Skip to Content

Troubleshooting Compliance job results displaying false positives or negatives

A TrueSight Server Automation Compliance job runs to completion successfully against one or more target servers but the Compliance results appear to be incorrect.

  • Scenario#1: The Compliance job reports that a specific rule is non-compliant against a specific target server. However, the user believes that the results should be compliant. 
    The following image shows how this might appear in the TrueSight Server Automation Console Compliance Results Server View:

    1.png

    Expand the target to see the compliant and non-compliant rule count in each rule group.

    2.png

  • Scenario#2: The opposite scenario may also be reported where the Compliance Results show a rule as Compliant against a Target Server but the user believes the results should be non-compliant.
    The following image shows how this might appear in the TrueSight Server Automation Console Compliance Results Server View:

    14.png

Issue scope

  • The issue may occur on all Target Servers against which the Compliance Job is executed or may be limited to a subset of the Target Servers.
  • The issue may occur for multiple rules or a single rule.

Diagnosing and reporting an issue

Task

Action

Steps

Reference

1

Understand problem scope.

  • Is this Compliance Job using a custom (i.e. customer-created) Component Template or BMC-provided Component Template?
  • If the Component Template is BMC-provided content:
    • What is the name and version of the Component Template? (refer to screenshot on the right ) For example,
      CIS Windows 2019 (Version 1.1.0)
      CIS - Red Hat Enterprise Linux 8 (Version 1.0.0)
      PCI Data Security Standard v3 - Windows Server 2016 (Version 3.2.1)
      PCI Data Security Standard v3 - Red Hat Enterprise Linux 7 (Version 3.2.1)
    • Is the version of the Component Template supported by the version of the TrueSight Server Automation Application Server?
      See this topic to confirm:
      Compliance-Content-support-and-requirements
  • What is the Operating System vendor and version of the Target Servers? For example, MS Windows 2016, RHEL 7, and so on.
  • How many total Target Servers is the Compliance Job running against and are all the Target Servers impacted? If a subset of the Target Servers are impacted, how many?
  • Is the issue consistent across multiple Compliance Job runs or intermittent?
  • What is the version of the TrueSight Server Automation Application Server?
  • What are the version(s) of the affected RSCD Agents?
  • Identify affected Compliance rule(s). See the screenshot on the right for example.
  • Capture screenshot of full rule definition.

Template name and version details:

4.png

Rule number:

3.png


2

Test the Compliance Rule from the TrueSight Server Automation Console.

Testing the rule from the TrueSight Server Automation console allows the user to reproduce and troubleshoot the behavior outside the context of a Compliance Job.

See steps in the Reference section on the right.

  1. Open the Component Template.
  2. Open the rule which appears to be displaying incorrect results.
  3. Click Play to test the rule.

    10.png

  4. Add the Component or Target Server (you need to do this only once)

    11.png

  5. Click Run Test.

    12.png

  6. Review the results. If the results appear to be incorrect, pay close attention to the "Left Value" and the "Right Value.

    13.png

For more information, see Testing-a-compliance-rule.

3

Validate the condition of the rule (s) directly on the Target Server.

The conditions of the Compliance Rule can be validated directly on the Target Server to confirm they are as expected.

For example, if the Compliance Rule is checking the permissions a file, this can be validated directly on the Target Server and also via a Live Browse from the TrueSight Server Automation console.

  1. Login to the impacted Target Server.
  2. Go to the file location in question. For example, cd /etc
  3. Check the file permissions.
    In this example, it is 000.
  4. Check the same by Live Browsing the Target Server from the TrueSight Server Automation Console. This provides an additional validation using the RSCD Agent.

See reference section on the right for an example of checking file permissions directly from a Target Server and from the TrueSight Server Automation Console. Different Compliance Rules will check for other conditions which can similarly be checked. For example,

  • Does a file exist
  • Does a registry entry exist
  • checksum of a specific file
  • Value of a registry entry
  • ownership of a file
  • Presence of a specific entry in a configuration file

Checking file permission directly from the Target Server:

5.png

To check the File Permission by Live Browsing the Target Server:

  1. Right-click the target server and select Browse.

    7.png
  2. Go to File System > /etc/shadow and validate the permissions.

    8.png

    9.png


4

Generate Compliance Job Log Package

If the cause of the problem cannot be determined in steps 1-3 above, generate the Compliance Job Log Package for review by BMC Customer Support.

Right-click the Compliance Job Run displaying the false Positives/Negatives and select "Download Log Package" in order to capture the required logs. (refer to screenshot on the right)


  1. Right-click the Job Run and select “Download Log package”:
    Step1.jpg
  2. Select a location to save the downloaded Log Package:
    Step2.jpg
  1. Select the Target Servers involved in the False Negatives/Positives:
    Step3.jpg

    Step4.jpg
  2. Press OK to begin the Log Package Download process which can be monitored in the bottom right corner of the TrueSight Server Automation console.
    step5.jpg

Once process is complete it will show a popup window confirming the logs have been downloaded.

Reference Video:

5

Creating a BMC Support Case

If the cause of the problem cannot be determined from the above steps, provide the following information and log files when creating a case with BMC Customer Support:

  • Scope of the issue as identified in step 1
  • Results of the "Test Rule" performed in step 2
  • Results of the tests performed directly on the Target Server and via Live Browse in step 3
  • Job Log Package generated in step 4


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

TrueSight Server Automation 23.1