Walkthrough: Creating a compliance template

This topic walks you through the process of creating a simple compliance template using TrueSight Server Automation.

This topic includes the following sections:

The video at right demonstrates the process of setting up a compliance template.

icon-play2x.png  https://youtu.be/lccjjaXsxzw

Introduction

This topic is intended for system administrators and compliance officers who are responsible for ensuring that server configurations adhere to industry and organizational standards.

The goal of this topic is to demonstrate how to create and edit a simple component template that includes two rules. The rules test for compliance with password standards.

What does this walkthrough show?

This walkthrough shows how to create a simple component template. The template consists of two security settings about password handling and rules related to those settings. You can use this template as the basis of a Compliance Job that tests whether components on servers satisfy the two rules. For a description of how execute a Compliance Job, see Walkthrough-Compliance-audit-based-on-a-policy.

Remediation is the process of correcting deficiencies discovered by a Compliance Job. This walkthrough does not show how to incorporate remediation content into a component template. For a description of that process, see Walkthrough-Creating-remediation-objects-for-a-compliance-template.

Many component templates are much more complex and incorporate many compliance rules. TrueSight Server Automation provides prepackaged component templates that you can use to test for compliance with various industry standards. See Walkthrough-Loading-compliance-content for a description of how to load those prepackaged templates.

What do I need to do before I get started?

For this walkthrough, we have logged on as BLAdmin, the default superuser for TrueSight Server Automation. In production environments, BMC recommends that you grant access based on roles with a narrower set of permissions.

How to create a template used for compliance testing

 

Step

Example screen

1

Using the Component Templates folder in TrueSight Server Automation, navigate to a location where you want to create a component template. Right-click and select New > Component Template. A wizard opens that guides you through the process of creating a component template.

ComplianceNewTemplate.gif

2

On the General panel of the wizard, enter a name for the template. Then select the type of operations you want to allow for this component template. In this example, we select Discover, Browse, Compliance, and Allow Remediation. Finally, click Finish.

Later, you add more complex information to the component template during an editing process.

ComplianceTemplateGeneral.gif

3

Select the component template you just created. Right-click and select Open. The component template opens to the General tab. Tabs representing other steps in the template definition process appear at the bottom of the pane.

ComplianceEditTemplateGeneral.png

4

Assign parts to the component template.

  1. Click the Parts tab.
  2. Click the Add Part icon g_V95_AddIcon16.gif. The Select Parts dialog opens.
  3. Navigate to the type of server for which you want to test compliance. In this case, we select a server running Windows 2008.
  4. Expand the server to see all the server object types available on that machine.
    When selecting parts for a component template, you can use any of these server object types or the individual objects they contain.  
  5. Expand Security Settings, expand Account Policies, and then expand Password Policy.
  6. Select Enforce password history and Maximum password age and move them to the New Parts list at right.
  7. Click OK.
    The parts you have selected appear in the list on the Parts tab. 

Component template parts often include a wide variety of server objects. To keep this walkthrough simple, we selected only two parts.

ComplianceSelectParts.gif

5

Set up a rule group and begin to define the first rule.

  1. Click the Compliance tab.
  2. Create a compliance rule group by clicking the Add New Rule Group icon g_V95_AddComplianceRuleGroupIcon.gif. Assign a name to the rule group. In this case we call the group Password Compliance.
  3. Select the newly created compliance rule group and click the Add New Compliance Rule icon g_V95_AddComplianceRuleIcon.gif. The New Rule tab appears. It has three sub-tabs, displayed at the bottom of the pane.
  4. Assign a name to the rule. In this case we call it Maximum password age. Optionally, provide a description.

 

ComplianceEditTemplateGeneral_withGitTab.png

6

Click the Rule Definition sub-tab and define the contents of the first rule.

  1. To define the first condition of the rule, click the New Condition icon g_V95_AddIcon16.gifand take the following steps:
    1. In the first drop-down box, click the drop-down arrow, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Maximum password age and select Effective setting as String Value (Windows).
    2. In the next drop-down select does not equal. Then leave the next field empty.
    3. In the last drop-down on the row select AND.
  2. Click New Condition g_V95_AddIcon16.gifto start another condition:
    1. In the first drop-down, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Maximum password age and select Local setting as String Value (Windows).
    2. In the next drop-down select does not equal and leave the next field empty.
    3. In the last drop-down on the row select AND.
  3. Click New Condition g_V95_AddIcon16.gifto start another condition:
    1. In the first drop-down, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Maximum password age and select Effective setting as Integer Value (Windows).
    2. In the next drop-down select between.
    3. In the next two fields enter 1 and 60. This means you must change your password at least every 60 days.
    4. In the last drop-down on the row select AND.
  4. Click New Condition g_V95_AddIcon16.gifto start the last condition:
    1. In the first drop-down, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Maximum password age, and select Local setting as Integer Value (Windows).
    2. In the next drop-down select between.
    3. In the next two fields enter 1 and 60.
    4. In the last drop-down on the row select AND.
  5. Click Apply Condition Value, save your edits (Ctrl+S), and close the tab defining this rule.

