this topic.

This topic provides a high-level description of the configuration tasks required to implement the BMC Continuous Compliance for Servers solution, part of Compliance Automation. Prior to configuring the solution, ensure that you have completed the installation tasks described in Installation-roadmap-for-continuous-compliance-for-servers.

The following sections describe the configuration tasks that are required to implement the Continuous Compliance for Servers workflows, and provides pointers to publications with detailed instructions:

Step 1: Configure a grid

After the BMC Atrium Orchestrator platform components are installed and running, configure a grid. The grid distributes information across the BMC Atrium Orchestrator components. See Managing-grids in the BMC Atrium Orchestrator online documentation.

Step 2: Verify logon account IDs

Verify that you have a BMC Remedy ITSM administrative logon ID. During the BMC Continuous Compliance for Server Automation solution installation, this account is used to export the ITSM templates.

Step 3: Configure BMC Remedy ITSM

In BMC Remedy ITSM, do the following:

 Task

 Description

Configure group auto assignments for change tickets

  1. From the BMC Remedy IT Home window, click Application Administration Console.
  2. On the Application Administration Console, click the Custom Configuration tab and select Foundation > Configure Assignment > Configure Application Assignment to open the Configure Application Assignment window.
  3. From the Event Details menu, select Infrastructure Change Manager, and select a status of Enabled.
  4. In the Assignment section, select Support Company, Support Organization, and Assigned Group.
  5. In the Routing Order section, select Contact Company and Company, and complete the optional fields with appropriate values.
  6. Check Yes for Change Management and for Available Systems.
  7. Click Save and Close.
  8. Repeat step 1 through step 7, however in step 3, select Infrastructure Change coordinator from the Event Details menu.

Configure group auto assignments for incidents

  1. From the BMC Remedy AR System IT Home window, click the Application Administration Console.
  2. On the Application Administration Console, click Custom Configuration tab and open Configure Application Assignment window.
  3. From the Event Details menu, select Incident Owner, and select Enabled as the status.
  4. In the Assignment section, select the Support Company, Support Organization, and Assigned Group.
  5. In the Routing Order section, select Contact Company and Company, and complete the optional fields with appropriate values.
  6. From the Available Systems section, check Yes for Incident Management, User Service Restoration, User Service Request, Infrastructure Restoration, and Infrastructure Event.
  7. Click Save and Close.

Review and verify the BMC Remedy artifacts

Prior to configuring BMC Remedy ITSM, you must use the Content Installer to install the BMC Remedy artifacts.

When you run the installer, you select values for the key fields to customize the pre-configured BMC Remedy artifacts required by the solution. For descriptions of the artifacts, see BMC Remedy artifacts. For installations requiring a custom solution, or to complete the ITSM configuration, use the BMC Remedy ITSM Application Administration Console to create and configure a new company, create a template, or modify existing templates.

Warning: When changing template settings, BMC recommends backing up the default templates modifying the template values. Do not change the default user group BMC Server Automation role. Changing the user group role causes the system to fail to perform as expected.

To customize BMC Remedy ITSM templates, complete the following steps:

  1. From the BMC Remedy IT Service Management Application Administration Console, select Custom Configuration > Change Management System > Template > Template.
  2. Double-click Template, then select the template to modify.
  3. Click View, and then change the template values as required.
  4. When you have finished modifying the template, click Save.

For details about the BMC Remedy artifacts, see Artifact-and-configuration-reference-for-Continuous-Compliance-for-Server-Automation.

Back to top

Step 4: Export and enable the required adapters

In BMC Atrium Orchestrator, use Grid Manager to complete the configuration of the following required adapters:

  • BMC Remedy AR System application adapter
  • BMC Remedy Monitor adapter
  • BMC Atrium Orchestrator BladeLogic Operations Manager adapter
  • BMC Atrium CMDB adapter
  • SNMP Monitor adapter
  • File adapter
  • Web Services adapter 

For details on configuring these adapters for the solution, see Configuring-adapters-for-the-Continuous-Compliance-for-Server-Automation-solution.

Step 5: Configure the connection between BMC Server Automation and BMC Atrium Orchestrator

Through the BMC Server Automation Console, you must add the configuration information required to connect to BMC Atrium Orchestrator.

Task

Description

Configure job approval for job types

The Approval Configuration option enables you to configure whether or not jobs of a given type require BMC Remedy ITSM approval. By default, the approval for each supported job type is turned off. 

