In this article by Abhijeet Shriram Janwalkar, the author of VMware vRealize Configuration Manager Cookbook, we will discuss how to check compliance, create exceptions so that we don’t get any false positives, and finally, create some Alert Rules that will alert us when non-compliant rules are found.

Checking the compliance of the infrastructure

After creating all the rules, rule groups, and templates, we need to check the compliance of the infrastructure. We will learn how to check how compliant we are against internal standards, or we can directly use standard compliance packs we have already downloaded and imported.

We will use a standard imported template for this recipe.

Getting ready

All the heavy lifting should have been done on the VCM server: it should be ready with the templates and at least one machine group, which will have the machines for whom we need to check the compliance, or we can use the default machine groups available. Using our own machine group is preferable.

How to do it…

As mentioned earlier, we will use an imported standard template, International Organization for Standardization 27001-27002- Windows 2008 R2 Mbr Server Controls, and we will run this against the default machine group, All Machines.

Follow these steps to check the compliance of the Windows servers:

  1. Once logged in to VCM, go to Compliance | Templates.

    Make sure the correct machine group is selected at the top; this is how VCM decides which machines the template is applied to when measuring compliance. If you want to change the machine group, click on Machine Group and select the correct one from the popup.

  2. Select the required template from the right-hand side and click on Run.

  3. Depending on organizational policy, decide whether or not to enforce compliance.

    Not all rules are enforceable, and enforcing can break a working application. For example, if a rule requires the print spooler service to be disabled and we disable it by enforcing compliance, the printer farm will stop functioning. So it is better to first learn what is non-compliant and then make the necessary exceptions. We can then enforce compliance from VCM or ask the respective server owners to take the necessary action.

  4. In a few minutes, depending on how many machines there are to check in the machine group, the compliance run will finish. Click on Close.

  5. The compliance status can be viewed by navigating to the template on the left-hand side and selecting the correct machine group from the top.

In our case, our support team has a lot of work to do, as we are non-compliant.

How it works…

When we ask VCM to check compliance, it first applies the filters available in the rule groups, and then, only the machines that pass those filters are considered.

The compliance checks are performed on the data collected by VCM and stored in its database, unlike some other tools that perform the checks on the client and then have the client submit the results. VCM's approach is better because the check can be performed for servers that are offline at the time, and when we look at the result, we see the actual collected value that made the machine non-compliant for a rule.

This approach has some issues as well. First, we need to make sure our VCM is clean; by this, I mean that a machine is purged from VCM when it is decommissioned, or else we will have details of machines that are no longer present in the infrastructure, and that could affect our final compliance score.

The second issue is that it does not give live details, as it works on the data in its database; this, too, can produce false positives.

To counter this, schedule the compliance check to run after a full data collection for that machine group, so that there is no stale data to process.

Once compliance has been checked, if we chose to enforce it, VCM creates jobs to enforce the rules and starts executing them on the managed machines; for example, if we have rules that check the status of a service and expect certain services to be running, VCM will start those services.

Creating compliance exceptions

As you know, every rule has an exception, and this applies to compliance as well: you create a rule that blocks the SMTP port on all servers, and then you have mail servers that need this port open. We can't block the port there, but at the same time this is a known and accepted deviation, so we don't want our compliance score to take a hit because of it. To solve this, we add an exception so that the deviation does not count against us when checking compliance.

Getting ready

Our organization has a policy to disable unwanted services on servers, and the print spooler is considered an unwanted service, so it must be disabled on all the servers but, of course, the exceptions are the print servers. We will create an exception for the print server machine group to be excused from this mandate.

We will need rules created in VCM along with a machine group that will include all the print servers.

How to do it…

Let’s create an exception for our print servers by following these steps:

  1. Log in to VCM and go to Compliance | Machine Group Compliance | Exceptions.

    Click on Add.

  2. Provide a descriptive Name and Description, and click on Next.

  3. Select the template for which you want this machine group to be excluded.

    In this case, we are selecting the one created by our organization rules. Click on Next.

  4. Select the machine group created for this exception; in our case, it is named Print Servers. Click on Next.

  5. Select Override non-compliant results to compliant.

     I really don’t know why there is another option, but there must be a use case that I am not aware of.

  6. We want this exception only for our print spooler rule, called Service_Print_Spooler, so select that rule. Depending upon your requirement, you can have the exception cover a complete rule group as well, but an exception for a single rule is sufficient in our case.

    Click on Finish.

  7. You can enable/disable this exception as per requirement.

How it works…

Exceptions are taken into account when a compliance check runs and the final score is calculated. By creating an exception, we make sure that we don't get a bad score just because some things must remain non-compliant. It also matters when we enforce compliance: in the earlier case, where we enforced the Service Status rule to disabled, VCM would have disabled the print spooler service on all servers, including the print servers, and that would have affected productivity.

So, creating a compliance exception is a win-win situation for both teams: the security team has a nice compliant environment, and the printer admin team has a working print farm.
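To make the evaluation order described in this recipe and in the compliance-check recipe above concrete, here is an added example (not VCM code and not from the book) in Python: a small model in which rule-group filters run first, rules are evaluated against the last collected data (so a result is only as fresh as that collection), and an enabled exception for the Print Servers machine group overrides the print spooler result to compliant. The classes, the sample machines and services, the template name Org_Hardening and the one-day staleness threshold are all constructed assumptions.

```python
"""Toy model of how a compliance run is evaluated against collected data.

Added example, not VCM code: the classes and sample data are assumptions made
for illustration. Filters run first, rules are checked on the last collected
values, and an enabled exception overrides non-compliant to compliant for the
machine group and rules it names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Machine:
    name: str
    groups: set                 # machine groups this machine belongs to
    os: str
    collected_at: datetime      # time of the last full data collection
    services: dict              # service name -> state observed at that collection


@dataclass
class Rule:
    name: str
    service: str
    expected_state: str         # e.g. "Running" or "Disabled"


@dataclass
class RuleGroup:
    name: str
    rules: list
    applies_to: Callable        # the rule-group filter, Machine -> bool


@dataclass
class ComplianceException:
    template: str
    machine_group: str
    rule_names: Optional[set]   # None means every rule in the template
    enabled: bool = True


@dataclass
class Result:
    machine: str
    rule: str
    status: str                 # "compliant", "non-compliant" or "exception"
    actual: Optional[str]       # the collected value that decided the result
    stale: bool                 # collection older than the allowed age


def _excepted(template, machine, rule, exceptions):
    """True when an enabled exception covers this template, machine group and rule."""
    for exc in exceptions:
        if not exc.enabled or exc.template != template or exc.machine_group not in machine.groups:
            continue
        if exc.rule_names is None or rule.name in exc.rule_names:
            return True
    return False


def check_compliance(template, rule_groups, machines, machine_group, exceptions, now, max_age):
    """Evaluate one template against one machine group, applying filters and exceptions."""
    results = []
    in_scope = [m for m in machines if machine_group in m.groups]
    for group in rule_groups:
        for machine in in_scope:
            if not group.applies_to(machine):   # filters first; non-matching machines are skipped
                continue
            stale = now - machine.collected_at > max_age
            for rule in group.rules:
                actual = machine.services.get(rule.service)   # None: not in the collected data
                status = "compliant" if actual == rule.expected_state else "non-compliant"
                if status == "non-compliant" and _excepted(template, machine, rule, exceptions):
                    status = "exception"                      # override non-compliant -> compliant
                results.append(Result(machine.name, rule.name, status, actual, stale))
    return results


def compliance_score(results):
    """Percentage of checks that did not end non-compliant; exceptions count as compliant."""
    if not results:
        return 100.0
    passed = sum(1 for r in results if r.status != "non-compliant")
    return round(100.0 * passed / len(results), 1)


def build_demo():
    """Constructed sample data: three 2008 R2 servers, one legacy box, one print-server exception."""
    now = datetime(2016, 6, 1, 9, 0)
    fresh, old = now - timedelta(hours=1), now - timedelta(days=10)
    rules = [Rule("Service_Print_Spooler", "Spooler", "Disabled"),
             Rule("Service_Windows_Update", "wuauserv", "Running")]
    groups = [RuleGroup("Services", rules, lambda m: m.os.startswith("Windows Server 2008"))]
    machines = [
        Machine("WEB01", {"All Machines"}, "Windows Server 2008 R2", fresh,
                {"Spooler": "Running", "wuauserv": "Running"}),
        Machine("PRINT01", {"All Machines", "Print Servers"}, "Windows Server 2008 R2", fresh,
                {"Spooler": "Running", "wuauserv": "Running"}),
        Machine("FILE01", {"All Machines"}, "Windows Server 2008 R2", old,
                {"Spooler": "Disabled", "wuauserv": "Stopped"}),
        Machine("LEGACY01", {"All Machines"}, "Windows Server 2003", fresh,
                {"Spooler": "Running", "wuauserv": "Running"}),
    ]
    exceptions = [ComplianceException("Org_Hardening", "Print Servers", {"Service_Print_Spooler"})]
    return groups, machines, exceptions, now


def run_demo(with_exceptions=True):
    groups, machines, exceptions, now = build_demo()
    return check_compliance("Org_Hardening", groups, machines, "All Machines",
                            exceptions if with_exceptions else [], now, timedelta(days=1))


if __name__ == "__main__":
    res = run_demo()
    for r in res:
        print(f"{r.machine:8} {r.rule:22} {r.status:14} actual={r.actual} stale={r.stale}")
    print("score with exceptions:", compliance_score(res))              # 66.7
    print("score without exceptions:", compliance_score(run_demo(False)))  # 50.0
```

Running the script lists the six results (LEGACY01 never appears because the rule-group filter removed it), shows PRINT01's spooler result as an exception with the collected value still visible, flags FILE01 as stale because its last collection is older than the threshold, and prints the score with and without the exception so the effect on the final number is explicit.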

Creating compliance alert rules

Nobody likes to wait, and nobody likes to work in Excel, so what if we got a ticket in our ticketing tool whenever a managed machine is non-compliant? We can create alerts and then integrate them with a ticketing tool that creates a ticket for us, or VCM can send an e-mail to the configured e-mail IDs.

Getting ready

We will need a working VCM server that is configured to check compliance.

How to do it…

This is a two-step process; first, we need to create an alert rule and then associate the created alert with the machine group.

So, let’s begin creating a compliance alert:

  1. Log in to VCM and go to Administration | Alerts | Rules. Click on Add.

  2. In the wizard, give a descriptive name and add a description. Click on Next.
  3. Select Compliance Results Data as the Data Type and click on Next.

  4. As we want an alert for non-compliance with the rules created for our organization's standards, select the appropriate compliance template. If we wanted an alert for the ISO 27001-27002 standard, we would select that template instead.

  5. On the next page, accept the newly created rule by clicking on Finish (the button is not in the screenshot).

    The next step is to associate this rule with the correct machine group, so we continue with step 6.

  6. Now move to Administration | Alerts | Machine Group Configuration, select the machine group for which you would like the alert to be generated, and click on Add.

  7. Select the alert we created and click on Next.

  8. Select Severity and click on Next (not shown in the screenshot).

  9. Select the actions that need to be done when the alert is created: we can send an e-mail, we can send an SNMP trap to a monitoring system or VCO that will create an alert in the organization ticketing system, or we can write the log to the Windows event log, and then, from there it will be picked up by the monitoring system to create a ticket. We are choosing to send an e-mail to the concerned people or teams.

  10. Provide the details of who should receive the e-mail, the sender’s e-mail ID, the SMTP server, e-mail subject, and modify the message body.

  11. If required, you can check for alerts, and then click on Finish to close the wizard (the button is not shown in the screenshot).

  12. The alerts can be seen at Console | Alerts.

How it works…

Reports are a good way to check the compliance status, but we can't depend on them alone; being alerted about a non-compliant machine is more proactive than going through a report. When we run or schedule a compliance check, the result is stored in the VCM database and fetched when we visit the Compliance tab on the VCM console. Alerts take a more proactive approach: they tell you that something is wrong and needs checking. After every compliance check, if the machine group has something non-compliant, an alert is created and the configured actions are taken, such as sending an e-mail, sending an SNMP trap, or writing an event to the Windows event log. Those can be worked on proactively rather than going to the console and checking the reports.
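The two halves of this recipe, an alert rule that watches compliance results for one template and a machine-group association that decides where it fires, are shown together in the following added example (not VCM code and not from the book) in Python. The result rows stand in for the Compliance Results Data a compliance run stores; the AlertRule fields, the association table, the action payloads (with placeholder addresses) and the suppression of alerts that are already open are constructed assumptions.

```python
"""Toy model of compliance alert rules and their machine-group association.

Added example, not VCM code: the AlertRule fields, the association table,
the action payloads and the suppression of already-open alerts are
assumptions for illustration. The input rows stand in for the Compliance
Results Data a compliance run stores in the database.
"""
from dataclasses import dataclass, field


@dataclass
class AlertRule:
    name: str
    template: str       # compliance template whose results this rule watches
    severity: str
    actions: list       # any of "email", "snmp", "eventlog"


@dataclass
class Alert:
    rule: str
    machine_group: str
    machine: str
    compliance_rule: str
    severity: str
    actions: list = field(default_factory=list)   # payloads built for each configured action


def build_action(kind, alert):
    """Build the payload an action would send. Addresses are placeholders; nothing is sent."""
    text = f"{alert.machine} is non-compliant with {alert.compliance_rule} ({alert.severity})"
    if kind == "email":
        return {"action": "email", "to": "server-owners@example.com",   # placeholder address
                "subject": f"[VCM] {text}", "body": f"Machine group: {alert.machine_group}"}
    if kind == "eventlog":
        return {"action": "eventlog", "log": "Application", "source": "VCM Alert",
                "level": "Error" if alert.severity == "Critical" else "Warning", "message": text}
    if kind == "snmp":
        return {"action": "snmp", "destination": "monitoring.example.com",  # placeholder host
                "varbinds": {"machine": alert.machine, "rule": alert.compliance_rule,
                             "severity": alert.severity}}
    raise ValueError(f"unknown action {kind}")


def generate_alerts(results, alert_rules, associations, already_open=()):
    """Raise one alert per non-compliant machine/rule pair in an associated machine group.

    associations maps machine group -> alert rule names (the second half of the recipe).
    Pairs listed in already_open are skipped so a repeat run does not re-page the same team.
    """
    rules_by_name = {r.name: r for r in alert_rules}
    open_keys = set(already_open)
    alerts = []
    for group, rule_names in associations.items():
        for rule in (rules_by_name[n] for n in rule_names):
            for row in results:
                if row["group"] != group or row["template"] != rule.template:
                    continue            # wrong machine group, or a template this rule ignores
                if row["status"] != "non-compliant":
                    continue            # compliant rows and exceptions never alert
                key = (rule.name, row["machine"], row["rule"])
                if key in open_keys:
                    continue
                open_keys.add(key)
                alert = Alert(rule.name, group, row["machine"], row["rule"], rule.severity)
                alert.actions = [build_action(kind, alert) for kind in rule.actions]
                alerts.append(alert)
    return alerts


def alert_keys(alerts):
    """Keys to carry into the next run as already_open."""
    return {(a.rule, a.machine, a.compliance_rule) for a in alerts}


# Constructed sample rows from one compliance run (not real VCM data).
DEMO_RESULTS = [
    {"machine": "WEB01", "group": "All Machines", "template": "Org_Hardening",
     "rule": "Service_Print_Spooler", "status": "non-compliant"},
    {"machine": "PRINT01", "group": "All Machines", "template": "Org_Hardening",
     "rule": "Service_Print_Spooler", "status": "exception"},
    {"machine": "FILE01", "group": "All Machines", "template": "Org_Hardening",
     "rule": "Service_Windows_Update", "status": "non-compliant"},
    {"machine": "FILE01", "group": "All Machines", "template": "ISO_27001_Win2008R2",
     "rule": "Audit_Policy", "status": "non-compliant"},
    {"machine": "DB01", "group": "Database Servers", "template": "Org_Hardening",
     "rule": "Service_Print_Spooler", "status": "non-compliant"},
]
DEMO_RULES = [AlertRule("Org_NonCompliance", "Org_Hardening", "Major", ["email", "eventlog"])]
DEMO_ASSOCIATIONS = {"All Machines": ["Org_NonCompliance"]}


def run_demo():
    """First run raises alerts; a second run over the same results raises none."""
    first = generate_alerts(DEMO_RESULTS, DEMO_RULES, DEMO_ASSOCIATIONS)
    second = generate_alerts(DEMO_RESULTS, DEMO_RULES, DEMO_ASSOCIATIONS, alert_keys(first))
    return first, second


if __name__ == "__main__":
    first, second = run_demo()
    for a in first:
        print(a.machine, a.compliance_rule, a.severity, [p["action"] for p in a.actions])
    print("alerts on repeat run:", len(second))   # 0
```

Only WEB01 and FILE01 raise alerts: PRINT01's row is an exception, FILE01's ISO row belongs to a template this alert rule does not watch, and DB01 sits in a machine group the rule is not associated with. The second run is silent because the same pairs are already open, which is the behaviour you want once the alerts feed a ticketing system.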

Summary

In this article, we learned how to check compliance using a standard imported template. We also learned how to create exceptions for our compliance rules so that standard services can be run without causing our score to go down. Finally, we looked at alerts and ticketing systems.
