1 2 Previous Next 18 Replies Latest reply on Jun 28, 2013 10:31 AM by Joe Piotrowski

    Compliance Exception

      Dear Folks,


      I am a newbie on this area. Please help the following..


      It is an example:-


      There have a server has applied the exception on Automatic Update of Windows Service. The start type of this service should be Automatic and keep running. However, on our general compliance policy, this service should be disabled and stopped.


      How to define the specific value on exception in the compliance template?


      Our Bladelogic Server Automation version is


      Thank you very much..

        • 1. Re: Compliance Exception
          Joe Piotrowski

          When you create a Component Template, make sure you have the Compliance option selected. Select Deploy and/or Allow Remediation if you wish to add a remediation package.


          Once your Component Template is created you have to add that service as a Part. Under the Parts tab select the green arrow to add a Part, and live browse a Windows server, expand Services and select the Windows Update service.


          Then select the Compliance tab. Create a new Rule. In the General tab give the Rule a Name. Select the Rule Definition tab. Press the green arrow to create a new condition. Hit the down arrow in the first box, you will see your part "Windows Service:Windows Update." Select the arrow to the left of the name to expand the properties and value you can use for your compliance conditions. For your use case select "Start Type (Windows)." Leave the equals condition. Select the down arrow in the next box and select "DISABLED." In the next box select the AND option. Hit the green check to save the condition. Repeat this process on the next line for "State (Windows)" equals "STOPPED." Your logic should look like this:


          "Windows Service:Windows Update"."Start Type (Windows)" equals "DISABLED" AND

          "Windows Service:Windows Update"."State (Windows)" equals "STOPPED"


          Save your Rule, then save your Component Template. Then run your Discover and Compliance Jobs from this Component Template against the servers you want to check for. If they don't match the Disabled and Stopped conditions, they will fail. You can also easily create a Remediation package for this using that "Windows Service:Windows Update" object. Let me know if you need assistance with that.

          • 2. Re: Compliance Exception

            Hi Joe,


            Thanks for your kind help.


            I could make the compliance rule you mentioned. However, my question is how to make the exception on the compliance template. I would like to use the same example to further explain what I am looking for.


            We have over 500 Window servers on our environment. And we have a compliance template which is designed for those Window servers. One of the rules in this template is the Automatic Update of Windows Service should be "disabled" and "stopped"


            However, some of the Window servers (less than 10) need to open the Automatic Update service for their own reason. Instead of create another compliance template special for those Windows Server (need to open Automatic Update service), does there have any method to make them compliance specifically for those Window Servers by using the same compliance template?


            Please point out my mistake if necessary.


            Thanks again for your help.

            • 3. Re: Compliance Exception
              Joe Piotrowski

              Yes. Under the Discover tab you can set the conditions for the Component Template to run. For example if in your Discover condition you set this condition:


              ??TARGET.OS?? equals "Windows"


              When the corresponding Component Template Discover and Compliance Jobs are run, the target will have to meet this condition first. If they do not, it won't run against them.


              So you will need a way to group those servers together logically, and use that property and value for your Discover condition. If none exist, you will have to create a custom Server Property.

              • 5. Re: Compliance Exception
                Joe Piotrowski

                I think I misunderstood your requirement. Emilio sent the instructions for setting Compliance Exemptions after you run a Compliance Job and want to set exceptions for certain servers for specific rule results.

                • 6. Re: Compliance Exception

                  Dear Joe & Emilio,


                  Thanks for providing the hints. I read the document that Emilio provided. However, the example in that document is Linux. I have no idea doing the same thing (or similar) in Windows. As you may know, there are little bit complicate on Windows platform. Do you have any idea on this? I have different kind of specific settings for some servers other than the Windows Services. If this option can archive our goal, that will be very great and fantastic.


                  Thanks again for your help in advanced.

                  • 7. Re: Compliance Exception

                    The question is how to input the valid data on below dialog box.


                    • 8. Re: Compliance Exception
                      Siddu angadi

                      Hi Gary,


                      You can do one more way, run the job and expand the result. Go to the server's component and add as exception. When you run the same job again, it show compliant with exception to servers you have selected.


                      This is easiest method to apply exception to specific server.