To enable or disable the BMC Remedy ITSM job approval capability at the job type level, perform the following steps:

  1. From the BMC Server Automation Console, select Configuration > Approval Configuration.
  2. On the Job Approval Required Configuration dialog, set the Approval Required option for each available job type.
  3. Click OK.

All job types with Yes specified for the Approval Required option require that you complete the Approval tab information in the job wizard.

Assign job approval permissions

Use this procedure to assign permissions to different Continuous Compliance for Server Automation users for integrating job execution with BMC Remedy ITSM.

Assign the appropriate approval type to each user role. When that user logs on, only the job approval type assigned for the user role is listed when running the job wizard.

  1. In the RBAC Manager workspace of the BMC Server Automation Console, select Roles.
  2. Right-click a role and select Open.
  3. On the General tab, click the Systems sub-tab.
  4. To enable specific BMC Remedy ITSM job approval permissions to users with this role, choose and assign the relevant combination of authorizations from the ApprovalType.* family of authorizations.
    1. Select any of the following authorizations in the the Available Authorizations list. Use Shift-click or Control-click to select multiple items.
      • ApprovalType.Automatic
      • ApprovalType.Manual
      • ApprovalType.Emergency
      • ApprovalType.NoApproval
    2. Click the right arrow to move your selections to the Selected Authorizations list.
      For example, you might create a role for junior operators that has only Manual permission, ensuring that any jobs that they initiate are reviewed and approved by BMC Remedy ITSM before execution. By default, the BLAdmins Role has all approval permissions.
  5. Save the role.

Set up the connection to BMC Atrium Orchestrator

Using the BMC Server Automation Console, you must add the configuration information required to connect to BMC Atrium Orchestrator.

The integration between BMC Continuous Compliance for Server Automation and BMC Atrium Orchestrator supports connections to a single grid only. The connection with BMC Atrium Orchestrator is established through the CDP or through a high availability CDP (HACDP). Other types of peers are not supported.

  1. From the BMC Server Automation Console, ensure that your role is granted the AOConfig.* and the AutomationPrincipal.* authorizations.
  2. Select Configuration > AO Configuration.
  3.  On the AO Configuration dialog box, click Add.
  4.  On the Add new AO configuration dialog box, enter the configuration information required to connect to BMC Atrium Orchestrator, and then click OK.
    • Host - IP address or fully-qualified host name of the BMC Atrium Orchestrator CDP server.
    • Port - Port number used to connect to the BMC Atrium Orchestrator CDP.
    • Grid Name - Name defined for the BMC Atrium Orchestrator grid. Specify the name of a grid only if this is the first defined CDP connection.
      For additional CDP connections (see step 4), this field is read-only, as all defined connections must be on the same grid.
    • User Name - Name of the BMC Atrium Orchestrator user used to log on to the CDP. This user must be associated with the ADMIN role in BMC Atrium Orchestrator.
    • Password - BMC Atrium Orchestrator password for the specified user.
    • Time-out - Amount of time, in seconds, before a BMC Continuous Compliance for Server Automation job that connects to BMC Atrium Orchestrator times out.
      The default is 300 seconds (5 minutes).
    • Primary AO - Specifies this CDP as the primary instance. In a high-availability environment with multiple CDP instances, ensure that you select the correct CDP, as defined in BMC Atrium Orchestrator.
    • SSL enabled? - Specifies if the connection to the CDP is SSL-enabled and based on an HTTPS connection (as described in Enabling HTTPS support for the BMC Atrium Orchestrator connection).
  5. To test if you can connect to the CDP using the host, port, grid name, user name, and password details that you specified, click Check Connection.
  6. To add additional CDP connections to BMC Atrium Orchestrator to ensure high availability, repeat step 2 and step 3 for each additional CDP instance of the same grid.
    If you define multiple BMC Atrium Orchestrator CDP instances, ensure that only one of your CDPs is set as the primary instance (using the Primary AO check box). Multiple CDPs installed on a grid form a High Availability (HACDP) environment and allow communication to continue even if a connection with one CDP fails.
  7. In the AO Configuration dialog box, click OK to save your changes and close the dialog box.

Enable HTTPS support on BMC Atrium Orchestrator

To secure the communication of data between BMC Continuous Compliance for Server Automation and BMC Atrium Orchestrator, you must enable an HTTPS connection on both products.

