Example of checking servers for PCI compliance


This topic walks you through the process of using BladeLogic Portal to run a Compliance operation that checks whether servers adhere to payment card industry (PCI) standards. When the operation detects non-compliant servers, the topic describes how to correct the problem. The topic includes the following sections:

Introduction

This topic is intended for system administrators who manage server configurations and ensure compliance with corporate and industry standards. The goal of this topic is to use BladeLogic Portal to run a Compliance operation that identifies and eliminates configuration problems.

What is a Compliance operation

A Compliance operation is either based on a component template or a Compliance Job, which in turn is based on a component template. You define both component templates and Compliance Jobs in BMC Server Automation. A Compliance operation compares a set of rules to the configuration of target servers to determine if they comply with each of those rules. If the server is not fully compliant, you can perform a remediation operation to correct some or all of the non-compliant conditions.

What do I need to get started?

For this walkthrough, you need an account to access BladeLogic Portal. The account must have the necessary permissions to perform a Compliance operation.

To perform this walkthrough, a component template used for compliance must be defined in BMC Server Automation. That component template must be set up to allow remediation of non-compliant conditions.

How to check servers for PCI compliance

Step 1

Select Create Operation > Compliance.

The Create Compliance Operation wizard opens.


ComplianceDefinition.gif

Step 2

  1. For Name, enter a name for the operation, such as PCI Compliance Check.
  2. For Security Group, select the role under which you are creating the operation.
    If you are assigned to only one role, this option defaults to that role. No selection is necessary.


ComplianceDefinitionPCI.gif

Step 3

  1. Click Next.
    The wizard displays the Content window. This window lets you select a component template or Compliance Job that has already been defined in BMC Server Automation. In this demonstration we are going to select a component template.
  2. Click the Search tab.
  3. At left, click Template to limit a search to templates.
  4. In the search box, enter a text string that identifies the template and click the search icon Search.gif. For this example, we enter PCI.
  5. A list shows all component templates with names or other information that include the text string.
  6. Select the template you want to use for the Compliance operation. (We select PCI V3 for Windows webserver.)
    When you select a template, the system prompts you to choose a job folder in BMC Server Automation where an automatically created job should be stored. If a default job folder is already defined for your site or security group, you are not prompted for this information.
  7. If you are prompted for a job folder, select one and click OK.

ComplianceContentPCI.gif

Step 4

  1. Click Next to display the Targets window. Use this page to search or browse for targets.
  2. At left, click Server to limit a search to servers.
  3. In the search box, enter a text string that identifies servers and click the search icon Search.gif. For this example, we enter www.
    A list shows all servers whose names or other displayed information include the text string you entered.
  4. From that list, select the servers that should be the targets of the operation. In this example we select only one target server.

ComplianceTargetsPCI.gif

Step 5

Click Execute Now.

The wizard closes. The operation appears on the home page and begins to run.

ComplianceRunning.gif

Step 6

When the operation completes, click View Results.

Operations with many compliance rules and multiple targets can take many minutes to complete.


ComplianceSuccessViewRunning.gif

Step 7

The results page opens. It has five tabs: one for viewing results by target, another for viewing results by rule, a third that shows log messages, a fourth that shows exceptions you can set to compliance rules, and a last tab used for remediation (the term BSA uses for correcting problems detected during compliance operations). We'll come back to the Exceptions and Remediation tabs later.

The pie chart at top left shows you the percentage of compliant targets. In this case there is only one target and it is non-compliant.

When viewing results on the Targets tab, select a target in the list at left. The list at right shows the status of all compliance rules evaluated for that target.

This operation evaluated 42 rules. The PCI compliance templates that BMC provides as "compliance content" evaluate many more rules. For the purposes of this demonstration, we have created a simple example with a smaller number of compliance rules.


ComplianceResults.gif

Step 8

In the list at right, filter the display to show only non-compliant rules by using the drop-down list to select Non-compliant. Notice that the list now says it is showing four rules, filtered from 42.

ComplianceNoncompliantrules.gif

Step 9

Click the Rule Results tab to show results of the operation by rule rather than by server. At the top of the rules list, select Non-compliant to show only non-compliant rules.

Notice that the pie chart at top left has changed from how it appeared for the Targets tab. Now that we are viewing results by rule, the pie chart shows the operation is 90.5% compliant.

ComplianceResultsByRule.gif

Step 10

You can create temporary or permanent exceptions to compliance rules. In this step we create a temporary exception because we know there is a utility that periodically attempts to access our target webserver. Thus the first rule that limits repeated attempts to access the server is not applicable.

  1. For the first rule, click the Actions icon ActionsIcon.gif and select Set Exception. A dialog asks for information.
  2. Provide a name for the exception and specify its expiration date, if the exception is temporary. All other information on the dialog is optional.
  3. Click Set.

The Exceptions tab now shows there is an exception defined.


Exception dialog

ComplianceException.gif

Contents of the Exceptions tab

ComplianceExceptionList.gif

Step 11

If the component template used for this Compliance operation is set up so it allows you to correct problems (BladeLogic calls this remediation), you can attempt to remediate one or more target servers.

  1. Select the Actions menu at the top of the list at left and select Remediate All Rules.
    A dialog asks you to identify a job group and a depot group in BSA. Automatically created remediation objects are stored in those locations.
  2. Identify a job group and a depot group.
  3. Click Execute.

ComplianceRemediateAction.gif

Step 12

The Remediation Operations tab now shows there is a remediation operation.

ComplianceRemediationList.gif

Step 13

On the Remediation Operations tab, click the Execute icon. After the system prompts for confirmation, the operation begins to run.

ComplianceRemediationOperation.gif

Step 14

When the operation completes, click View Results to see the results of the remediation operation. Results show the job was successful.

ComplianceRemediationOperationResults.gif

Step 15

Return to the home page. Find the Compliance operation you defined earlier and run it again by clicking the Execute icon.

The Execute Operation dialog asks you to choose the targets where you want the operation to run. In our example there is only one server, so we just click Execute.

ComplianceExecuteAgain.gif

Step 16

When the operation completes, click View Results. The Targets tab shows the targets are 100 percent compliant.

ComplianceResults2.gif
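As an added illustration (not BladeLogic's own code or API) of why the Targets tab and Rule Results tab pie charts in steps 7 and 9 disagree, and how the exception in step 10 and the remediation in steps 11 through 16 bring both to 100 percent, the following Python model assumes one result per rule per target and an exception that makes its rule count as compliant; it also generalizes to several targets. The target and rule names (www-web01, rule-01, ...) are constructed sample values.

```python
from dataclasses import dataclass, field

# Assumed model of the Portal results page (not BladeLogic's own data model):
# each target has one result per rule; an active exception makes that rule
# count as compliant for the target.

@dataclass
class RuleResult:
    rule: str
    compliant: bool

@dataclass
class TargetResult:
    target: str
    rules: list
    exceptions: set = field(default_factory=set)  # rule names with an exception

    def effective(self, r):
        """A rule is effectively compliant if it passed or has an exception."""
        return r.compliant or r.rule in self.exceptions

    def is_compliant(self):
        return all(self.effective(r) for r in self.rules)

def noncompliant_rules(t):
    return [r.rule for r in t.rules if not t.effective(r)]

def set_exception(t, rule_name):
    t.exceptions.add(rule_name)

def remediate(t, rule_names):
    """Model a successful remediation operation: the named rules now pass."""
    for r in t.rules:
        if r.rule in rule_names:
            r.compliant = True

def compliance_by_target(results):
    """Targets tab pie chart: share of targets with every rule passing."""
    return round(100 * sum(t.is_compliant() for t in results) / len(results), 1)

def compliance_by_rule(results):
    """Rule Results tab pie chart: share of (target, rule) evaluations passing."""
    pairs = [(t, r) for t in results for r in t.rules]
    return round(100 * sum(t.effective(r) for t, r in pairs) / len(pairs), 1)

def build_sample():
    # Constructed sample mirroring the walkthrough: one web server, 42 rules,
    # the first four non-compliant.
    rules = [RuleResult(f"rule-{i:02d}", compliant=i > 4) for i in range(1, 43)]
    return [TargetResult("www-web01", rules)]
```

With the sample, the by-target figure is 0.0 percent while the by-rule figure is 90.5 percent (38 of 42); one exception lifts the by-rule figure to 92.9, and remediating the remaining three rules takes both to 100.0.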

Wrapping it up

Congratulations. In this topic, you used BladeLogic Portal to run a Compliance operation to check PCI compliance of a target server. After the operation completed successfully, you determined that the server was not compliant. You set an exception to one rule and for the other non-compliant rules, you ran a successful remediation operation. Then you ran the original Compliance operation again and it showed the target server was completely compliant. 

Where to go from here

To learn more about defining all types of operations, see Creating-or-modifying-an-operation.