                      • 9. Re: Compliance Exception

                        Dear Siddu,


                        Thanks for your hints.


                        I tested your method. The method you said is seems the Bladelogic is ignored the component rule. It treated the specific server is compliance no matter the value is correct or not.


                        By using the same example I said previous, the rule will be treated as compliant with exceptions no matter the startup type of "Automatic Updates" is Auto / Disabled / Manuel.


                        I don't know the value of that specific server is correct or not. How could I restrict the setting on this?


                        I know the alternative way to do is creating 500+ component templates serve for those servers:-










                        But the content on those component templates are quite similar. Instead of create those 500+ component template, how could I use one component template serve for those 500+ servers?


                        Many thanks for your great help in advanced.

                        • 10. Re: Compliance Exception
                          Joe Piotrowski

                          Gary, let me recap to make sure I understand your requirements.


                          You have ~500 Windows servers. One of your Rules checks to make sure the Windows Update service is set to Disabled and Stopped. Around 10 of your servers should have an exception to that Rule and should not fail Compliance when you run the job.


                          If so, you create the Rule like I specified above. You run the Discover and Compliance Jobs against all your ~500 Windows servers. For the most part, all of the servers will pass Compliance, but some will fail. Especially the servers you actually want the service running and you want to add them as exceptions.


                          Based on your Compliance results, you can add exceptions for each of those servers for that Rule. So when you run Compliance again, they won't show as non-Compliant. They will show as Compliant with Exceptions.


                          You do this by Expanding the Compliance job result. Expand Server View. Expand one of the servers you want to set an exception for. Expand the Rule. Right mouse click on the failed Rule and select Exceptions. Click on the green + symbol to add your exception. Give it a Name and Duration. You can also leverage the Description, Ref Number and Notes fields. Select the Associated Compliance Rules tab. Again select the green + symbol. Browse to that particular Rule and add it by selecting it and pressing the > symbol. Hit OK to close and OK to save.


                          Repeat the process for your other servers. When you run Compliance again, they will show up as Compliant with Exceptions.

                          • 11. Re: Compliance Exception
                            Bill Robinson

                            you should be able to apply the exception to a number of components at once - https://docs.bmc.com/docs/display/bsa83/Setting+multiple+components+as+exceptions+to+compliance+rules

                            • 12. Re: Compliance Exception

                              Hi Joe,


                              Thanks for your help.

                              "Repeat the process for your other servers. When you run Compliance again, they will show up as Compliant with Exceptions."


                              What is the true meaning of "Compliant with Exceptions" ? Is it means that the setting of this value is non-compliant but the value will be treated as compliant value?


                              I want to get the result is below:-

                              For Server001:

                              If the startup type value of Automatic Updates is "Auto", the result is "Compliant (with exception)"

                              If the startup type value of Automatic Updates is "Manual", the result is "Non-Compliant"


                              If I follow your instruction, the result will look like this:-

                              For Server001:

                              If the startup type value of Automatic Updates is "Auto", the result is "Compliant (with exception)"

                              If the startup type value of Automatic Updates is "Manual", the result is "Compliant (with exception)"


                              This means no matter the startup type value is, the result will be treated as "Compliant (with exception)". Therefore, I don't know the true value of Server001 is correct or not.


                              I know there is much complicated. It will be much appreciated if you or any of you could help me.


                              Thanks again for your help in advanced.

                              • 13. Re: Compliance Exception
                                Sean Berry

                                Under what circumstance would the result just be "Compliant", without exception?

                                • 14. Re: Compliance Exception

                                  Hi Sean,


                                  On the general rule of the component template, "Automatic Updates" service should be "Disabled" and "Stopped" on our 500+ Windows Servers. However, some of the Windows Servers need to set as "Auto" and "Running" for their own application reason. Instead of create more than one component template, does there have any method to make those servers still in compliant?


                                  For simple speaking, I just want to get below result by using one component template:-

                                  For example, "Automatic Updates" of Server001 need to be "Auto" and "Running"

                                  If the startup type value of Automatic Updates in Server001 is "Auto", the result is "Compliant (with exception)"

                                  If the startup type value of Automatic Updates in Server001 is "Manual", the result is "Non-Compliant"


                                  Hope you could help me.


                                  Many thanks.

                                  1 2 Previous Next