Note: The required steps vary, based on the decisions that you made regarding the BMC Atrium Orchestrator version during its installation. If you are using BMC Atrium Orchestrator 7.6, complete the steps below. If you are using BMC Atrium Orchestrator 7.7, the required actions depend on whether HTTPS was left enabled (the default option) during the installation. 

Click here for more information, if you are using Atrium Orchestrator 7.7.

You can verify that HTTPS support is enabled by checking the Apache Tomcat server's server.xml file and looking for the following line: 
Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

 

  1. On the system where the BMC Atrium Orchestrator CDP is installed, create the keystore file by entering a command such as the following example:
    keytool -genkey -alias w2k3-sp-vm5 -dname "cn=w2k3-sp-vm5"
    -keyalg RSA -keystore C:\.keystore -storepass changeit
    The value entered for the -dname option must match the host name where the BMC Atrium Orchestrator CDP is installed. In this example, the value is w2k3-sp-vm5.

  2. Enable HTTPS on an Apache Tomcat server by completing the following steps:

    1. Open the server.xml file.

    2. Uncomment the following block of configuration information 

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
      maxThreads="150" scheme="https" secure="true" 
      clientAuth="false" sslProtocol="TLS" keystoreFile="C:\.keystore" truststoreFile=
      "C:\Program Files\Java\jdk1.5.0_13\jre\lib\security\cacerts" />

    3. Add two attributes as follows:
    • The keystoreFile attribute to point to the location where the keystore file resides.
    • The truststoreFile attribute to point to the CA-issued certs in the JDK installation location.
  3. Restart the BMC Atrium Orchestrator CDP.

Enable HTTPS support for BMC Atrium Orchestrator on BMC Server Automation

  1. If BMC Atrium Orchestrator is installed on a different computer, copy the C:\.keystore file from the BMC Atrium Orchestrator CDP system to the system where the BMC Server Automation Application Server is installed.

  2. On the Application Server, export the public certificate from the keystore file generated for BMC Atrium Orchestrator to a temporary file by entering a command such as the following example:

    keytool -export - alias w2k3-sp-vm5
    - file C:\cert.csr -keystore C:\. keystore
    -storepass changeit

    In the command shown above, note the following:

    • file is the name and location of the certificate file that will be created from this command.
    • keystore is the keystore file name and location that you created for BMC Atrium Orchestrator.
    • alias is the name used to distinguish certificates.

  3. Add the public certificate from the temporary file to the trusted certificate file by entering a command such as the following example:

    keytool \-import \-alias w2k3-sp-vm5 \-file C:\cert.csr
    \-keystore "<keystorePath>"\-keypass changeit

    where <keystorePath>is one of the following, depending on operating system:

    • (Linux) — For a Linux Application Server use 
      <installationDirectory>/NSH/br/java/lib/security/cacerts 
      (for example /opt/bmc/bladelogic /NSH/br/java/lib/security/cacerts) to install certificates.
    • (Windows) — For a Windows Application Server, refer to the path shown in the registry value for 
      SOFTWARE>BladeLogic> Operations Manager >
      Application Server>-Djava.home      .
      Within this path, look for the lib/security/cacerts directory.
      This is the directory into which you install the certificates.

  4. To check if the certificate is added to the cacerts file, enter the following command:

    keytool \-list \-keystore <keystorePath>

  5. Restart the BMC Server Automation Application Server.

Back to top

Step 6: Activate and configure the required modules using Grid Manager

Before you can use the BMC Continuous Compliance for Server Automation solution, ensure that the modules are properly integrated to work with the BMC Remedy ITSM system by activating the modules on the grid.

To activate modules on the grid:

  1. Using Grid Manager, select Manage > Modules.
  2. From the Modules in Repository list, select the modules required for the run book (shown in the list below), and then click Activate.
    1. AMP-AD-BMC-Remedy-ARS
    2. AutoPilot-AD-BMC_Atrium_CMDB
    3. AutoPilot-AD-Utilities
    4. AutoPilot-OA-Change_Management
    5. AutoPilot-OA-Common_Utilities
    6. AutoPilot-OA-Configuration_Management
    7. AutoPilot-OA-Incident_Management
    8. AutoPilot-OA-Task_Management
    9. BMC_BladeLogic-AD-Operations_Manager
    10. BladeLogic-SA-ITSM_Integration
    11. Closed_Loop_Server-SA-Audit
    12. Closed_Loop_Compliance-SA-Servers
    13. Closed_Loop_Compliance_ITSM_Integration
    14. Server_Incident-SA-Enrichment

You must configure the modules. For details on how to perform this task, see Updating-module-configuration-for-Continuous-Compliance-for-Server-Automation

If you modify the modules, you must export them to the repository to make the updated modules are available on the grid. Using the Import and Unbundle function in BMC Atrium Orchestrator Development Studio, export the modules to the repository. If you import the modules directly from a local disk, they are not available to peers until you export them to the repository. For more information about exporting modules to a repository, see Administering in the BMC Atrium Orchestrator online documentation.

