4 Replies Latest reply on Aug 5, 2014 7:11 AM by Bill Robinson

    Compliancy Runs

    Robert Stinnett

      So we are trying to use the compliancy feature of Bladelogic, and I have to say the documentation is lacking.  A lot of documentation on the theory behind it, but very little on how to actually use/interpret/develop the rules.


      Anyway, we have run an OEL6 CIS compliancy check against our servers.  However, I cannot tell if the rule actually fired or if there is an error.  What exactly is the red "x" on the left hand side trying to tell me?  Just looking at the rule it seems as if the string matches, but the red "x" is throwing me.


      All our servers are coming back 100% compliant, which I find hard to believe (and I know is not true).


      Furthermore, in the servers view (and yes we have run Discover jobs) I am only seeing two rules from CIS under Components; and when I try to click on them I get an error.


      Any help appreciated....



        • 1. Re: Compliancy Runs
          Monoj Padhy

          Here the rule is complaint however, IF block condition is failed to satisfy and that's why you are getting red X, this leads to then statement gray out.


          I wonder why this happening, need to check on the same. seems like left and right value identical but still it shows non-compliant.


          At the same time i think in right value the string available is "ALL" which is compared with Left value ALL.

          In short compliance rule is looking for ALL as value in the target in question however found "ALL"


          Which version you are running with ?

          • 2. Re: Compliancy Runs
            Robert Stinnett

            We are on 8.5....


            Even in my development environment it does this.  To the naked eye it looks right, so that is why we can't figure out what it is failing on.


            • 3. Re: Compliancy Runs
              Joe Piotrowski

              Quick Compliance 101 steps. I'm doing this from my head so I might not be completely accurate.

              - Create a Component Template

              - Add Parts

              - Create Rules against those parts

              - Run a Discovery Job (creates Components)

              - Run a Compliance Job


              The results will come back as Compliant, Compliant with Exception, Non-Compliant and error. If not compliant, the results will come back in bold red.


              If you select a non compliant result, you should see a Left and Right value. Selecting it (like your screenshot above) gives you those values. Typically, they are straight forward and clear.


              However, it depends on the type of check. Loops for example can display some interesting results.


              Parts can be Server Objects, or they can be scripts (called Extended Objects) that can return values that we can run rules against. Extended Objects can be Global (affect all servers) or Local (only exist within the Component Template and the servers Components are created against).


              I am not familiar with the OOTB OEL6 CIS content. But on the surface it looks as though you haven't expanded the 1.1.19 rule to dig further into the results (unless the example you posted is the same for all servers). But on the surface your example doesn't look correct. But I'm unfamiliar with what ??CONFIGURATION_LEVELS?? is, it appears to be a server property. And there is a local Extended Object called "" which appears to be failing against that server. You would have to dig into the script to determine what it doesn't like.

              • 4. Re: Compliancy Runs
                Bill Robinson

                can you look in the local configuration objects of the template and see what OS that EO exists for ?