Compliance Plans
- Updated on 15 Apr 2024
While compliance checking and reporting is native to Golden Configurations, the built-in functionality may not be sufficient for more complex requirements. For example, when running compliance checks in this way, you are only able to evaluate a single Golden Configuration node, or an entire Golden Configuration tree, at one time. In addition, such compliance checks are executed in serial, which can lead to performance issues on nodes with many endpoints.
Compliance Plans extend the compliance checking and reporting capabilities inherent to Golden Configurations. In this guide, you will learn:
- How compliance plans work.
- How to create a compliance plan.
- How to run compliance plans.
- How to view the reports generated by compliance plans.
Compliance plans operate in tandem with Golden Configuration nodes. Familiarity with Golden Configuration concepts is recommended before proceeding.
How Compliance Plans Work
A compliance plan, in its simplest form, is a collection of Golden Configuration nodes that can be checked for compliance simultaneously. While these nodes may come from the same Golden Configuration, this is not a requirement; nodes from multiple Golden Configurations, even if they are of disparate operating system (OS) types, can be added to the same compliance plan.
Upon import, a copy of the node that is unique to the compliance plan is created. It retains the same baseline configuration, though variable definitions may be edited during the import process. This does not extend to any endpoints (devices/task instances) that were previously assigned to the node; these will need to be re-associated.
After all desired nodes have been added to the compliance plan, it can be run, manually or automatically. This is known as a compliance run. Compliance runs function similarly to the compliance checks executed by Golden Configurations. However, compliance runs can be configured to use parallel execution, as opposed to the serial execution used by Golden Configurations. Parallel execution greatly reduces the amount of time needed to complete the run.
The compliance plan maintains a history of its runs, from which you can view an aggregation of the reports it has generated.
Creating Compliance Plans
Compliance plans are created from the Configuration Manager homepage:
- Click the Create (+) button located at the top of the side navigation menu. The Create modal will open.
- Select Compliance Plan from the What would you like to create? drop-down. The modal will auto-populate.
- Type a name for the compliance plan into the Name field.
- Optionally, type a description of the compliance plan into the Description field.
- Click the Create button at the bottom of the modal. Your new compliance plan will open.
Opening Existing Compliance Plans
To open an existing compliance plan, expand the Compliance Plans header located on the side navigation menu, then select the plan you would like to open from the list that appears. If needed, you can search for a specific plan via the Search bar located at the top of the list.
Figure 1: Configuration Manager Homepage
Browsing Compliance Plans
You can also browse compliance plans using the card-based Collection modal:
- Click the Search (🔍) button located at the top of the side navigation menu. The Collection modal will open.
- Click the Compliance Plans tab.
Figure 2: Collection Modal
Label | UI Element | Description |
---|---|---|
1 | Toolbar | An assortment of buttons used to perform collection management actions. From left to right, they are: Refresh, Select All, and Delete. |
2 | Search Bar | Searches the collection by compliance plan name. |
3 | Sort By | Determines what order the compliance plans are displayed in. |
4 | Selection Box | Selects the compliance plan for bulk actions, such as deletion. |
5 | Menu | Allows you to Edit or Delete the compliance plan. |
Compliance Plan UI
After creating or opening a compliance plan, you will be presented with the following user interface (Figure 3).
Figure 3: Compliance Plan UI
Label | UI Element | Description |
---|---|---|
1 | Run Menu | Presents options for running the compliance plan. |
2 | Metadata Menu | Allows you to view and edit the compliance plan's metadata or delete the compliance plan. |
3 | Tabs | Organizes application functionality into discrete pages. The Configuration Nodes tab houses all functionality related to node management. The Reports tab allows you to view reports generated by the compliance plan. |
Configuration Nodes Tab
Compliance plans, as a collection of Golden Configuration nodes and optional runtime data, are constructed and managed via the Configuration Nodes tab. Here, you can:
- Add configuration nodes to the compliance plan.
- Run the compliance plan.
Adding Nodes
Configuration nodes are added to compliance plans via the Add Compliance Run modal. The modal is designed to guide you sequentially in stages:
- Selecting which configuration node to add to the plan.
- Optionally, defining any runtime variables that should be used during plan execution.
- Selecting which endpoints the plan should be executed against.
Begin by adding any desired configuration nodes to the compliance plan:
- Click the + Node button. The Add Compliance Run modal will open.
- Select the Golden Configuration you would like to add a node from via the Golden Configuration drop-down. The Version drop-down will become available.
- Specify which version of the selected Golden Configuration should be used via the Version drop-down. All nodes present in the selected version will display.
- Click the node you would like to add. A preview of its baseline configuration will display. By default, this preview does not include lines inherited from parent nodes. To change this behavior, toggle the Show Inherited switch located at the top-right of the preview.
- To confirm, click the Next button located at the bottom-right of the modal.
Figure 4: Node Selection
Defining Optional Variables
The Add Compliance Run modal will advance to the optional variable definition stage (Figure 5). Any variables defined in the node's baseline configuration will display; use the text editor to add or remove variables, if desired. After defining the optional variables, click the Next button located at the bottom-right of the modal.
Any changes made to a node's variables via the Add Compliance Run modal will only take effect in the context of the current compliance plan. The node itself remains unchanged.
Figure 5: Variable Definition
Selecting Endpoints
Finally, the Add Compliance Run modal will advance to the endpoint selection stage (Figure 6).
- Select which endpoints you would like to compare to the node's configuration.
- Click the Save button located at the bottom-left of the modal if you are done. The selected node will be added to the compliance plan.
- If you have more nodes to add, click the Save & Add Another button to save the selected node and restart the process for a new node.
Figure 6: Endpoint Selection
Running Compliance Plans
Once you have added configuration nodes to the compliance plan, you can run it manually or by automation.
Manual
To run a compliance plan manually:
- Optionally, edit the maximum number of endpoints that the plan can simultaneously evaluate via the Limit number of concurrent devices field. Increasing this number may allow for faster compliance runs; however, Itential Automation Platform (IAP) will use more system resources as a result. This may lead to performance issues across both IAP and its host system.
- Hover over the Run Menu (►) button located at the top-right of the window. A drop-down menu will appear.
- Select Run manually from the menu.
Figure 7: Run Manually
While any number of endpoints can be checked concurrently, the performance benefits provided by parallel execution do not scale indefinitely. You will need to experiment to find the optimal setting for your environment.
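The following added example (not Itential code, and not taken from the product) models how a concurrency limit affects the wall-clock time of a compliance run. The per-endpoint check times are constructed, and the model covers scheduling only: it ignores the extra load on IAP and its host that the step above warns about.

```python
import heapq


def run_duration(check_seconds, limit):
    """Wall-clock seconds to finish every check with at most `limit` in flight.

    Checks start in list order; each one takes whichever slot frees up first.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    # One entry per usable slot, holding the time at which that slot is free.
    slots = [0] * min(limit, len(check_seconds))
    heapq.heapify(slots)
    finish = 0
    for seconds in check_seconds:
        start = heapq.heappop(slots)      # earliest free slot
        end = start + seconds
        finish = max(finish, end)
        heapq.heappush(slots, end)
    return finish


def smallest_useful_limit(check_seconds):
    """Lowest limit that already reaches the best achievable run time."""
    if not check_seconds:
        return 1
    best = run_duration(check_seconds, len(check_seconds))
    for limit in range(1, len(check_seconds) + 1):
        if run_duration(check_seconds, limit) == best:
            return limit


# Constructed sample: seconds needed to check each of eight endpoints.
SAMPLE = [12, 3, 4, 3, 5, 2, 4, 3]

if __name__ == "__main__":
    for limit in (1, 2, 3, 8):
        print(f"limit={limit}: {run_duration(SAMPLE, limit)}s")
    print("smallest useful limit:", smallest_useful_limit(SAMPLE))
```

In this sample the run time stops improving at a limit of 3, because the slowest single endpoint sets a floor that additional concurrency cannot lower.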
Automated
To automate compliance plan execution:
- Hover over the Run Menu (►) button located at the top-right of the window. A drop-down menu will appear.
- Select Automate plan from the menu. Operations Manager will be opened, displaying a collection of available automations.
- Click the Create Automation button. The Create Automation dialog will open.
- Ensure the automation type is set as Compliance Report.
- Type a name for the automation and, optionally, a brief description.
- Click the Create button. Your new automation will open.
- Configure a Scheduled Trigger for the automation; see Triggers for more information.
- Click Save Changes to save the trigger and finalize the automation.
Compliance plans run via automation will check all of a node's endpoints.
Compliance Reports Tab
Every time the compliance plan is run, an entry will be added to the history table on its Compliance Reports tab. For each listed compliance run, you can:
- View all compliance reports associated with that run.
- Export all compliance reports associated with that run.
Viewing Compliance Reports
To view all compliance reports generated by a compliance run:
1. Locate the compliance run's entry in the history table. Each entry is uniquely identified by its start time and initiating user.
2. Click the menu (⋮) button located at the end of the relevant table row. A list of available actions will display.
3. Select View from the menu. A table listing of all reports generated by the run will display.
4. Click the eye icon for the report you would like to view.
Exporting Compliance Reports
Similarly, to export all reports generated by a run in JSON format, follow steps 1-2 as listed above. Then, select Export from the menu.
Figure 8: Compliance Report Listing