Step 7: Configure BMC Server Automation templates and jobs for the solution

To use the BMC Continuous Compliance for Server Automation solution you must create the following items in the BMC Server Automation system, according to the use cases you want to implement.

To learn more about audit and compliance in BMC Server Automation, click here.

BMC Server Automation provides powerful compliance and audit analysis tools. The following table provides an overview of the compliance and audit analysis capabilities.

Topic

Description and more information

Compliance

Compliance analysis and remediation are performed based on BMC Server Automation components and component templates. Component templates contain the relevant compliance rules that you want your servers to adhere to, and components encapsulate just the right amount of server configuration to render your Compliance Jobs simple yet powerful.

  • To analyze operational compliance, you create custom component templates that contain the compliance rules for your internal corporate policies. Operational compliance involves tracking the properties of operating system objects, such as files, configurations, user accounts, or services.
  • To analyze regulatory compliance or security compliance, you use the prebuilt component templates offered by BMC. These templates facilitate compliance analysis when you must adhere to an industry-defined compliance policy, such as CIS, DISA, HIPAA, PCI, or SOX.
  • For additional information about building your compliance templates, see Working with components and component templates in the BMC Server Automation online technical documentation.

Audit

Using Audit Jobs, you can:

  • Compare components, servers, or snapshots to determine if their configurations match a standard configuration.
  • Identify discrepancies between server configurations. When you identify discrepancies, you can bundle the necessary changes into a BLPackage and deploy those changes to a server so its configuration matches the standard configuration.
  • Perform a security function by quickly identifying unauthorized changes to server configurations.
  • Determine if a server configurations match a standard configuration. For more information about defining Audit Jobs, see Creating Audit Jobs in the BMC Server Automation online technical documentation.

Audit requirement

Performing an audit requires you to identify a master--that is, a server with a standard configuration that is used as the basis of comparison. The procedure for identifying a master depends on how you define an Audit Job.

  • If you define an Audit Job by selecting live server objects, you must select a server or a snapshot as the master server.
  • If you define an Audit Job by selecting one or more component templates, you must select one or more components or snapshots that act as a master.

Task

Description

Create new job properties

For the Closed Loop Server Audit and Closed Loop Server Compliance modules, you must add job properties for Batch and Deploy Job system objects in BMC Server Automation, as follows:

  1. From the Configuration menu, access the BMC Server Automation Console and select Property Dictionary View.
  2. Under Built-in Property Classes, expand the Jobs folder.
  3. Select the Batch Job system object.
  4. Click the Add New Property icon to add the CHANGE TICKET ID property.
  5. In the Add Property window:
    1. In the Name filed, enter CHANGE TICKET ID
      This property is used by the Closed Loop Server Audit module and Closed Loop Server Compliance module.
    2. Under Type, click Simple and select String.
    3. Click OK.
  6. Click the Add New Property icon to add the COMPLIANCE JOB NAME property.
  7. In the Add Property window:
    1. In the Name filed, enter COMPLIANCE JOB NAME.
      This property is used by the Closed Loop Server Compliance module. 
    2. Under Type, click Simple and select String.
    3. Click OK.
  8. Repeat the procedure for the Deploy Job system object.

Create an Audit component template

To create an audit component template

  1. Open the BMC Server Automation Console and select the Component Template workspace.
  2. Right-click a component templates folder, and select New > Component Template from the menu.
  3. In the Create New Component Template wizard, in the Create New Component Template (General) window:
    1. Provide a name, description and version (if applicable).
    2. In the Allowed Operations section, select DiscoverBrowseSnapshot, and Audit.
    3. Click Next.
  4. In the Create New Component Template (Parts) window:
    1. Click the plus (+ ) sign to add parts to the template.
    2. Select one or more parts from the following objects:
      Servers
      Snapshot Jobs
      Local Config Files
      Local Extended Objects
      Local Server Objects
    3. Click OK to close the Add Part window. You can customize your preferences for each part by clicking the part. The preferences for the selected part appear in the Options section. Select or clear options as needed. Depending on the part selected, you might not have any options associated with that part.
    4. Click Next.
  5. In the Create New Component Template (Properties) window:
    1. Confirm that the component template properties you have selected are correct. To make changes, click Back to return to the previous step.
    2. Click Next.
  6. In the Create New Component Template (Permissions) window, click Finish. This window provides information about the access control list.

