Running a Compliance Job based on Compliance Content templates


The component templates provided in Compliance Content libraries were designed specifically as the basis for Compliance Jobs that enable you to analyze your compliance with industry standards.

This topic explains how to run a Compliance Job based on a Compliance Content component template. It includes the following sections:

Considerations and limitations

  • Compliance Jobs based on Compliance Content templates scan only the local file system on the target server, excluding all remote mounted file systems.
  • Compliance Jobs based on Compliance Content templates use various extended objects that are stored in the file server. Therefore, if at any point you switch to a new file server for the storage of TrueSight Server Automation files, ensure that you copy all existing files from the old file server to the new file server. For more information about file server configuration, see Configuring-the-file-server.
  • If you are using SOCKS proxies, Compliance Jobs might fail because they cannot access the required extended objects in the file server behind the SOCKS proxy (an SSL_connect error is issued). To avoid this issue, configure the Application Servers to route traffic to Network Shell proxy servers.
     For information about Network Shell proxy servers, see Setting-up-a-Network-Shell-proxy-server. For information about SOCKS proxies, see Setting-up-communications-with-remote-servers.

Before you begin

  • Ensure that target components have already been discovered against the appropriate template, as discussed in Running-a-Component-Discovery-Job. Alternatively, you can choose to authorize your Compliance Job to perform automatic component discovery, so that components are generated later on, just before they are analyzed for compliance.
  • Ensure that the location defined by the STAGING_DIR target property exists on target servers. By default, the staging directory is \temp\stage (on Windows) or /var/tmp/stage (on UNIX).
  • For the CIS and PCIv2 templates for Windows, ensure that you have set the following properties to the appropriate values:
    • DOMAIN - whether the target server is a Domain Controller (a value of DC) or a Member Server (a blank value, the default).
    • IS_SSLF - true if the server profile is Specialized Security - Limited Functionality (SSLF), and false otherwise.
    • PCI Properties/CIS Properties - one of the following values, depending upon the server profile:
      • ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
      • ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
      • SSLF_MEMBER_SERVER, for a Member Server with Specialized Security - Limited Functionality (SSLF)
      • SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
  • If you plan to remediate failed components for a single rule group rather than for all compliance rules in a SOX component template, you must uncomment the duplicate rules within the rule group before you run the Compliance Job. For more information, see Uncommenting duplicate rules for rule-group remediation.
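
A pre-flight check for the Windows CIS and PCIv2 property settings listed above, as an added example that is not part of the product or its documentation. It assumes the three values should agree with one another, uses PROFILE as a hypothetical key for the PCI Properties/CIS Properties value, and runs over constructed target data.

```python
# DOMAIN, IS_SSLF and STAGING_DIR are named on the page; "PROFILE" is a
# hypothetical key for the PCI Properties/CIS Properties value.
VALID_PROFILES = {
    "ENTERPRISE_MEMBER_SERVER", "ENTERPRISE_DOMAIN_CONTROLLER",
    "SSLF_MEMBER_SERVER", "SSLF_DOMAIN_CONTROLLER",
}

def expected_profile(domain, is_sslf):
    """Derive the profile value implied by DOMAIN and IS_SSLF."""
    level = "SSLF" if is_sslf else "ENTERPRISE"
    role = "DOMAIN_CONTROLLER" if domain == "DC" else "MEMBER_SERVER"
    return f"{level}_{role}"

def check_target(props):
    """Return a list of problems in one target's property values."""
    problems = []
    domain = (props.get("DOMAIN") or "").strip()
    if domain not in ("", "DC"):
        problems.append(f"DOMAIN must be DC or blank, got {domain!r}")
    sslf = str(props.get("IS_SSLF", "")).strip().lower()
    if sslf not in ("true", "false"):
        problems.append(f"IS_SSLF must be true or false, got {sslf!r}")
    profile = props.get("PROFILE", "")
    if profile not in VALID_PROFILES:
        problems.append(f"unknown profile value {profile!r}")
    if not problems:
        # Assumption: the three values describe the same server profile.
        want = expected_profile(domain, sslf == "true")
        if profile != want:
            problems.append(f"profile is {profile}, expected {want}")
    # Only checks that a path is set; its existence must be verified on the target.
    if not (props.get("STAGING_DIR") or "").strip():
        problems.append("STAGING_DIR is empty")
    return problems

# Constructed sample data, not taken from a real environment.
TARGETS = {
    "win-dc01": {"DOMAIN": "DC", "IS_SSLF": "false",
                 "PROFILE": "ENTERPRISE_DOMAIN_CONTROLLER", "STAGING_DIR": r"\temp\stage"},
    "win-ms02": {"DOMAIN": "", "IS_SSLF": "true",
                 "PROFILE": "ENTERPRISE_MEMBER_SERVER", "STAGING_DIR": r"\temp\stage"},
    "win-ms03": {"DOMAIN": "Member", "IS_SSLF": "false",
                 "PROFILE": "SSLF_MEMBER_SERVER", "STAGING_DIR": ""},
}

if __name__ == "__main__":
    for name, props in TARGETS.items():
        issues = check_target(props)
        print(name, "OK" if not issues else "; ".join(issues))
```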

To create and run a compliance job

Choose between the following types of compliance analysis:

Where to go from here

Viewing-the-results-of-Compliance-Jobs-for-Compliance-Content

 
