Configuration compliance. Dell EMC OpenManage Enterprise

Add to My manuals
215 Pages

advertisement

Configuration compliance. Dell EMC OpenManage Enterprise | Manualzz

14

Configuration compliance

Create and manage configuration compliance baselines using built-in or user-created compliance templates. System defined query builders enable you to generate device-level baseline compliance data.

By selecting OpenManage Enterprise > Configuration > Configuration Compliance , you can create configurationcompliance baselines by using the built-in or user-created compliance templates. You can create a compliance template from an existing deployment template, reference device, or by importing from a file. To use this feature, you must have the Enterprise level license of OpenManage Enterprise and iDRAC for servers. For Chassis Management Controller, no license is required.

User's only with certain privileges are permitted to use this feature. See

Role and scope-based access

.

After a configuration baseline is created by using a compliance template, the summary of compliance level of each baseline is listed in a table. Each device associated with the baseline has its own status, however, the highest severity status is considered as the status of the baseline. For more information about Rollup Health status, see the Managing The Rollup Health Status By

Using iDRAC On The Dell 14th Generation And Later Poweredge Servers white paper on the support site.

NOTE: A baseline with multiple devices can sometimes show up as non-compliant permanently as few of the attribute values are not necessarily same across all the targets. For example, the Boot Control attributes such as the iSCSI

Target IQN, LUN ID, FCoE Target WWPN and so on that are not same across all targets and can cause a permanent non-compliance of the baseline.

The Overall Compliance Summary report displays the following fields:

● COMPLIANCE : The Rollup compliance level of devices attached to a configuration compliance baseline. The status of the device with least compliance (say, critical) is indicated as the status of the whole baseline.

● NAME : Name of the configuration compliance baseline.

● TEMPLATE : The name of the compliance template used by the baseline.

● BASELINE LAST EDITED : The most recent date and time when the compliance baseline was run.

To view the configuration compliance report of a baseline, select the corresponding check box, and then click View Report in the right pane.

Use the query builder feature to generate device level compliance to the selected baseline. See

Select a query criteria .

OpenManage Enterprise provides a built-in report to view the list of monitored devices and their compliance to the configuration compliance baseline. Select OpenManage Enterprise > Monitor > Reports > Devices per Template Compliance Baseline , and then click Run

. See Run reports

.

Related tasks

Create a configuration compliance baseline

Edit a configuration compliance baseline

Remove a configuration compliance baseline

Manage compliance templates

Select a query criteria

Topics:

Manage compliance templates

Create a configuration compliance baseline

Edit a configuration compliance baseline

Delete configuration compliance baselines

Refresh compliance of the configuration compliance baselines

Remediate noncompliant devices

Remove a configuration compliance baseline

160 Configuration compliance

Manage compliance templates

Create, clone, and edit compliance baseline templates using a deployment template, reference device, or importing from a file.

Use compliance template to create compliance baselines and then periodically check the configuration compliance status of devices that are associated with the baseline. See

Configuration compliance

.

You can create compliance templates by using deployment template, reference device, importing from a file. See

Manage compliance templates

.

NOTE:

● To perform any tasks on OpenManage Enterprise, you must have necessary role-based user privileges and scope-based operational access to the devices. See

Role and scope-based access

● For best results with deploying templates ensure that your source and target are of like hardware and configurations.

Otherwise attributes that are not available on the target could cause a failure in the deployment. If there are any hardware changes from the source device it is advised to delete the template and recreate.

By selecting Configuration > Configuration Compliance > Template Management , you can view the list of compliance templates based on the scope-based access that you have in OpenManage Enterprise. For example, an administrator can view and manage all the compliance templates, however, device managers can only view and manage the templates that they create and own. On this page:

● You can create compliance template by:

○ Using a deployment template. See

Create a compliance template from deployment template

.

○ Using a reference device. See

Create a compliance template from reference device

.

○ Importing from a template file. See

Create a compliance template by importing from a file

.

● Edit a compliance template. See

Edit a compliance template .

● Clone a compliance template. See

Clone a compliance template

.

● Export report about a compliance template. On the Compliance Templates page, select the corresponding check box, and then click Export . See

Export data

.

● Delete a compliance template. On the Compliance Templates page, select the corresponding check box, and then click

Delete .

Configuration compliance is scalable to a maximum of 6,000 devices. To efficiently manage large-scale configuration compliance activity do the following:

● Disable the default Configuration Inventory task that is triggered automatically and run it manually when needed.

● Create compliance baselines with lesser number of devices. For example, 6,000 devices must be categorized into four separate baselines with 1,500 devices each.

● All the baselines should not be checked for compliance at the same time.