Create an Audit Job

The following are the requirements for creating the Audit Jobs used by the Closed Loop Server Audit module:

  • Component templates with identical names cannot be used in the same Audit Job.
  • The Audit Job must be configured to send SNMP traps for Job Run Notifications and not Audit Results Notifications. The Audit Job run notifications are sent when an Audit Job run is successful, fails, or is aborted.
  • The Send SNMP Trap to setting must be sent to the server name or IP address of your BMC Atrium Orchestrator CDP server. However, the verification job must not send out a job completion notification.

To create the Audit Job:

  1. Start the BMC Server Automation Console, and select the Jobs workspace.

  2. Right-click the Jobs folder and select New > Job Folder to add a new job folder Audit Jobs. You can also use an existing folder to create the Audit Jobs.

    Note

    Ensure that the job folder locations match the location specified in the Closed Loop Server Audit module job group configuration items (Remediation_Job_Group) described in Updating run book module configurations.


  3. Select the Component Template workspace and select one audit template.
  4. Right-click the template and select Discover.
  5. In the New Component Discovery Job window, provide a job name, and Save in folder details and click Next.
  6. Specify the template, the target servers, and default notifications on the following wizard pages.
  7. On the Schedules page, select Execute Job Now and click Finish.
  8. After the Discovery Job executes successfully, select the Jobs workspace.
  9. Select the Audit Job folder, right-click and select New > Audit Job.

  10. In the New Audit Jobs (General) window:

    1. Provide a name and description for the Audit Job.
    2. Select a folder location to save the Audit Job.
    3. Under Select Audit Job Type, select Audit components.
    4. Under Number of Targets to Process in Parallel, select one of the following options:

      • Select Unlimited to run the job on as many targets as possible simultaneously.
      • Select Limited and specify a number in the field to the right. That number sets the maximum number of targets on which the job can run simultaneously.
    1. Click Next.
  11.  In the New Audit Jobs (Component Templates for Filtering) window:
    1. Select the component template that you used in step 3 for Audit Jobs.
    2. To add the selected template, use the > arrow button .
    3. Click Next.
  12. In the New Audit Jobs (Masters) window:
    1. Select the component of the Master server.
    2. Click Next.
  13. In the New Audit Jobs (Targets) window:
    1. Select the target server on which you want to execute the Audit Job.
    2. To add the selected target, use the > arrow button.
    3. Click Next.
  14. In the New Audit Jobs (Default Notification) window:
    1. Under Job Run Notifications, select Send SNMP trap to and enter the server name or IP address of your BMC Atrium Orchestrator CDP server. The server that you enter must be a BMC Atrium Orchestrator CDP server with an SNMP Monitor adapter enabled.
    2. For the When status is option, select SuccessFailed, and Aborted.
    3. Click Next.
  15. In the New Audit Jobs (Schedules) window:
    1. Select Execute job now or click the add icon (+ ) to set a schedule.
    2. To add a schedule, click the Schedule tab and select an option for scheduling the Audit Job run.
    3. Click OK.
    4. Click Next. (If you are not modifying default permissions, you can click Finish.)
  16. In the New Audit Jobs (Properties) window:
    1. Confirm the properties you have selected. To make changes, click Back to return to the previous step.
    2. Click Next.
  17. In the New Audit Jobs (Permissions) window:
    1. Confirm the information about your access control list.
    2. Click Finish. The Audit Job is created.

To create the Audit verification job

For each Audit Job you create, you must also create a corresponding Audit verification job that is used to verify the remediation job results. This Audit Job is used for the Verify Audit Discrepancies after Remediation workflow.

