8 Replies Latest reply on Sep 20, 2010 7:36 AM by Bill Robinson

    Compliance  Remediation Problem



      I have been over the user guide time and time again and it is rather confusing with regards to remediating with compliance jobs.  Firstly you can specify in a compliance rule template your own blade logic package to use if the rule fails.  The guide suggests that if you have multiple rules you have to do this as BL is not intelligent enough to create remediation packages for jobs with multiple rules.  I have set this correctly.


      Now, when you create a new compliance job you are asked whether to auto remediate, and you have to specify locations for the auto generated packages etc.  However the user guide suggests this option is when a BL package has not been explicitly specified in the template rule.


      I have tried running the new job having specified my own BL package, but not  specifying the auto remediate job.  what is the point in BL creating its own packages and cluttering up the depot when you have specified the remediation package !  Anyhow it seems this did not run the package against failed targets.


      So, if you wish to specify your pwn package, do you also HAVE to enable auto remediate which then BL creates further packages for ?  If this is the case what is the point in specifying your own remediation BL package ?



      Any assistance to clarify this would be gratefully received.





        • 1. Re: Compliance  Remediation Problem

          I'm using BL 7.6.

          • 2. Re: Compliance  Remediation Problem

            The reason BBSA creates new BLPackages for a given target is that not all targets will require the same changes to remediate the selected rules.  The underlying engine will create the packages necessary to acheive a compliant state on all targets.

            1 of 1 people found this helpful
            • 3. Re: Compliance  Remediation Problem

              So why do you need to specify a BL package I have created in the first place if it knows what is required to remediate each host ?    Seems like a uneccesary thing to do.





              • 4. Re: Compliance  Remediation Problem

                For Compliance jobs to be able to remediate a rule you have to include a BLPackage telling it how to remediate it. This does not work the same way for audit jobs, perhaps that is why there is sometimes confusion as to how this feature works.


                When selecting many machines and/or many rules to remediate, BL will intelligently combine the necessary changes into an efficient combination of BLPackages/Jobs.  Otherwise, when remediating multiple hosts, you'd have one package per rule per target... which would be far less efficient.

                • 5. Re: Compliance  Remediation Problem

                  Ah, ok, so it only applies the remediation steps in a package on a per rule basis.  From the manual it suggests a package is optional as BL takes a delta of the values found and those set in the rules and applies those, and it is these that make up the remediation package - hence my confusion over why i then also need to provide one.  So, to clarify, providing a BL Package i have created is a mandatory step for auto remediation as a delta between values set and those in the rules could be, cleverly worked out automatically



                  • 6. Re: Compliance  Remediation Problem

                    I will sometimes use the same Component Template to do a snap/audit against a 100% compliant server, then package the deltas for each rule.  That is a sort of shortcut to creating packages for the compliance rules.

                    • 7. Re: Compliance  Remediation Problem

                      So, is there any point in creating a package that sets all properties to the required values, and using that as the remediation package ?  If as you say BL works out which bits, per host, need remediating, and only applies the appropriate aspects of the package to each host, why create separate packages per element in a rule.  In this example I have all the tests in a single rule, to avoid having to create umpteen remediation packages which in many cases is too time consuming.  I need to understand how BL handles all this, as it is very unclear from the user guide


                      Thanks again.



                      • 8. Re: Compliance  Remediation Problem
                        Bill Robinson

                        Regardless of how you do it (via jude’s snapshot method or otherwise) you need to create 1 remediation package per rule.  Bladelogic cannot automatically create and associate the remediation packages that are associated w/ the rule.