Walkthrough: Checking servers for SCAP compliance

This topic walks you through the process of using BladeLogic Portal to run a Compliance operation to determine how well servers adhere to the Security Content Automation Protocol (SCAP). This topic includes the following sections:

Introduction
What is SCAP compliance?
What do I need to get started?
How to check servers for SCAP compliance
Wrapping it up
Where to go from here

Introduction

This topic is intended for system administrators. The goal of this topic is to run a Compliance operation to check servers for SCAP compliance.

What is SCAP compliance?

An SCAP Compliance operation measures whether servers adhere to a set of accepted data center security standards called SCAP.

To create an SCAP Compliance operation, you must identify an SCAP Compliance Job that was defined in BMC Server Automation .

You can view SCAP Compliance operation results just like a standard Compliance operation. Results are organized by both target and compliance rule. However, unlike other Compliance operations, there are no built-in remediation options.

SCAP Compliance operation results provide various types of reports . Often these reports are used as input for other automated processes. Most SCAP reports must be exported using an XML format. However, some exports include an XSL file, which allows them to be read easily by humans.

What do I need to get started?

For this walkthrough, you need an account to access BladeLogic Portal. The account must have the necessary permissions to perform a Compliance operation.
To run an SCAP Compliance operation, an SCAP Compliance job must be set up in BMC BladeLogic Server Automation. To export results of the operation, the SCAP Compliance job must be run in Certification Mode, which retains certain files and results that are required by the SCAP analyzer. See here for more information on prerequisites for running SCAP Compliance Jobs in BMC Server Automation.

How to check servers for SCAP compliance

	Step	Example
1	Select Create Operation > Compliance. The Create Compliance Operation wizard opens.
2	For Name, enter a name for the operation. For Security Group, select the role under which you are creating the operation. If you are assigned to only one role, this option defaults to that role and you cannot edit this option
3	Click Next. The wizard displays the Content window. This window lets you select an SCAP Compliance Job that has already been defined in BMC Server Automation. At left, click SCAP Compliance Job to limit the search we are going to perform to SCAP Compliance Jobs. Click the Search tab. In the Search Content box, enter a text string that identifies the job. For this example, we enter SCAP. A list shows all SCAP Compliance Jobs with names or other information that includes the text string. Select the job you want to use for this operation. Note You cannot modify any of the settings for the SCAP Compliance Job you have selected. For example, you cannot change the targets or the schedule. However, if you want to review those settings, you can step through each page of the wizard.
4	Clck Execute Now. The SCAP operation appears on the home page and begins to run.
5	When the operation completes successfully, click the Actions menu, at right, and then select View Results. The results of the operation are divided into three tabs. By default you see results from the perspective of the servers that were analyzed. To see results from the perspective of each rule, click the Rule Results tab. The Run Log tab shows log messages generated during the operation. The graphic at top depicts the percentage of servers or rules that passed, failed, or received another classification during the compliance operation. SCAP Compliance operation results let you export many reports. Some reports are only intended to be read by machine, but others are exported in an XML format along with an XSL file so you can view the report in a browser.
6	One type of report that can be exported and viewed is OVAL results. Open Vulnerability and Assessment Language (OVAL) is an open standard used to normalize the transfer of security information. Identify a target server for which you want to analyze results. On that row, select the Actions icon and then select Analyze OVAL Results. A dialog box opens. Enter an NSH-style path to a file on that that will be created during the export. The file can be created on any server that BSA can access. You must assign a file ending of .xml. Note The portal administrator can define a default export path for your site. If one is defined, you only have to enter a file name. Click Export. The report is exported to the designated location, along with an XSL file that can make the file more easily readable by humans. Access the file in the location that you specified. Using a browser, open the file.
7	Perform a similar procedure to export and view SCAP compliance results for all the servers that the operation analyzed. Select the Actions icon at the top of the Target Results tab. Then select SCAP Compliance Results. This is another report that is human readable. A dialog box opens. Enter an NSH-style path to a file on that that will be created during the export. The file can be created on any server that BSA can access. You must assign a file ending of .xml. For Result Type, specify whether you want to export all results, only results for rules that failed rules, or only results for rules that passed. Select Split Files if you want a separate file to be generated for each server analyzed. Click Export. The report is exported to the designated location, along with an XSLT file that can make the file more easily readable by humans. Access the file in the location that you specified. Using a browser, open the file.

Wrapping it up

In this topic, you used BladeLogic Portal to run an SCAP Compliance operation to check the SCAP status of some target servers. After the operation completed successfully, you then exported some reports and examined them in a browser.

Where to go from here

To learn more about provisioning, see using SCAP results, see SCAP-Compliance-results-Viewing-and-using.