  1. Start the BMC Server Automation Console, and select the Jobs workspace.
  2. In the Audit folder, right-click the Audit Job you just created and select Copy.
  3. Paste the job into the Audit folder, and open the copied job file.
  4. On the General tab, rename the Copy of jobname file, adding the word Verify after the original Audit Job name. For example, if the name of the Audit Job is AuditJob, the audit verification file name must be AuditJobVerify.
  5. On the Default Notifications tab, remove all of the SNMP Job Run Notification settings.
  6. Save and close the audit verification job.

Create a Compliance component template

To create a compliance component template, complete the following steps:

  1. Open the BMC Server Automation Console and select the Component Template folder.
  2. Right-click a component templates folder, and select New > Component Template from the pop-up menu.
  3. In the Create New Component Template wizard, on the Create New Component Template (General) window:
    1. Provide a name, description and version (if applicable).
    2. In the Allowed Operations section, select DiscoverBrowseSnapshot, AuditCompliance, and Allow Auto-remediation (the Allow Remediation option is checked automatically).
    3. Click Next.
  4. In the Create New Component Template (Parts) window:
    1. Click the plus (+ ) sign to add parts to the template.
    2. Select one or more parts from the following objects:
      Servers
      Snapshot Jobs
      Local Config Files
      Local Extended Objects
      Local Server Objects
    3. Click OK to close the Add Part window. You can customize the preferences for each part by clicking the part. The preferences for the selected part appear in the Options section. Select or clear options as needed. Depending on what you select, there might not be any options associated with that part.
    4. Click Next.
  5. In the Create New Component Template (Properties) window:
    1. Confirm that the component template properties you have selected are correct. To make changes, click Back to return to the previous step.
    2. Click Next.
  6. In the Create New Component Template (Permissions) window, click Finish. Information about the access control list appears.
  7. To add a compliance rule for the template:
    1. Right-click the new component template and select Open.
    2. Select the Compliance tab.
    3. Do one of the following: 
      1. To add a new compliance rule, click Add New Compliance Rule g_V95_AddComplianceRuleIcon.gif.
      2. To edit an existing compliance rule, select the rule and click Edit Selected Item g_V95_UpdateIcon.gif
        The Compliance Rule Editor panel opens.
    4. Define (or edit) the compliance rule through the tabs that appear at the bottom of the Compliance Rule Editor panel, according to the compliance rules for your internal corporate policies. For examples for adding compliance rules, see Examples for creating compliance rules in the BMC Server Automation online technical documentation.
    5. Click Save g_v95_saverules.gif after you have finished defining the rule.
  8. Switch back to the component template editor and click Save to save the component template.

Create a Compliance Job

  1. Start the BMC Server Automation Console, and select the Jobs workspace.

  2. Right-click the Jobs folder and select New > Job Folder to add a new job folder for Compliance Jobs. You can also use an existing folder to create the Compliance Jobs.

    Note

    Ensure that the job folder locations match the location specified in the Closed_Loop_Compliance-SA-Servers module job group configuration items (Remediation_Job_Group) described in Updating run book module configurations.


  3. Select the Component Template workspace and select one compliance template.
  4. Right-click and select Discover.
  5. In the New Component Discovery Job window, provide a name for the job and a location in the Save in folder field, and click Next.
  6. Specify the template, the target servers, and default notifications on the subsequent wizard pages.
  7. On the Schedules page, select Execute Job Now and click Finish.
  8. After the discovery job executes successfully, select the Jobs workspace.
  9. Select the Compliance Job folder, right-click, and select New > Compliance Job.
  10. In the New Compliance Jobs (General) window:
    1. Provide a name and description for the Compliance Job.
    2. Select the folder where you want to save the Compliance Job.
    3. Under Number of Targets to Process in Parallel, select Unlimited to run the job on as many targets as possible simultaneously.
    4. Click Next.
  11. In the New Compliance Jobs (Component Templates for Filtering) window:
    1. Select the component templates that form the basis of the Compliance Job.
      Note: For the template to appear on this panel, Compliance operations must be enabled for the template. If the template does not appear, open the template and select the Compliance check box on the General tab. For remediation settings to be enabled (in a subsequent step), select also the Allow Remediation and the Allow Auto-Remediation check boxes.
    2. Use the > arrow button to add the selected template.
    3. Click Next.
  12. In the New Compliance Jobs (Components) window:
    1. Select the servers on which you want to run the Compliance Job.
    2. Click Next.
  13. In the New Compliance Jobs (Auto-remediation) window:
    1. Select the Remediate after compliance analysis completes option to enable automatic remediation of any compliance rule failures that the Compliance Job discovers.
      Note: For this option to be available, the Allow Remediation and the Allow Auto-Remediation check boxes must be selected on the General tab of the component template (see Step 11 (a) for details).
    2. In the Remediation name field, enter a name for the remediation package.
    3. In the Save package in field, select a folder in which to save the remediation package (provided that you already associated a remediation package with the relevant rule, within rule definitions).
    4. In the Save remediation/deploy job in field, select a folder in which to save the Deploy Job for the remediation package.
    5. Click Next.
  14. In the New Compliance Jobs (Default Notification) window:
    1. Under Job Run Notifications, select Send SNMP trap to and enter the server name or IP address of your BMC Atrium Orchestrator CDP server. The server that you enter must be a BMC Atrium Orchestrator CDP server with an SNMP Monitor adapter enabled.
    2. For the When status is option, select SuccessFailed, and Aborted.
    3. Click Next.
  15. In the New Compliance Jobs (Schedules) window, click Next to bypass the Schedules window.
  16. In the New Compliance Jobs (Properties) window, click Next to bypass the Properties window.
  17. In the New Compliance Jobs (Permissions) window, click Finish. The Compliance Job is created.
  18. To run the Compliance Job, right-click the job and select Execute

