4 Replies Latest reply on Dec 7, 2016 7:00 AM by Bill Robinson

    Compliance rules in Server Automation : BSA 8.5

    Rohini Chaudhari

      Hi,

       

      I have installed Compliance-content where I have selected DISA - Windows Server 2008 R2 MS. Here, I have changed the rule in compliance tab to 60/90/180 days for Maximum password age as by default it is 60 days. After this, discovered job on this server. Now, I ran the compliance job on this server. I got the result as compliant.

       

      The question is though I am checking it for 60/90/180 days I am getting the result as compliant. Why? and When will I get it as non-compliant?

       

      And after getting it as non-compliant what is the procedure to make it as compliant?

       

      Can I have an some another example for this which includes use of exceptions tab and export compliance results tab?

       

      Please, suggest for the same.

       

      Regards,

      Rohini Chaudhari.

        • 1. Re: Compliance rules in Server Automation : BSA 8.5
          Bill Robinson

          so what is the specific rule you are looking at here?

          what change did you make?  can you show a screenshot ?

          in the rule result that is non-compliance can you show the result and what part is showing as non-compliant and why ?

           

           

          "And after getting it as non-compliant what is the procedure to make it as compliant?"

          -> the rule may have a remediation package associated w/ it.  since this seems to be a gpo setting, you may only be able to remediate the 'local' setting on a domain member server and if the same setting is being pushed from a domain level gpo you would need to do the remediation at the domain level (since the domain setting will override the local)

           

          "Can I have an some another example for this which includes use of exceptions tab and export compliance results tab?"

          -> before you got setting exceptions i think you should first figure out why the rule is not compliant if you think it should be...

          • 2. Re: Compliance rules in Server Automation : BSA 8.5
            Rohini Chaudhari

            Hi,

             

            Please find the below screenshot for the change I did in DISA -Windows Server 2008 R2 MS.

             

             

            Here, I have change 60 to 180. I got the result as compliant though I change it to 60/80/180 days.

             

             

            Please, suggest for the same.

             

            Regards,

            Rohini.

            • 3. Re: Compliance rules in Server Automation : BSA 8.5
              Jim Wilson

              60, 80 and 180 are all between 1 and 180

              • 4. Re: Compliance rules in Server Automation : BSA 8.5
                Bill Robinson

                so:

                "The question is though I am checking it for 60/90/180 days I am getting the result as compliant. Why? and When will I get it as non-compliant?"

                -> when the value of the setting is not between 1 to 180.

                 

                "And after getting it as non-compliant what is the procedure to make it as compliant?"

                -> open the rule in the template, does it have a remediation blpackage associated?  if so, this should make it compliant for at least the local setting. if this is a domain member you may need to remediate on the domain controller in the domain to affect the 'effective setting' which may be delivered by a domain level GPO.