18 Replies. Latest reply on Mar 12, 2015 4:26 AM by Alex Bron

    Use of extended object value in Compliance Job

      Here's my situation.  I need to get the value of Hardware Information:Machine Summary:/System.Domain (the netbios domain name of the target server) in a compliance job.  It would be nice to grab that value up front as it will be used in compliance rules and remediation packages, perhaps use it to set a local property value.  I'm not sure if this can be done...?  If it can, I think that would be preferred over referring to the extended object multiple times throughout the compliance.

       

      Setting that aside for a moment - as a trial for use in compliance rules I've added that object as a part to the Component Template, and it works, partially.  My rule for testing is as follows, and yes the statements in the OR are somewhat redundant, this is just until I get this issue ironed out:

       

      "Security Setting:Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system"."Local setting as String Value (Windows)" contains "??DOMAIN??\sqlsrv"  AND

      (  "Security Setting:Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system"."Local setting as String Value (Windows)" contains "??DOMAIN??\sqlagt"  OR

         "Security Setting:Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system"."Local setting as String Value (Windows)" contains "Hardware Information.Machine Summary:/System".Domain

      )

       

      The value of ??DOMAIN?? is manually set as a local property value for now.  That works fine but I want this to work regardless of the target's domain without the user having to set the property value.  So the rule:

      "Security Setting:Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system"."Local setting as String Value (Windows)" contains "??DOMAIN??\sqlagt" works as intended, nothing special.  Trying the same thing using the ext obj and appending "\sqlagt" does not work.  BSA adds some quotes if I edit the field to add the "\sqlagt" after selecting that ext obj and the value doesn't evaluate.

       

      If I select the ext obj, the "Right Hand Side" shows up as "Hardware Information.Machine Summary:/System".Domain and it gives the expected value as "DOMAIN-NAME".  If I add "\sqlagt" to the end the "Right Hand Side" changes to """Hardware Information.Machine Summary:/System"".Domain\sqlagt" and it gives no value.  When you run a rule test, it shows """Hardware Information.Machine Summary:/System"".Domain\sqlagt" instead of the expected "DOMAIN-NAME\sqlagt".

       

      Any ideas on either approach?

        • 2. Re: Use of extended object value in Compliance Job

          Thanks for the link Richard.  I am able to pass local prop values to packages, etc, but I'm unable to use that configuration object (extended object?) value when adding the "\sqlagt" to it so far.  I don't think that the rest of the post applies to my situation though unless I missed something there.

           

          I think I can accomplish what's needed if I can grab that value and concat the account name to it, either each time it's needed or use that string as a local prop value.

          • 3. Re: Use of extended object value in Compliance Job
            richard mcleod

            The right side of compliance is 100% literal (you cannot mix variables + chars) -- what does the ??DOMAIN?? variable =?

            • 4. Re: Use of extended object value in Compliance Job

              It always works with mixed variable values and chars, but not with mixed config obj value and chars, so in this case ..

              ??DOMAIN??\sqlagt = MYDOMAIN\sqlagt

              ..rule passes if that domain account is contained in the local policy effective setting.  DOMAIN is defined as a local property for the compliance job.

               

              From the console:

              "Security Setting:Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system"."Local setting as String Value (Windows)" ["NT AUTHORITY\SYSTEM,ADHCSCTST\sqlsrv,ADHCSCTST\sqlagt,sqlsvcacct"] contains "??DOMAIN??\sqlagt" ["ADHCSCTST\sqlagt"]

              • 5. Re: Use of extended object value in Compliance Job
                richard mcleod

                Ah my mistake - was interpreting the wrong part of your rule

                 

                Maybe you can mess around with the assign/persist options if your version of BSA permits.

                 

                Else I would recommend using property instances which contain pre-defined DOMAIN values, then just use those as the right hand side values

                1 of 1 people found this helpful
                • 6. Re: Use of extended object value in Compliance Job

                  Now I'm interested in this assign/persist but documentation seems sparse and I can't find any examples.


                  Sounds like you'd set something like...

                  ??DOMAIN?? persists machineinfo.summary.domain (whatever) inside a rule to set the variable?  Doesn't seem to like that much

                  • 7. Re: Use of extended object value in Compliance Job
                    richard mcleod

                    I've never successfully gotten it to work either due to the lack of documentation. I've been driving compliance with the use of property instances... in your case I think that should work, you'd only enter the data 1 time, and would work with the format you've described.