For an example procedure to create a Compliance Job, see Example procedure for creating a Compliance Job in the BMC Server Automation online technical documentation.

After the job completes, BMC Server Automation sends an SNMP trap for each inconsistent server-rule combination.

To create the Compliance verification job

  1. Start the BMC Server Automation Console, and select the Jobs workspace.
  2. In the Compliance folder, right-click the Compliance Job you created and select Copy.
  3. Paste the job into the Compliance folder, and open the copied job file.
  4. On the General tab, rename the Copy of jobname file, adding the word Verify after the original Compliance Job name. For example, if the name of the Compliance Job is ComplianceJob, the compliance verification file name must be ComplianceJobVerify.
  5. On the Default Notifications tab, remove all of the SNMP Job Run Notification settings.
  6. Save and close the compliance verification job.

Create a Compliance remediation Job

A remediation job consists of an instruction set and files required for implementing configuration changes. Configuration changes can consist of additions, deletions, and modifications to any of the server objects. 

Schedule the start date to:

  • Remediate a discrepancy or violation in BMC Remedy ITSM while approving the change request.
  • Schedule the BMC Server Automation remediation jobs.

For additional information, see About remediation packages and remediation jobs in the BMC Server Automation online documentation.

Only one package can exist for each rule in the Compliance component template. There might be some rules in the template that do not have an associated package.

  1. Start BMC Server Automation Console, and select the Depot workspace.
  2. Right-click the Depot folder and select New > BLPackage.
  3. In the Create BLPackage (Package Type) window:
    1. Type a name for the package.
    2. For the Save in field, click the Browse button and navigate to the Depot folder where you want to save the package.
    3. In the Create Package From section, select a method for creating a package, depending on your requirements.
    4. Click Next.
  4. In the Create BLPackage (Components) window:
    1. Click the add icon (+ ) to add one or more components to the remediation package.
    2. Select the components and click OK.
    3. Click Next.
  5. In the Create BLPackage (Package Options) window:
    1. Under the Depot Asset Options, check or uncheck Soft linked. By soft-linking the contents of a BLPackage, you can change the software or server objects referenced by the BLPackage without updating the BLPackage definition. Soft linking is only available for assets stored in the Depot.
    2. Under File Options, check any of the options of characteristics to control how files are managed when a BLPackage is created.
    3. Under Registry Options, check Collect access control list (ACL) attributes to instruct the BLPackage to gather ACLs for Windows registry entries. This option is available only if you are packaging registry information.
    4. Under Patch Package Options, check Include dependent packages to instruct the BLPackage to gather any patches that are prerequisites for the patches you have included in this BLPackage. 
      The BLPackage sequences patches according to their dependencies. This option is available only if you are packaging patches.
    5. Click Next.
  6. In the Create BLPackage (Properties) window, click Next.
  7. In the Create BLPackage (Permissions) window, click Finish to create the remediation package.

For more information about deploying the BLPackage, see Creating and modifying Software and BLPackage Deploy Jobs and Creating a Deploy Job in the BMC Server Automation online documentation.

Back to top

Where to go from here

After you have installed and configured the BMC Continuous Compliance for Server Automation solution, you can execute the Continuous Compliance for Servers use cases.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*