NOTE: When you edit a compliance template, configuration compliance is automatically triggered on all the baselines that it is associated with. If there is a use case of frequent template edits the above scale environment is unsupported, and it is recommended that you associate a maximum of 100 devices per baseline for optimal performance.

Related information

Configuration compliance

Edit a configuration compliance baseline

Remove a configuration compliance baseline

Create a compliance template from deployment template

Edit a compliance template

Configuration compliance 161

Create a compliance template from deployment template

Create a baseline compliance template by using an existing deployment template.

Steps

1. Click Configuration > Configuration Compliance > Template Management > Create > From Deploy Template .

2. In the Clone Deployment Template dialog box, from the Template drop-down menu, select a deployment template that must be used as the reference for the new template.

3. Enter a name and description for the compliance template.

4. Click Finish .

A compliance template is created and listed in the list of compliance templates.

Related tasks

Manage compliance templates

Clone a compliance template

Create a compliance template from reference device

Create a baseline compliance template by using an existing reference device.

Prerequisites

To use the configuration properties of a device as a template for creating configuration baseline, the device must be already onboarded. See

Onboarding devices

Steps

1. Click Configuration > Configuration Compliance > Template Management > Create > From Reference Device .

2. In the Create Compliance Template dialog box, enter a name and description for the compliance template.

3. Select the options to create the compliance template by cloning properties of either a server or chassis.

4. Click Next .

5. In the Reference Device section, select the device that must be used as the 'reference' for creating the compliance

template. See Select target devices and device groups

.

a. If you select a server as the reference, select the server configuration properties that must be cloned.

6. Click Finish .

A template creation job is created and run. The newly-created compliance template is listed on the Compliance Templates page.

Create a compliance template by importing from a file

Create a baseline compliance template by importing from an existing compliance template.

Steps

1. Click Configuration > Configuration Compliance > Template Management > Create > Import from File .

2. In the Import Compliance Template dialog box, enter a name for the compliance template.

3. Select either the server or chassis template type, and then click Select a file to browse through to the file and select.

4. Click Finish .

The compliance template is created and listed.

162 Configuration compliance

Clone a compliance template

Use an existing baseline compliance template to create a new compliance template.

Steps

1. Click Configuration > Configuration Compliance > Template Management .

2. Select the compliance template to be cloned, and then click Clone .

3. In the Clone Template dialog box, enter the name of new compliance template.

4. Click Finish .

The new compliance template is created and listed under Compliance Templates .

Related information

Create a compliance template from deployment template

Edit a compliance template

Edit a compliance template

The compliance templates can be edited on the Configuration Compliance > Compliance Templates page. When editing, selecting or deselecting the template attributes does not change the template-stored attributes and all attributes will still be part of the template if it is exported. It does affect what is deployed.

Prerequisites

● Editing a compliance template that is already associated with other baseline(s), will automatically trigger a configuration compliance for all devices across all the baselines that use the template.

● Editing a compliance template that is linked to multiple baselines having large number of devices may result in a session timeout as the configuration compliance check for all the associated devices may take several minutes. A session timeout does not indicate that the changes made to the compliance template had any issue.

● When editing a compliance template on large-scale systems consisting of 1,000 or configuration inventory of a maximum of 6,000 managed devices, ensure that there are no other configuration inventory or compliance operations running at the same time. Additionally, disable the default system generated Configuration Inventory job on the Monitor > Jobs page (set source to System generated).

● It is recommended that you associate a maximum of 1500 devices per baseline for optimal performance.

● If there is a use case of frequent template edits, it is recommended that you associate a maximum of 100 devices per baseline for optimal performance.

Steps

1. On the Compliance Templates page, select the corresponding check box, and then click Edit .

2. On the Template Details page, the configuration attributes of the compliance template is listed.

3. Expand the attribute you want to edit, and then enter or select data in the fields. To enable the attribute, select the checkbox.

NOTE: Attributes preceded by are not editable and are not considered for compliance.

4. Click Save or Discard to implement or to reject the changes.

The compliance template is edited and the updated information is saved.

Related tasks

Manage compliance templates

Clone a compliance template

Configuration compliance 163

Create a configuration compliance baseline

A configuration compliance baseline is a list of devices associated to a compliance template. A device in OpenManage Enterprise can assigned to 10 baselines. You can check the compliance of a maximum 250 devices at a time.

Prerequisites

Ensure that you have created the appropriate compliance template.

About this task

To view the list of baselines, click OpenManage Enterprise > Configuration > Configuration Compliance .

The list of compliance baselines available to you depends on your role and scope based access privileges in OpenManage

Enterprise. For example, an administrator can view and manage all the compliance baselines, however, a device manager can only view and manage the compliance baselines created and owned by that device manager. Also, the target devices available to the device managers are restricted by the devices / device groups that are in their respective scope.

