BSA 8.2 Compliance Quick Audit Howto Video

Version 1

    It's useful to be able to set up a standalone instance of BMC BladeLogic Server Automation for testing or development purposes.


    This video is part of a series showing how to set up and use BMC Server Automation.


    This video shows how to run a basic Compliance Audit.


    Here's the original script I used to put this together.


    Our goal today is to get started with compliance in BladeLogic.  There are two different kinds of compliance: snapshot-based and policy-based.

    Snapshot-based compliance uses the configuration of a "golden" server that has exactly the configuration we're looking for, while policy-based compliance works from a set of rules that can define a range of acceptable configurations.

    Today we'll be working with policy-based compliance.

    Many organizations today need to ensure they comply with one or more sets of regulations or internal security policies.

    These can include adherence to standards required by the Sarbanes-Oxley Act, the Payment Card Industry Standard, the Health Insurance Portability and Accountability Act, the Defense Information Systems Agency, and the Center for Internet Security.

    BladeLogic ships with a number of out-of-the-box policies for a range of regulatory and security requirements, including SOX, PCI, HIPAA, DISA and CIS.  Most organizations use these as a starting point for their own customized versions of the policies.  These policies are fairly comprehensive, and cover many of the compliance conditions you might want to check for, ranging from minimum password length, to whether certain baseline software is installed, to what kind of services may be enabled.

    Here's the other important thing: these out-of-the-box policies include sample remediation instructions where appropriate: scripts or packages to fix common security misconfigurations.

    Between ready-to-go policies and remediation instructions, you can get started very quickly and be showing results in minutes.

    So, we've already loaded our compliance content during the previous video.  Now let's go measure compliance on one of our servers.

    Let's browse to the Component Templates workspace, go to the DISA compliance content folder, expand it, and browse down into the Windows Server 2008 policy.

    Let's open this policy up and look at one rule.  Under Password Policy Configuration, here's the password length rule: it looks at a given server configuration, in this case a local security policy, and evaluates it for both the local and the effective configuration, where "effective" is what the configuration actually does after group policy is applied.  It's currently set to 14, but changing the policy to fit our standards is as easy as typing in a new value.  Isn't that simple?


    So, today we're going to audit just one server, so let's create a component for that server.  Let's right-click on the template and select New Component.  We pick our host, click OK, and now we can audit the server using this policy.

    To audit the server, we need a compliance job.  Let's right-click on the template and select Compliance.  Let's call this job "test DISA Windows Compliance Audit".  Let's select our policy template.  We can use Component or Server smartgroups: for right now, let's use the Windows 2008 Server Smartgroup.  Let's skip remediation: we'll come back to it in a future video.  Here's scheduling: note that we could schedule this to run monthly, weekly, or more often.  For today, let's just execute it now.

    See the job running in the Tasks In Progress bar.  It's going out to our target server, collecting configurations, then evaluating those configurations against the rules in the policy.

    Ok, let's look at results: browse to the job, right-click, and choose Show Results.  Browse down to the most recent run and expand the tree.  The green check mark means it ran without errors.  If a server is down, you'll get a different icon, telling you it wasn't able to execute the job completely successfully.  On larger populations of servers, sometimes a server is down or unreachable, so you could get a warning or error here.

    Let's browse down into our specific server and look at how compliant our server is to the policy.  It's ok not to match the policy perfectly at this point: most organizations customize the out-of-the-box policies a bit to better match their environment, or will need to document specific exceptions.

    It looks like we're about X% compliant.  Let's look at one rule in particular.  Here's what the policy says, and here's how compliant we are.

    Ok, great, so now let's dump out the result for this server so we can share it: right-click on the server level and export to HTML or CSV.

    Open up the result and, voilà, compliance results in minutes.

    Next episode, we'll learn how to set this up to run against more machines, and on a scheduled basis.