Compliance Check

In large environments, where thousands of components are being monitored, the biggest challenge for administrators is to verify whether/not the latest OS patches/security fixes/software updates are available on all the machines, and to identify the ones where the required OS patches/security fixes/software updates do not exist. To ease the pain of administrators, a gold template aka compliance check template can be created and run across the components to find out deviations. While creating a template, administrators need to configure a few conditions based on which the compliance check should be performed. For example, administrators may wish to check whether the latest security update pushed in the target environment is available across all Windows machines or not. To do this, the administrators need to create a template and configure a condition that checks the availability of the security update on all Windows machines. Based on the condition that is configured on the template, compliance check is performed on all Windows machines in the target environment.

The following sections explain how to create a template for performing the compliance check and run it across the components.

Creating a Template

The templates are created with required configurations and run to check whether all the machines are configured with similar settings or not. To create a template, do the following:

  1. First, access the Compliance Check page in the Configuration Management console by selecting the Template(s) option under the Compliance Check node of the Configuration menu.

  2. Figure 2 will then appear. By default, Figure 2 reveals the list of templates (if any) in the target environment. If no templates pre-exist, then Figure 2 will display a message indicating that templates are available.

    Message showing unavailability of templates

    Figure 2 : A message indicating that no templates are available

  3. To add a new template, click on the Add New button in Figure 2. Figure 3 will then appear.

    Adding template

    Figure 3 : Adding a template

    To create a template, first specify a name and brief description for the template in the respective fields. For example, to create a template for verifying whether a particular software installed on a standard machine is installed on all the Windows machines in the target environment, select Microsoft Windows as the Component type, pick the standard machine from the Component list, and select Hotfix/Patch test from the Enabled Configuration Tests list (see Figure 4).

    Configuration of template

    Figure 4 : Configuring details for the template

  4. Selecting the configuration test will invoke Expected Number of Descriptors fields (see Figure 4) using which you can define minimum and maximum number of descriptors for the chosen test. Next, clicking on the Submit button will direct you to Figure 5.

    Configuration details for selected test

    Figure 5 : The configuration details for the chosen test

  5. You can configure the number of columns to be displayed in Figure 5 by clicking the Select Required Columns Window icon icon. This will prompt a window as shown in Figure 6. Then, you can check/uncheck the options provided in the window based on which the Configuration Details page should display the details.

    Selection of required columns

    Figure 6 : Selecting the required columns to be displayed

  6. To add compliance conditions based on which the deviations are identified, click on the descriptors listed in the Name column in Figure 5. Clicking any of the descriptors will display the Add/Modify Conditions window using which you can define the required conditions (Figure 7).

    Add/Modify Conditions window view

    Figure 7 : Add/Modify Conditions window

  7. Now, configure the conditions for the chosen descriptor and the measure reported for it. For instance, lets say you wish to check whether the mandatory security update installed on the standard machine is installed on the other machines or not. For this purpose, you can set one or more conditions using the Condition list for the chosen descriptor. The measure deviations will be checked based on these conditions when you run the template. Likewise, you can also set the conditions for the values reported by the chosen descriptor (see Figure 8).

    Configuration of conditions for template

    Figure 8 : The conditions configured for the template

  8. Click on the Save button in Figure 8 to register the changes. This will direct you to Figure 9. To modify and delete the template, use the Modify icon (Modify) icon and the Delete icon (Delete) icon provided in Figure 9

    Template details

    Figure 9 : The template details

  9. You can view the templates that you created in the Compliance Check - List of Templates page as shown in Figure 10.

    List of templates

    Figure 10 : The list of templates

    Figure 10 reveals the name and brief description of the template, the time stamp at which the template was created and modified, owner of the template and status indicating whether/not the template is enabled to perform the compliance check. If the enabled status icon is not displayed for any template, it indicates that template is not complete and not enabled for running a compliance check. In addition, you can modify or delete the template using the Modify icon (Modify) icon and the Delete icon (Delete) icon provided against each template.

    Running Compliance Check Using the template

    To run the compliance check and identify the measure deviations (if any), do the following.

    1. Expand the Configuration menu and select Run option under the Compliance Check node. The Compliance Check - Run page will then appear.

      Selection of template for compliance check

      Figure 11 : Selecting a template for checking compliance check

    2. In Figure 11, select an entity for which you want to run the compliance check from the Scan for drop down list. The options provided by the Scan for list are discussed hereunder:

      • Component: Select this option to choose the component(s) from across all the managed components in the environment.
      • Zone: To run the compliance check on one/more components that are included in a zone, pick the Zone option. A Zones drop-down list will then appear, from which you would have to select the zone to which the components of interest to you belong. A Sub zone flag also appears. Indicate whether the components present within the sub-zones of the chosen zone are also to be to be considered for compliance check, by setting the Sub zone flag to Yes.
      • Segment: If you want to run the compliance check on one/more chosen components that be long to a segment, select the Segment option from Scan for list box, and then pick the Segment from the drop-down list that appears.
      • Service: If you want to run the compliance check on one/more components involved in the delivery of a service, select the Service option from Scan for, and then pick the required Service from the drop-down list that appears.

    3. Next, select the name of template using which you want to run the compliance check from the Template Name list box. As soon as the template is chosen, the Associated Managed Components box will be populated with all components associated with it. If the Associated Managed Components list consists of too many components, then viewing all the components and selecting the ones you need for compliance check could require endless scrolling. To avoid this, you can click the Components pop up window icon button next to the Associated Managed Components list. The Components pop up window will then appear using which you can view almost all the components in a single interface and Select the ones for which the report is to be generated. You can narrow your search further by using the Search text box. Specify the whole/part of the component name to search for in this text box, and click the Components pop up window icon icon next to it.

    4. Finally, click on the Check Compliance button in Figure 11. Doing so will invoke a dashboard revealing the components that match the predefined conditions in the template and do not match the conditions as shown in Figure 12.

      Compliance Check - Run page view

      Figure 12 : The Compliance Check - Run page

    5. The first section in the generated dashboard displays the percentage of compliance across the chosen components, a doughnut chart that reveals the distribution of chosen components based on the pre-defined conditions in the template - from this doughnut chart, you can easily determine how many components are matching the conditions. This section also displays the total number of components on which the compliance check was performed and the number of matching and non-matching components.

    6. To view more details about the matching components, click on the Meatballs Menu Iconicon in the Matching Components block. This will lead you to Figure 13.

      Details of matching components

      Figure 13 : The details of matching components

      From Figure 13, you can view the conditions defined for the descriptors and the measures, the values and whether conditions are met by the chosen component(s).

    7. Likewise, clicking on the icon in the Non -Matching Components block will reveal Figure 14.

      Details of non-matching components

      Figure 14 : The details of non-matching components

      From Figure 14, you can view the conditions defined for the descriptors and the measures of the chosen component(s), the current configuration values and whether conditions are met by the chosen component(s) or not.

    8. The second section shows a bar graph that helps you to determine top-10 components that are not fulfilling the conditions in the template.
    9. The third section shows a bar graph that helps you to determine top-10 components that failed to meet the requirements in the rules of the template.