                     

                    IMO you should open a case with BMC and tell them the persist thing is not working, then share your documentation with the rest of us.

                    • 8. Re: Use of extended object value in Compliance Job

                      Excellent, I have figured out assign, but of course persist is the one that sounds like it would do what we want!

                       

                      It also looks like "Domain" from Hardware info isn't stored in the discovered component either, while the full (domain.net) is.  Also a deal killer for me..

                      • 9. Re: Use of extended object value in Compliance Job

                        I'm going to need to do more testing, but I believe that this just worked, give it a shot when you have time-

                         

                        ??DOMAIN?? := "Hardware Information.Machine Summary:/System".Domain  AND

                        ??DOMAIN?? persist "??DOMAIN??"

                        • 10. Re: Use of extended object value in Compliance Job

                          Just to add to this, I've got this working like I want (or good enough) using the following-

                           

                          Comp template has local property "DOMAIN"

                          Compliance rule:

                          ??DOMAIN?? assign (config obj->machine settings->etc->domain)

                          AND

                          (local policy->act as part of operating system) contains ??DOMAIN??\username

                           

                          Auto remediation package takes a parameter "AD_DOMAIN".  Source for this is ??DOMAIN??.  It's taking the value that is set within the rule and passing it to the remediation blpackage, works just fine.

                           

                          One thing to note is that if you use the "persist" operand, it does save the value given to the db for the component; however, it saves that value for ALL of the components based on that template from what I can tell.  This is really really wrong, obviously.  I will open a ticket when time allows as I assume it should only save that value for the current component.

                          • 11. Re: Use of extended object value in Compliance Job
                            Alex Bron

                            Hi Chris,

                             

                            I am very curious about your exact implementation of the property passed to the BLpackage.

                             

                            I have a component template with a local property SHORT_HOSTNAME. This property is filled within a compliance rule:

                            if

                               "Hardware Information.Machine Summary:/System".Manufacturer starts with "HP"

                            then

                               ??SHORT_HOSTNAME?? := "Hardware Information.Machine Summary:/System"."Host Name"  AND

                               "Extended Object Entry:hpasmcli_output//ILO"."Value1 as String (All OS)" contains "??SHORT_HOSTNAME??"

                            end

                            So I check on HP servers that the ILO name contains the server's hostname. If that check fails, a remediation package is launched that will set this name. The remediation package has a local property ILO_PROMPT and in the remediation-part of the rule I set the value of ILO_PROMPT to ??SHORT_HOSTNAME??. However, when I run this compliance rule, the value of ??SHORT_HOSTNAME?? is not passed to the remediation package. If I change ??SHORT_HOSTNAME?? to an actual string, that string is passed.

                             

                            My big question is: what do I need to do in order to pass the local property SHORT_HOSTNAME of the component into the remediation package...

                             

                            Thanks for any help!

                            • 12. Re: Use of extended object value in Compliance Job
                              richard mcleod

                              First you need to set up your BL Package to accept a parameter. After that, set it as a remediation package in compliance; you should now have to fill in a value. Click the down arrow and you should see the list of variables/properties available in the component template.

                              • 13. Re: Use of extended object value in Compliance Job

                                Hi Alex,

                                 

                                If you're getting the SHORT_HOSTNAME populated already, then just follow Richard's response to get the value into the remediation package, but it sounds like maybe the value isn't populating.

                                 

                                Looking at your rule I would think it should work, however, I'm using the assign operand as the first item so perhaps try re-ordering the statements like this (I think this syntax is correct):

                                 

                                ??SHORT_HOSTNAME?? := "Hardware Information.Machine Summary:/System"."Host Name"  AND

                                (if

                                   "Hardware Information.Machine Summary:/System".Manufacturer starts with "HP"

                                then

                                  
                                   "Extended Object Entry:hpasmcli_output//ILO"."Value1 as String (All OS)" contains "??SHORT_HOSTNAME??"

                                end)



                                • 14. Re: Use of extended object value in Compliance Job
                                  Alex Bron

                                  Thanks for the tip. That part I managed to do. However, unless I add a line:

                                   

                                     ??SHORT_HOSTNAME?? persist "??SHORT_HOSTNAME??"  AND

                                   

                                  to my compliance rule, the property is empty when passing to the blpackage. With the "persist" rule, I hit the same bug as Chris has: the property is filled for all components based on this template. Will most probably raise the same issue with BMC Support.