You can create a configuration compliance baseline by:

● Using an existing deployment template. See

Configuration compliance

.

● Using a template captured from a support device. See

Create a compliance template from reference device

.

● Using a template imported from a file. See

Create a compliance template by importing from a file

.

When you select a template for creating a baseline, the attributes associated with the templates are also selected. However, you

can edit the baseline properties. See Edit a configuration compliance baseline

.

CAUTION: If a compliance template used for a baseline is already associated with another baseline, editing the template properties changes the baseline compliance levels of devices already associated. Read through the

Error and Event message displayed and act accordingly. For more information about error and event messages, see the

Error and Event Message Reference Guide

available on the support site.

Steps

1. Select Configuration > Configuration Compliance > Create Compliance Baseline

2. In the Baseline Information Section: a. From the Template drop-down menu, select a compliance template. For more information about templates, see: b. Enter a compliance baseline name and description.

c. Click Next .

3. In the Target section: a. Select devices or device groups. Only compatible devices are displayed. See:

NOTE: Only compatible devices are listed. If you select a group, the devices that are not compatible with the compliance template, or the devices that do not support the configuration compliance baseline feature, are exclusively identified to help you select effectively.

4. (Optional) In the Schedule and Options section: a. Check the Schedule box and specify when the notification would be triggered by selecting either Notify any time the baseline becomes non-compliant or Notify on Schedule .

b. To schedule the notification at a later date and time, select Run Later and select the Date and Time . Alternatively, to trigger the notification on a weekly or daily basis, select Run On Schedule and select Daily or Weekly from the drop-down list and specify a time in the 12-hour format.

c. From the Format menu select one of the following formats for the Configuration Compliance report: HTML, CSV, PDF,

XLS.

d. In the Email Recipient box, enter the email address that must receive the notification. If email is not configured, you

must configure the email (SMTP) address. For more information, see: Configure SMTP, SNMP, and Syslog

5. Click on Finish

Results

Whenever a configuration baseline is created, a configuration inventory job is automatically created and run by the appliance to collect the inventory of the devices associated with the baseline for which the inventory data is unavailable. This newly-created

164 Configuration compliance

Configuration inventory job has the same name as the baseline for which the inventory is collected. Also, on the Configuration

Compliance page a progress bar indicating the progress of Inventory job appears alongside the respective baseline.

Related information

Configuration compliance

Remove a configuration compliance baseline

Edit a configuration compliance baseline

Edit the devices, name, and other properties associated with a configuration baseline.

About this task

CAUTION: If a compliance template used for a baseline is already associated with another baseline, editing the template properties changes the baseline compliance levels of devices already associated. See

Edit a compliance template

. Read through the Error and Event message displayed and act accordingly. For more information about error and event messages, see the

Error and Event Message Reference Guide

available on the support site.

Steps

1. Select Configuration > Configuration Compliance .

2. From the list of configuration compliance baselines, select the corresponding check box, and then click Edit .

3. In the Edit Compliance Baseline dialog box, update the information. See

Create a configuration compliance baseline

.

Results

Whenever a configuration baseline is edited, a configuration inventory job is automatically triggered to collect the inventory of the devices associated with the baseline for which the inventory data is unavailable. This newly-created configuration inventory job has the same name as the baseline for which the inventory is collected. Also, on the Configuration Compliance page a progress bar indicating the progress of inventory job appears alongside the respective baseline.

Related tasks

Manage compliance templates

Select a query criteria

Related information

Configuration compliance

Remove a configuration compliance baseline

Delete configuration compliance baselines

You can delete the configuration compliance baselines on the Configuration > Configuration Compliance page and delink the devices from the associated baselines.

Prerequisites

To perform any tasks on OpenManage Enterprise, you must have the necessary user privileges. See

Role and scope-based access

About this task

To delete the configuration compliance baselines:

Steps

1. Select the baseline(s) from the baselines listed on the Configuration Compliance page.

2. Click Delete and click Yes on the Confirmation prompt.

Configuration compliance 165

Results

The deleted configuration baselines are removed from the Configuration Compliance page.

Refresh compliance of the configuration compliance baselines

Periodically refresh the compliance status of configuration compliance baselines. The roll-up status is used. For example, if a device in a baseline is critical, then the status of the baseline is indicated as critical even if other devices are in healthy status.

About this task

The compliance status check of a compliance baseline is triggered automatically if changes are made to either the attributes of the baseline reference template or if there is any change to the configuration inventory of any of the baseline-associated devices.

