Defining a basic condition


Basic conditions are the building blocks of discovery signatures and compliance rules, and are used to perform analysis of configuration objects. Using basic conditions, you can check for the presence, absence, or number of occurrences (cardinality) of a configuration object. In addition, you can evaluate configuration object properties or component properties by comparing them with constant values or with other properties.

Basic conditions can be combined or nested under conditional constructs or loops to create complex rules for evaluation.

Structure of a basic condition

Basic conditions that analyze properties always consist of a left-hand side (LHS) operand, a comparison operator, and a right-hand side (RHS) operand. For example, the condition ??TARGET.OS?? equals "Windows" consists of the following components:

| LHS operand | Comparison operator | RHS operand |
|---|---|---|
| ??TARGET.OS?? | equals | "Windows" |

Note

The number of RHS operands might change depending on the operator. See the following scenarios:

  • For the between operator, two RHS operands are required.
  • Certain types of cardinality conditions have only one operand and an operator, and do not have a right-hand side operand. For example: "File:/C/a.log" exists.

For a basic condition to be valid, the operands and operator must refer to the same data type, as discussed in Operand-data-types-and-operator-compatibility.

Defining a basic condition

Basic conditions are primarily used to perform the following operations:

  • Checking the existence of a configuration object
  • Finding the number of occurrences of a configuration object
  • Comparing configuration object properties, component properties, or user-defined values

Perform the following high-level steps to define a basic condition:

Step 1: Define the LHS operand

Within the basic condition line that you added (using the New Condition icon), click the Select (down arrow) icon of the LHS (left-hand side) field.


1. Add the basic condition line to the rule editor by clicking the down-facing arrow icon and selecting Basic Condition.


2. Populate the LHS operand field with text strings representing a component property, configuration object, or configuration object property, using the following syntax:

| Object or property | Syntax | Example |
|---|---|---|
| Component property | ??propertyName?? | ??PATH?? |
| Nested component property | ??propertySubClass??.??propertyName?? | ??GROUP.GROUP ID?? |
| Configuration object | "objectType:objectPath" | "File:/C/a.log" |
| Property of a configuration object | "objectType:objectPath".propertyName | "File:/C/a.log".size |

You can populate the LHS operand field in the following ways:

  • Click the down-facing arrow icon and select a component property, configuration object, or configuration object property, as described in the next step.
  • Type in a component property, configuration object, or configuration object property string value.


3. To automatically populate the operand field with required text strings, perform the following steps:

  1. Click the down-facing arrow icon.
  2. Depending on the type of object or property string you want to populate, expand one of the following top-level branches:
    Note: If the field already contains a textual string, the new component property is inserted at the current cursor point or replaces selected text, but does not replace the full textual string.

Component properties

Expand this branch to select a component property from the hierarchical list of component properties displayed in the following screenshot. You can expand some component properties to view and select the nested component properties under that property.


Configuration objects

Use this branch to select a local configuration object (such as a file or directory), either from a list of local template parts or from a tree-structure list of server objects.


    1. Expand the configuration objects top-level branch, and select a configuration object by clicking New Configuration Object under this branch.
    2. In the Configuration Object Selection box, select a configuration object (such as a file or directory), either from a list of local template parts or from a tree-structure list of server objects, and then click OK to return to the initial selection box.
    3. Depending on whether you want to select the configuration object or a property of the selected configuration object, perform either of the following:
      • Configuration object: To check for the presence or number (cardinality) of the configuration object, click the name of the configuration object.
      • Configuration object property: To analyze a property of the configuration object, select one of the properties listed under the branch of that particular configuration object.

Tip: You can also select a configuration object or configuration object property that was recently used in the rule from under the Configuration Object branch. Either click the branch of the specific configuration object or expand that branch and click one of the properties listed below it.

Configuration Object Types

Expand this branch to view configuration objects arranged in a hierarchy based on the configuration type. First expand this branch and select an object type from the full list of object types.



4. You must manually enter the full path to the configuration object directly into the operand field, for example "File:/C/a.log".

Note the following special functionalities while entering the path to the configuration objects:

  • To pass component properties as parameters:
    You can pass component properties as parameters to the configuration object path, for example: "File:??APP_DIR??/*.tmp"
  • To use wildcard characters to represent one or more object paths:
    You can use the wildcard characters in the configuration object path in the following ways:

| Wildcard characters | Explanation |
|---|---|
| * | Matches multiple characters, except the path separator character /. This means that a path using this character will not traverse subdirectories. |
| ** | Matches multiple characters, including the path separator character /. This means that a path using these characters will traverse subdirectories. |
| ? | Matches any single character. |
| [ Character sequence ] | Matches any single character if it is included within the brackets. For example, [abc] will match any one of the single characters a, b, or c. |
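The parameter substitution and wildcard rules above, as an added Python example that is not part of the product documentation or the product's own matcher: it expands ??NAME?? parameters and then translates the four wildcards into a regular expression, so you can check which paths an operand would and would not cover. The property value, the sample paths, the function names, and the reading of * and ** as "zero or more characters" are assumptions.

```python
import re

# Constructed sample data: the property value and server paths are made up.
PROPS = {"APP_DIR": "/opt/app"}
SAMPLE_PATHS = [
    "/opt/app/a.tmp",
    "/opt/app/a.log",
    "/opt/app/cache/b.tmp",
    "/opt/app/cache/deep/c.tmp",
]

def expand_properties(text, props):
    """Substitute ??NAME?? parameters; an undefined property is an error."""
    def lookup(match):
        name = match.group(1)
        if name not in props:
            raise KeyError(f"undefined component property: {name}")
        return props[name]
    return re.sub(r"\?\?([^?]+)\?\?", lookup, text)

def wildcard_to_regex(path):
    """Translate the four documented wildcards into a regex source string."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("**", i):
            out.append(".*")            # crosses the / separator
            i += 2
        elif path[i] == "*":
            out.append("[^/]*")         # stops at the / separator
            i += 1
        elif path[i] == "?":
            out.append(".")             # page says "any single character"
            i += 1
        elif path[i] == "[":
            end = path.find("]", i + 1)
            if end <= i + 1:
                raise ValueError("empty or unterminated [ ] sequence")
            # Listed characters are taken literally, as in the [abc] example.
            out.append("[" + re.escape(path[i + 1:end]) + "]")
            i = end + 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return "".join(out)

def match_objects(operand, props, candidates):
    """Return the candidate paths selected by an objectType:objectPath operand."""
    object_type, _, path = operand.strip('"').partition(":")
    # Expand ??NAME?? first, otherwise its question marks would be read as wildcards.
    regex = re.compile(wildcard_to_regex(expand_properties(path, props)))
    return [p for p in candidates if regex.fullmatch(p)]

if __name__ == "__main__":
    for operand in ('"File:??APP_DIR??/*.tmp"', '"File:??APP_DIR??/**.tmp"'):
        print(operand, "->", match_objects(operand, PROPS, SAMPLE_PATHS))
```

With the constructed paths, the * operand selects only /opt/app/a.tmp, while the ** operand also selects the two files under cache/, which is the coverage difference to keep in mind when a compliance rule is meant to inspect a whole directory tree.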


Step 2: Define the comparison operator


1. In the next drop-down box to the right, select a comparison operator. Note that only relevant operators are available, for example:

  • For a configuration object, only cardinality operators are available — exists, does not exist, and the various count operators.
  • For a property, only those comparison operators that are relevant to the data type of the property specified in the LHS field are available for selection.
    For a full list of operators and the data types that support them, see Operand-data-types-and-operator-compatibility.
  • To define a value for a property, so that you can use the property as a variable in subsequent conditions in the rule, choose the assign operator or the persist operator.
  • For a Command configuration object, the remediate operator is also available, enabling you to apply a shell command as a remediation action at the end of compliance analysis.


2. A component property can also be used to define a variable that you can use in subsequent conditions in the rule. To use a component property in this manner, associate it with one of the following operators:

  • The assign operator can be used to assign a transient value that is not saved to the database, but rather temporarily stored only for the duration of rule execution. The value defined by the assign operator is stored within the current rule and is not carried over to any subsequent rule. Use this operator if you want to avoid unnecessary storage of data in the database and do not plan to perform remediation based on the results of the compliance rule analysis. Property Class (PSC) type is not allowed. You can use data types such as String, Int (integer), or Boolean. It is recommended that you use only local properties of the component template for the rules under evaluation.

    For example, the statement ??VAR_List_String?? := "Command:ls -l".StringList assigns the string list output of a command to the ??VAR_List_String?? component property (:= represents the assign operator).

  • The persist operator can be used to assign a value that is persisted in the database. Use this operator if you plan to perform remediation based on the results of the compliance rule analysis. Create a PSC, and the Compliance Job creates a Property Set Instance (PSI) for you automatically. When you run the Compliance Job for the first time, the LHS value of the persist operator condition displays as NULL even if it is set in the property dictionary.
    For example, the statement ??VAR_test_prop.test_value?? persist Foobar assigns the value Foobar to the VAR_test_prop component property with a test_value property class instance. Note that you need to use the property class instance with the component property while using the persist operator.


Step 3: Define the RHS operand


1. Populate the RHS operand field with text strings representing a component property, configuration object, configuration object property, constant or parameterized value, or range of values, using the following syntax:

| Object or property | Syntax | Example |
|---|---|---|
| Component property | ??propertyName?? | ??PATH?? |
| Nested component property | ??propertySubClass??.??propertyName?? | ??GROUP.GROUP ID?? |
| Configuration object | "objectType:objectPath" | "File:/C/a.log" |
| Property of a configuration object | "objectType:objectPath".propertyName | "File:/C/a.log".size |

Notes

  • RHS operand is not required for the exists and does not exist cardinality operators.

  • RHS operand is not required for the remediate operator, which can be used together with a Command configuration object that you specify in the LHS operand.

  • For certain Windows Security Setting policies, you must use the relevant pre-defined Windows value in the RHS field. For example, for Security Settings\Local Policies\Audit Policy\Audit account logon events, compare the configuration object in the LHS field to an RHS value range of 0-3 (0=Audit No Auditing, 1=Audit Success, 2=Audit Failure, 3=Audit Success and Failure), rather than textual values.

You can populate the RHS operand field in the following ways:

  • Click the down-facing arrow icon and select a component property, configuration object, or configuration object property, as described in the next step.
  • Type in a component property, configuration object, or configuration object property string value.


2. To automatically populate the operand field with required text strings, perform the following steps:

  1. Click the down-facing arrow icon.
  2. Depending on the type of object or property string you want to populate, expand one of the following top-level branches:
    Note: If the field already contains a textual string, the new component property is inserted at the current cursor point or replaces selected text, but does not replace the full textual string.

Component properties

Expand this branch to select a component property from the hierarchical list of component properties displayed in the following screenshot. You can expand some component properties to view and select the nested component properties under that property.

Configuration objects

Use this branch to select a local configuration object (such as a file or directory), either from a list of local template parts or from a tree-structure list of server objects.

    1. Expand the configuration objects top-level branch, and select a configuration object by clicking New Configuration Object under this branch.
    2. In the Configuration Object Selection box, select a configuration object (such as a file or directory), either from a list of local template parts or from a tree-structure list of server objects, and then click OK to return to the initial selection box.
    3. Depending on whether you want to select the configuration object or a property of the selected configuration object, perform either of the following:
      • Configuration object: To check for the presence or number (cardinality) of the configuration object, click the name of the configuration object.
      • Configuration object property: To analyze a property of the configuration object, select one of the properties listed under the branch of that particular configuration object.
Tip: You can also select a configuration object or configuration object property that was recently used in the rule from under the Configuration Object branch. Either click the branch of the specific configuration object or expand that branch and click one of the properties listed below it.

Configuration Object Types

Expand this branch to view configuration objects arranged in a hierarchy based on the configuration type. First expand this branch and select an object type from the full list of object types.


3. You must manually enter the full path to the configuration object directly into the operand field, for example "File:/C/a.log".

Note the following special functionalities while entering the path to the configuration objects:

  • To pass component properties as parameters:
    You can pass component properties as parameters to the configuration object path, for example: "File:??APP_DIR??/*.tmp"
  • To use wildcard characters to represent one or more object paths:
    You can use the wildcard characters in the configuration object path in the following ways:

| Wildcard characters | Explanation |
|---|---|
| * | Matches multiple characters, except the path separator character /. This means that a path using this character will not traverse subdirectories. |
| ** | Matches multiple characters, including the path separator character /. This means that a path using these characters will traverse subdirectories. |
| ? | Matches any single character. |
| [ Character sequence ] | Matches any single character if it is included within the brackets. For example, [abc] will match any one of the single characters a, b, or c. |


4. Each condition returns a logical value of either TRUE or FALSE. If you plan to add other basic conditions, loops, or conditional constructs to the rule, you must specify which logical operator to use to evaluate the conditions in the rule.

For detailed examples of rules illustrating the usage of the logical operators AND and OR, see Examples-for-creating-compliance-rules.


5. Click Apply Condition Value at the end of the condition line to apply your changes to the condition (or, alternatively, leave the condition line by clicking outside of it).
You can click Cancel Edit Operation to cancel any editing that you performed on the condition line as long as you have not yet applied your changes.


Special considerations

  • A noteworthy example of an object type is the Command configuration object. The Command object enables you to execute shell scripting commands and analyze their output. For more information, see Using-commands-in-conditions.
  • Certain types of server objects cannot be included as configuration objects in compliance rules. Such server objects cannot be selected from the tree-structure list of server objects and they do not appear in the list of configuration object types. These object types include various lists and containers of multiple server objects, as represented by top-level Live nodes such as Configuration, Extended Objects, and System Info.
  • Before including a local configuration object from the component template in your rule, ensure that the component template was saved since the local configuration object was defined.
  • If necessary, prepare an appropriate local property through the Local Properties tab. When you prepare a component property for use as a transient variable, add it as a local property to the component template and give it a name that begins with the VAR_ prefix (in uppercase).
