14 Replies Latest reply on Mar 27, 2015 7:28 PM by Raja Mohan

    Managing Exceptions Outside of BSA

    Edwin Lindeman

      Hey guys

       

      Wondering if anyone out there has worked with Managing Compliance Exceptions outside of BSA.

       

      Example instead of adding exceptions via the GUI or BLCLI the exception can be handled through an external source like xml, csv file.

       

      Trying to get some other ideas from the communities.

       

      Hope that question made sense.

        • 1. Re: Managing Exceptions Outside of BSA
          Rajeev Gupta

          You want to compare the rules from some XML or CSV file?

          • 2. Re: Managing Exceptions Outside of BSA
            Joe Piotrowski

            What is the use case for this? Do you have too many servers and managing the exceptions within BSA is too cumbersome? Or some other reason?

            • 3. Re: Managing Exceptions Outside of BSA

              There is a reason why you want BSA to be aware of your compliance exceptions: when calculating the compliance ratio, exceptions do not count as non-compliant and therefore don't make you miss your SLAs.

               

              That said, if the question is whether BSA can determine from an external source that there is a compliance exception on a specific rule for a specific server, I don't think you can do that easily. The less intrusive way to do that would be to place a file on each server and rewrite all of the compliance rules to pass if there is an exception described in the file.

               

              Whilst doable, I think it's particularly cumbersome to set up and maintain for a large number of rules and a large number of servers.

               

              Make sense?

               

              Olivier.

               

              PS: and if already you have that file describing the exceptions, all you need to set the exceptions is a few lines of BLCLI.

              • 4. Re: Managing Exceptions Outside of BSA
                Joe Piotrowski

                I've had customers use custom server properties that get populated with a script and a feed file with the list of servers for this purpose. And set up the rules as Olivier mentioned. But I didn't want to suggest anything until I understood the use case here.

                • 5. Re: Managing Exceptions Outside of BSA
                  Edwin Lindeman

                  Rajeev, either or another format. Could be name=value possibly.

                   

                  Joe, working with a customer and they could run into a possibility where one day they have certain rules within the same template need to be in exception however the next day it might be another set of rules with same template on different servers.  Right now the process via the GUI can be cumbersome if managing thousands of servers and you might only want to have exceptions on certain rules/ certain rules. Looking for an easier way to dynamically have an approach to this.

                   

                  Olivier, it does make sense, but I'm doing my due diligence to reach out to you guys to see if someone else has run into this particular scenario or situation.

                   

                  Thanks guys for the feedback!!

                  • 6. Re: Managing Exceptions Outside of BSA
                    Joe Piotrowski

                    Edwin, can you give me some rough stats? How many rules in the Component Template? How many servers? How many exceptions? How often do they change? How often are these jobs going to run?

                    • 7. Re: Managing Exceptions Outside of BSA
                      Edwin Lindeman

                      Hi Joe, Unfortunately don't have actual numbers of stats but rules could be 20 to 30 from a component template. Probably couple of thousands of servers.  Could be a random amount of exceptions, depends on the day and they might change daily, twice a week or even once a week. Nothing set in stone. These jobs would run ad-hoc when needed.

                       

                      I apologize for the lack of information but just getting started with these conversations and no one can give me actual numbers besides what I provided above.

                       

                      Thank you

                      • 8. Re: Managing Exceptions Outside of BSA
                        Bill Robinson

                        I think you can set and get the exceptions via the blcli, so you can probably script something up that can read a csv and sync.

                        • 9. Re: Managing Exceptions Outside of BSA
                          Edwin Lindeman

                          I like the idea of using blcli to set exceptions. If someone already has something or a framework let me know. If not I'll look into what I can do from the blcli. Going to keep this thread alive and let you know the options we come up with.

                           

                          Thank you

                          • 11. Re: Managing Exceptions Outside of BSA

                            ... your Component doesn't seem to have an Exception named "TEST"

                             

                             

                            I would try something like:

                             

                            iterate for each exception:

                             

                            ComponentException createEmptyComponentException $componentKey$ $Name$ $Description$ $Role$ $User$ $Comment$
                            ComponentException addRuleToException $componentKey$ $Name$ $templateGroupName$ $templateName$ $ruleName$
                            

                            or

                             

                            ComponentException createComponentExceptionWithOneRule $componentKey$ $Name$ $Description$ $Role$ $User$ $Comment$ $templateGroupName$ $templateName$ $ruleName$
                            

                             

                            which essentially looks like a concatenation of the two latter.

                            • 12. Re: Managing Exceptions Outside of BSA
                              Edwin Lindeman

                              Thanks Olivier

                               

                              In my script after I created the exception name I tried to add the rules without grabbing the key again. For some reason if I get the DB Key for the component I'm able to add the rules right after I create the empty exception

                               

                              #####################

                              blcli_execute Component getAllComponentKeysByTemplateKeyAndServerId $myDBKey $serverId

                              blcli_storeenv ComponentKey

                              #####################

                              blcli_execute ComponentException createEmptyComponentException $ComponentKey "${emptyException}"

                              #####################

                              blcli_execute Component getAllComponentKeysByTemplateKeyAndServerId $myDBKey $serverId

                              blcli_storeenv ComponentKey

                              #####################

                              blcli_execute ComponentException addRuleToException $ComponentKey "${emptyException}"

                              #####################

                               

                              Best Regards

                              • 13. Re: Managing Exceptions Outside of BSA

                                Edwin,

                                 

                                I think this is because the Component key gets updated as you add Exceptions, which means you need the updated version of the key each time you add a new exception.

                                 

                                Olivier.

                                • 14. Re: Managing Exceptions Outside of BSA

                                  You can maintain Technical exceptions in a relational database which can have information about Technical Security Compliance Rule Number, Name of Server, Date - Exception Valid till, INC details etc. There is one more dimension you can consider, like part items which are non-compliant, like OS users, Files/Dir etc. on a given server.

                                   

                                  Also you can develop the AO workflow or NSH Script job to apply these Exceptions in BSA for reporting purposes.
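
Added example, not part of the thread and not BMC or poster code: a shell sketch of the CSV-to-BLCLI sync discussed in replies 8 to 14. It validates a feed before anything reaches BSA and prints the calls in the order reply 13 suggests, re-reading the component key before each update. The feed layout, the `EXC-` naming scheme and the `<...>` tokens are assumptions or placeholders; the BLCLI command names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: validate an exception feed and print the BLCLI calls to run.
# Nothing is executed against BSA; <...> tokens are placeholders to fill in.

# Constructed sample feed. Assumed layout: server,rule,valid_till,ticket
sample_feed() {
cat <<'EOF'
server,rule,valid_till,ticket
web01,PasswordMaxAge,2015-04-30,INC1001
web02,SshRootLogin,2015-03-01,INC1002
db01,AuditdEnabled,,INC1003
db02,PasswordMaxAge,2015-05-15,
app01,Rule;reboot,2015-05-01,INC1004
EOF
}

# Print the component key lookup; per the thread, the key changes on update.
fetch_key() {
    echo "blcli_execute Component getAllComponentKeysByTemplateKeyAndServerId <templateKey> <serverId:$1>"
    echo "blcli_storeenv ComponentKey"
}

# Usage: plan_exceptions YYYY-MM-DD < feed.csv
plan_exceptions() {
    today=$(printf '%s' "$1" | tr -d '-')
    while IFS=, read -r server rule valid_till ticket; do
        case "$server" in ''|'#'*|server) continue ;; esac  # blank, comment, header
        # Feed values end up in command lines: allow only a safe character set.
        case "$server$rule$ticket" in
            *[!A-Za-z0-9._-]*) echo "REJECT $server: unsafe characters"; continue ;;
        esac
        case "$valid_till" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "REJECT $server/$rule: no valid expiry date"; continue ;;
        esac
        [ -n "$ticket" ] || { echo "REJECT $server/$rule: no ticket"; continue; }
        if [ "$(printf '%s' "$valid_till" | tr -d '-')" -lt "$today" ]; then
            echo "EXPIRED $server/$rule ($ticket, $valid_till)"; continue
        fi
        name="EXC-$ticket-$rule"
        fetch_key "$server"
        echo "blcli_execute ComponentException createEmptyComponentException \$ComponentKey $name \"valid till $valid_till\" <role> <user> $ticket"
        fetch_key "$server"   # re-read the key before the next update
        echo "blcli_execute ComponentException addRuleToException \$ComponentKey $name <templateGroupName> <templateName> $rule"
    done
}

sample_feed | plan_exceptions 2015-03-27
```

Rows without an expiry date or ticket, and rows whose fields contain characters outside the allow-list, are reported instead of being turned into exceptions, so an unreviewed or malformed feed line cannot silently suppress a compliance finding.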
