4 Replies Latest reply on Nov 21, 2016 2:49 PM by Justan Suss

    List of all my exception stored in my components

    Abid Khemiss

      Hi Blade communities,

       

      Because compliance exceptions are stored within components, and all my components are only labeled based on the jobs that auto-discovered them, I don’t have any way of knowing what exceptions I’ve created and / or where they are.

       

      I think the solution will be to add a couple of jobs when we enroll new servers (run a discover job to create components) so we have an easier means of organizing / sorting components as they’ll all be using the same name. And to address current state I’m thinking we should delete all existing components and start from scratch, and just re-do the few exceptions I currently have.

       

      Is there a better way?

       

      Thanks!

       

      Abid

        • 1. Re: List of all my exception stored in my components
          Bill Robinson

          " and all my components are only labeled based on the jobs that auto-discovered them"

          -> no - the component name is based on the Template, local parameter instance (if used) from the template and the server name.  It sounds like maybe the name of some of the templates changed.  that does not trigger an update of the component name for existing components.  that should be fairly easy to fix w/ some blcli.

           

          " don’t have any way of knowing what exceptions I’ve created and / or where they are."

          -> not sure what that has to do w/ the name of the component.  the exception is associated w/ the component.  where else would it be ?

           

          "I think the solution will be to add a couple of jobs when we enroll new servers (run a discover job to create components) so we have an easier means of organizing / sorting components as they’ll all be using the same name."

          -> not sure how that will help.  you know you can use the Template as a filter in the component smart group creation right ?  all components associated w/ a certain template.

           

          "And to address current state I’m thinking we should delete all existing components and start from scratch, and just re-do the few exceptions I currently have."
          -> why ?  how will that help you w/ creating and managing exceptions.

           

          you seem to be conflating two different problems.  some supposed issue w/ how the components are named and finding exceptions associated w/ your components.

           

          why do you need to get the list of exceptions ?  what will you do w/ them ?

           

          • 2. Re: List of all my exception stored in my components
            Justan Suss

            Hi Bill,

             

Abid posted this for me, so here are the answers as best as I can give them:

             

            Component names:

            My compliance Jobs all share the same name as the template that has the rules. I thought the component name came from the job, thus my confusion.

             

            Why it's a challenge to find where the exception is assigned:

            I have several cases where each server has multiple components all with same / similar names. One reason is because I have multiple templates that might contain the target component in question. I'm working a great deal around the SCHANNEL reg hive in Windows, so I have templates based on zip kits (ex: Poodle - SSL v3) other users import and run. I also have a template that does allow auto-remediation for 'senior' staff to use and another template that prohibits auto-remediation. So with each server having multiple components that can / do include the reg hive in question, I don't know how to run a report to find "All exceptions re: SCHANNEL registry settings" on any or all Windows servers. Unfortunately the BDSSA report seems to require I list specific templates... but seeing as no one person creates / manages all our templates, besides opening each one to see what's in it, I can't see a way of getting a grasp on what's going on and ensuring that say 'remediation job from template A, doesn't apply settings to a server where there's an exception applied in 'Component B of template B'.

I'll also have 2 templates of the same name. One is my 'live / prod template', and a second is in my test / working folder. So I use my TEST copy of a template to just run a compliance job w/o remediation, just to see what I capture, and for 'pre-test evidence' as part of our internal change management processes.

             

            Running a discovery job at time of server enrollment:

            I figure that if my problem is because each server object can have multiple components, why not ensure I have a one to one relationship between servers and components and then ONLY ever target components / never run auto discover jobs. I figure that way I won't see multiple templates / components competing over the same settings on a particular server.

            Sorry, I have no idea what you mean about using templates as filters in component creation, or why that could help. Is there a document or article or something that could both explain how to use them, and provide background on how / why that'd be helpful in a situation like mine?

             

            Why Deleting current components and starting over might (hopefully) help:

I'm still in early stages of creating the compliance and remediation jobs for our company (we're a rather new customer). I figure if I thrash the current state, and start anew using some best practices and (hopefully) reducing the number of components with the same settings, I won't run the risk of one component being used to apply settings for which we have an exception applied via a different component.

             

            Why do I need / want to find all exceptions:

My organization grants 'ownership' of servers to different depts. As such, some depts. will insist their server be exempt from certain hardening steps and demand evidence that we have prepared the exceptions. I will need to assure them that when I execute a compliance job using template A, component A and job A, that I won't apply an undesired setting they set as an exception in component B.

Ultimately, I need to be able to run a report along the lines of 'show me ALL exceptions that are set for SERVER1'. That being a requirement, it seems like having a 1 to 1 relationship from server to component would make it far simpler to find exceptions and then edit / delete, etc, etc.

            • 3. Re: List of all my exception stored in my components
              Bill Robinson

              Why it's a challenge to find where the exception is assigned:

              Can't you make a bdssa report that includes the template, the component and the exception in query studio or report studio ?  it seems like since you don't know what templates may exist in the env, and where exceptions are set this would be the best bet.

               

              Running a discovery job at time of server enrollment:

              if you want to create a Component Smart Group to list all the components associated w/ a template you can use 'TEMPLATE' as one of the filters in the smart group - just create a new smart component group and you'll see what i mean.  this would be the same as expanding the template in the Templates workspace and seeing all the components under it.

              The only way to keep all of these 'duplicates' from showing up is to control who creates templates and who runs discovery.  and having a review process for users creating templates.  or just not letting anyone create templates but your security group or whoever needs to manage compliance.

               

              Why Deleting current components and starting over might (hopefully) help:

              sure - but if you keep allowing anyone to run discovery and make templates it won't be very long until you are back to your current state.

               

              Why do I need / want to find all exceptions:

              the problem is not the 1-1 relationship of server to component.  the problem is you have different people making copies of templates and then discovering/creating components on the same set of servers. 

               

              this seems more like a policy issue than anything else - typically there is a central set of templates for whatever compliance policy you need to enforce.  you may have a central group that runs the discovery and compliance, and then let each group deal w/ setting the exception or running the remediation.  you can either have a policy that says those are the templates the security people use and still let the individual groups do what they want wrt templates and compliance but the source of record remains the central set of templates/components/exceptions.  if they go off and do their own thing w/ remediation and exceptions outside of the central templates and that conflicts, too bad for them.  the central rules are enforced.  or you can prevent those groups from creating templates at all.

              • 4. Re: List of all my exception stored in my components
                Justan Suss

Thanks for the prompt reply. Your suggestions re: plotting out who can / can't create templates seem like a place for us to have discussions amongst ourselves.

                 

I'll poke around the filters available in smart groups, though I think you hit the nail on the head when you point out where we should be implementing some controls around this.

                 

                thanks!

                 

                - Justan