Taken together, these rules say that there must be a value for password age and that the password must be between no older than 60 days.

Note: These rules are set up to test both the local setting and the effective setting. The local setting is the setting established on a server by means of its local security policy or registry setting. The effective setting is the setting that is actually in effect. They can differ if a server is part of a Windows domain and the domain level group policy object (GPO) overrides the local setting. Local and effective settings can also differ if the local setting has been changed but is not yet in effect. For example, the server may be in need of a reboot to apply a changed setting. BMC recommends setting up compliance rules to test both the local and effective setting.

Defining first condition

ComplianceDefineFirstCondition.gif

Logical descriptions of all conditions

ComplianceFirstRule.gif

 

7

Create a new rule.

  1. Select the existing compliance rule group (in this example it is called Password Compliance) and click Add New Compliance Rule g_V95_AddComplianceRuleIcon.gif.
  2. Assign a name to the rule. We call this rule Password history. Optionally, you can provide a description.

ComplianceSecondRule.gif

8

Click the Rule Definition sub-tab and define the contents of the next rule.

  1. Click New Condition g_V95_AddIcon16.gifand take the following steps:
    1. In the first drop-down box, click the drop-down arrow, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Enforce password history, and select Effective setting as String Value (Windows).
    2. In the next drop-down select does not equal and then leave the next field empty.
    3. In the last drop-down on the row select AND.
  2. Click New Condition g_V95_AddIcon16.gifto start another condition:
    1. In the first drop-down, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Enforce password history, and select Local setting as String Value (Windows).
    2. In the next drop-down select does not equal and then leave the next field empty.
    3. In the last drop-down on the row select AND.
  3. Click New Condition g_V95_AddIcon16.gifto start another condition:
    1. In the first drop-down, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Enforce password history, and select Effective setting as Integer Value (Windows).
    2. In the next drop-down select greater than or equal to.
    3. In the next field enter 24. This means you cannot reuse any of your last 24 passwords.
    4. In the last drop-down on the row select AND.
  4. Click New Condition g_V95_AddIcon16.gifto start the last condition:
    1. In the first drop-down, expand Configuration Objects, expand Security Setting:Security Settings\Account Policies\Password Policy\Enforce password history, and select Local setting as Integer Value (Windows).
    2. In the next drop-down select greater than or equal to.
    3. In the next field enter 24.
    4. In the last drop-down on the row select AND.
  5. Click Apply Condition Value, save your edits (Ctrl+S), and close the tab defining this rule.
  6. Close the tab for the component template. You are prompted to save any changes. The component template is complete.

Taken together, these rules say that there must be a value for password history and that the user cannot reuse any of his last 24 passwords.

ComplianceSecondRuleText.gif

 9 


To support version management of the component template, commit the template to the local Git repository. This first commit represents the initial version of the template from the time of its creation.

  1. Click the Git Repository History tab.
  2. Above the list of revisions (which is currently empty), click the Commit button commitButton.png.
  3. In the Git Commit dialog box:
    • Adjust the email address.
    • Enter a summary message to accompany the commit.
    • Choose whether to include dependencies.
  4.  In the Git Commit dialog box, click Commit, and then click OK in the informational message.

Commit details for the initial version of the component template are added on the Git Repository History tab.


commitCTpasswordSecurity.png

Wrapping it up

Congratulations. You have created a component template. This template can be used to define a Compliance Job, which measures server compliance to organizational standards.

Where to go from here

See Walkthrough-Creating-remediation-objects-for-a-compliance-template for a description of how to attach a remediation object to a component template. Also, you can see Walkthrough-Compliance-audit-based-on-a-policy for a description of how to use a component template to run a Compliance Job.

The TrueSight Server Automation documentation provides more detailed instructions on setting up compliance rules in a compliance template.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*