The compliance status of a configuration compliance baseline is a roll-up compliance level of the devices attached to that configuration compliance baseline. The status of the device with least compliance (say, critical) is indicated as the status of the whole baseline.

The overall compliance summary of all the configuration baselines is represented on a donut chart located above the Baseline grid. The Compliance Last Run Date and Time is displayed below the chart.

Compliance status check on large baselines may take several minutes, however, you can click Refresh Compliance Summary to get an overall compliance summary of the devices on an as-needed basis while the large baseline compliance jobs are running.

NOTE:

● When the Configuration Compliance is in 'Running' status, initiating new jobs that impact baselines, such as editing of a compliance template or baseline, is not allowed.

● Clicking on the Refresh Compliance Summary only refreshes the overall compliance chart and not every individual baseline. To update individual baselines, trigger an edit baseline job:

1. Select the baseline.

2. Click on Edit.

3. On the dialog box, click on Finish .

Steps

1. Click Configuration > Configuration Compliance , the Configuration Compliance page is displayed.

2. Click Refresh Compliance Summary.

Results

The compliance refresh job (Load Summary of Compliance) is initiated and the overall compliance summary at that moment is displayed through the donut chart and the Compliance Last Run Time is updated.

Remediate noncompliant devices

On the Compliance Report page of a baseline, you can remediate the devices that do not match the associated baseline by changing the attribute values to match with the associated baseline attributes.

About this task

The Compliance Report page displays the following fields for the target devices that are associated with the compliance template baseline:

● COMPLIANCE : The status of the device with least compliance (for example, critical) is indicated as the status of the device.

● DEVICE NAME : The Name of the target device associated with the baseline.

● IP ADDRESS : The IP address of the target device.

● TYPE : Type of the target device associated.

● MODEL : Model name of the target device.

166 Configuration compliance

● SERVICE TAG : The service tag of the target device.

● LAST SUCCESSFUL INVENTORY TIME : The most recent date and time a successful inventory job was run. To initiate a new default inventory job, navigate to Monitor > Jobs and run the Default Inventory Task.

You can use the Advanced Filters to quickly see non-compliant devices. Also, the Select All and sorting support can be used on

Configuration compliance results. To undo the filters, click Clear Filters .

To view the drifted attributes of a noncompliant target device, select the device and click View Report . The Compliance

Report of the respective target device lists the attribute names with the expected and current values of the attributes.

Steps

1. Select Configuration > Configuration Compliance .

2. From the list of configuration compliance baselines, select the corresponding check box, and then click View Report .

3. From the list of noncompliant devices, select one or more devices, and then click Make Compliant .

NOTE: All attributes that are part of the template will be applied on the target device irrespective of the compliance status so a reboot may be required to apply the changes.

4. Schedule the configuration changes to run immediately or later, and then click Finish .

To apply the configuration changes after the next server reboot, you can select the Stage configuration changes to device(s) on next reboot option.

Results

A new configuration inventory task is run, and the compliance status of the baseline is updated on the Compliance page.

Export a compliance baseline report

A complete or partial list of the devices associated with a compliance template baseline can be exported to a CSV file.

About this task

Steps

1. Navigate to the Configuration > Configuration Compliance > Configuration Report screen of a configuration baseline

2. Click Export All to export details of all the devices in the compliance baseline. Or,

3. Click Export Selected after selecting the individual devices from the report.

Remove a configuration compliance baseline

Disassociate one or more devices from a configuration compliance baseline. Compliance data and configuration inventory of such devices is also deleted from the appliance.

About this task

You can remove the configuration compliance level of devices associated with a configuration baseline. For field descriptions displayed in the list, see

Configuration compliance .

CAUTION: When you delete a compliance baseline, or delete device(s) from a compliance baseline:

● The compliance data of the baseline and/or device(s) is deleted from the OpenManage Enterprise data.

● If a device is removed, its configuration inventory is no longer retrieved, and the already retrieved information is also deleted, unless the inventory is associated with an Inventory job.

A compliance template used as a compliance baseline cannot be deleted if associated with a device. Appropriate messages are displayed in such cases. Read through the error and event message displayed and act accordingly. For more information about error and event messages, see the Error and Event Message Reference Guide available on the support site.

Steps

1. Click Configuration > Configuration Compliance .

Configuration compliance 167

2. From the list of configuration compliance baselines, select the corresponding check box, and then click Delete .

3. When prompted whether or not you want to delete, click YES .

The compliance baseline is deleted and the Overall Compliance Summary table of baselines is updated.

Related tasks

Create a configuration compliance baseline

Select a query criteria

Manage compliance templates

Edit a configuration compliance baseline

Related information

Configuration compliance

168 Configuration compliance

advertisement

Related manuals

Download PDF

advertisement

Table of contents