Running a Compliance Job


The component templates provided in Compliance Content libraries were designed specifically as the basis for Compliance Jobs that enable you to analyze your compliance with industry standards.

Note

  • Compliance Jobs based on Compliance Content templates scan only the local file system on the target server, excluding all remote mounted file systems.
  • Compliance Jobs based on Compliance Content templates use various extended objects that are stored in the file server. Therefore, if at any point you switch to a new file server for the storage of BMC Server Automation files, ensure that you copy all existing files from the old file server to the new file server. For more information about file server configuration, see Configuring the file server.
  • If you are using SOCKS proxies, Compliance Jobs might fail because they cannot access the required extended objects in the file server behind the SOCKS proxy (an SSL_connect error is issued). To avoid this issue, configure the Application Servers to route traffic to Network Shell proxy servers.
     For information about Network Shell proxy servers, see Setting up a Network Shell proxy server. For information about SOCKS proxies, see Setting up communications with remote servers.

Before you begin

  • Ensure that target components have already been discovered against the appropriate template, as discussed in Running a Component Discovery Job.
  • Ensure that the location defined by the STAGING_DIR target property exists on target servers. By default the staging directory is \temp\stage (on Windows) or /var/tmp/stage (on UNIX).
  • For the CIS and PCIv2 templates for Windows, ensure that you have set the following properties to the appropriate values:
    • IS_DOMAIN_CONTROLLER target-level property to true for all the Domain Controller servers, and false for all the Member Servers. 
    • IS_SSLF property to true if the server profile is Specialized Security - Limited Functionality (SSLF), and false otherwise. 
    • PCI Properties/CIS Properties properties to one of the following values, depending upon the server profile:
      • ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
      • ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
      • SSLF_MEMBER_SERVER, for a Member Server with Specialized Security — Limited Functionality (SSLF)
      • SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
  • If you plan to remediate failed components for a single rule group rather than for all compliance rules in a SOX component template, you must uncomment the duplicate rules within the rule group before you run the Compliance Job. For more information, see Uncommenting duplicate rules for rule-group remediation.

To create and run a compliance job

  1. Choose between a regular compliance job and a Batch Job. For more information about each method, and to help you choose between these two methods, see Choosing between a regular Compliance Job and a Batch Job.
  2. Create and run one of the chosen jobs:

 
