Using SCOM as a basic configuration audit system – Part 5 discoveries


Previous posts on the subject:


In my first post I defined the following baselines to be checked for compliance:

· Windows Server 2008

· Windows Server 2008 R2 RTM

· Windows Server 2008 R2 with Service Pack 1

While the first two are already discovered by standard management packs, the last one is missing, so we’re going to define a new class and discover it. There are plenty of choices here, but I chose to follow the pattern established by the Windows Server 2008 Management Pack, in which the R2 operating system is derived from the Windows 2008 operating system. This will be the new hierarchy:

This choice deserves some explanation, since it has side effects. Windows 2008 R2 is a Windows 2008, and Windows 2008 R2 SP1 is a Windows 2008 R2. This implies that all the rules targeted at Windows 2008 also apply to R2 and R2 SP1, and that all the rules targeted at R2 also apply to R2 SP1. Since our monitor will be generically targeted at the Server Operating System, we get an effect that I call slow convergence. On a newly discovered Windows 2008 R2 SP1 system, this is what happens:

· First it is discovered as a Windows 2008 R2 system and the compliance rule for that OS is applied, resulting in a non-compliance. The Windows 2008 management pack has one discovery rule that returns the proper operating system version (2008 or 2008 R2).

· Then it is discovered as a Windows 2008 R2 Service Pack 1 system and the rules for R2 SP1 are applied, resulting in the correct compliance assessment.

I think this slow convergence is acceptable. If it is not, the Windows Server 2008 R2 SP1 class should instead be derived from the Windows.Server.OperatingSystem class and the whole discovery retargeted to discover the OS. It’s really up to you; the modification should be easy enough if you have followed what we have built so far.

So in the TypeDefinitions, EntityTypes section we need to add the following snippet at the top:

      <ClassTypes>
        <ClassType ID="Microsoft.Windows.Server.2008.R2.SP1.OperatingSystem" Abstract="false" Accessibility="Public" Base="Win2008!Microsoft.Windows.Server.2008.R2.OperatingSystem" Hosted="true" Singleton="false">
        </ClassType>
      </ClassTypes>

And don’t forget the corresponding display string in the language pack section:

        <DisplayString ElementID="Microsoft.Windows.Server.2008.R2.SP1.OperatingSystem">
          <Name>Windows Server 2008 R2 Operating System with SP1</Name>
        </DisplayString>

With this latest entry our type definitions are complete. We can now focus on the monitoring section, starting with the discoveries needed for the new operating system baseline and for the loose reference between the HealthService and the operating system. For the relationship discovery we’re going to use the previously defined data source. The discovery target is the source of the relationship, i.e. the HealthService class. The source and target role settings of the relationship are the key properties of the two classes (HealthService and OperatingSystem); incidentally they are the same property, the PrincipalName of the WindowsComputer class.

      <Discovery ID="QND.Compliance.HSRefOSDiscovery" Enabled="true" Target="SC!Microsoft.SystemCenter.HealthService" ConfirmDelivery="true" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryRelationship TypeID="QND.Compliance.HealthServiceReferenceOperatingSystem" />
        </DiscoveryTypes>
        <DataSource ID="DS" TypeID="QND.Compliance.HSRefOS.DT">
          <Frequency>86400</Frequency>
          <SyncTime></SyncTime>
          <RelationshipId>$MPElement[Name="QND.Compliance.HealthServiceReferenceOperatingSystem"]$</RelationshipId>
          <SourceRoleSettings>
            <Settings>
              <Setting>
                <Name>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Name>
                <Value>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
              </Setting>
            </Settings>
          </SourceRoleSettings>
          <TargetRoleSettings>
            <Settings>
              <Setting>
                <Name>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Name>
                <Value>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
              </Setting>
            </Settings>
          </TargetRoleSettings>
        </DataSource>
      </Discovery>

For the Windows 2008 R2 SP1 discovery we’re going to use a simple registry discovery that matches the operating system build with 7601. I guess you can find many samples of this kind of discovery on the web, so I won’t elaborate further. One last thing: notice that the discovery is disabled by default. We’re going to enable it via an override, since I don’t dare assume everyone wants such a baseline.

      <Discovery ID="QND.Compliance.Win2008R2SP1.Discovery" Enabled="false" Target="Win2008!Microsoft.Windows.Server.2008.R2.OperatingSystem" ConfirmDelivery="true" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryClass TypeID="Microsoft.Windows.Server.2008.R2.SP1.OperatingSystem" />
        </DiscoveryTypes>
        <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.FilteredRegistryDiscoveryProvider">
          <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
          <RegistryAttributeDefinitions>
            <RegistryAttributeDefinition>
              <AttributeName>WindowsCurrentVersion</AttributeName>
              <Path>SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion</Path>
              <PathType>1</PathType>
              <AttributeType>1</AttributeType>
            </RegistryAttributeDefinition>
            <RegistryAttributeDefinition>
              <AttributeName>WindowsCurrentBuild</AttributeName>
              <Path>SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild</Path>
              <PathType>1</PathType>
              <AttributeType>1</AttributeType>
            </RegistryAttributeDefinition>
          </RegistryAttributeDefinitions>
          <Frequency>14400</Frequency>
          <ClassId>$MPElement[Name="Microsoft.Windows.Server.2008.R2.SP1.OperatingSystem"]$</ClassId>
          <InstanceSettings>
            <Settings>
              <Setting>
                <Name>$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName$</Name>
                <Value>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
              </Setting>
            </Settings>
          </InstanceSettings>
          <Expression>
            <And>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery Type="String">Values/WindowsCurrentVersion</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value Type="String">6.1</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery Type="String">Values/WindowsCurrentBuild</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value Type="String">7601</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </And>
          </Expression>
        </DataSource>
      </Discovery>
    </Discoveries>
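
The filter and class chain above, modelled as an added Python example (not code from the original post or from SCOM): it evaluates the discovery’s expression against constructed registry snapshots and shows the slow convergence described earlier, where an SP1 host is first treated as plain R2. The class labels, function names and sample values are hypothetical, and only the And/Equal subset of the expression syntax is handled.

```python
import xml.etree.ElementTree as ET

# Filter copied from the QND.Compliance.Win2008R2SP1.Discovery data source above.
FILTER_XML = """<Expression><And>
<Expression><SimpleExpression>
<ValueExpression><XPathQuery Type="String">Values/WindowsCurrentVersion</XPathQuery></ValueExpression>
<Operator>Equal</Operator><ValueExpression><Value Type="String">6.1</Value></ValueExpression>
</SimpleExpression></Expression>
<Expression><SimpleExpression>
<ValueExpression><XPathQuery Type="String">Values/WindowsCurrentBuild</XPathQuery></ValueExpression>
<Operator>Equal</Operator><ValueExpression><Value Type="String">7601</Value></ValueExpression>
</SimpleExpression></Expression>
</And></Expression>"""

# Class chain from the post (short hypothetical labels): class -> base class.
BASE = {"2008 R2 SP1": "2008 R2", "2008 R2": "2008", "2008": None}
# Constructed registry snapshots, keyed by the discovery's AttributeName values.
SP1_HOST = {"WindowsCurrentVersion": "6.1", "WindowsCurrentBuild": "7601"}
RTM_HOST = {"WindowsCurrentVersion": "6.1", "WindowsCurrentBuild": "7600"}

def operand(node, values):
    """Resolve a ValueExpression: registry attribute lookup or literal value."""
    query = node.find("XPathQuery")
    if query is None:
        return node.find("Value").text
    return values.get(query.text.split("/", 1)[1])

def matches(expr, values):
    """Evaluate the And / SimpleExpression(Equal) subset this filter uses."""
    child = expr[0]
    if child.tag == "And":
        return all(matches(e, values) for e in child)
    if child.find("Operator").text != "Equal":
        raise ValueError("operator not handled by this example")
    left, right = child.findall("ValueExpression")
    return operand(left, values) == operand(right, values)

def most_derived(values, sp1_discovery_ran):
    """Most specific class of a host already discovered as R2 (assumption)."""
    if sp1_discovery_ran and matches(ET.fromstring(FILTER_XML), values):
        return "2008 R2 SP1"
    return "2008 R2"

def targeted_by(cls):
    """Classes whose targeted rules reach an instance of cls (itself and bases)."""
    chain = []
    while cls:
        chain.append(cls)
        cls = BASE[cls]
    return chain
```

Until the SP1 discovery has run, `most_derived(SP1_HOST, False)` still reports the R2 class, which is the window in which the R2 baseline is applied to an SP1 host.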

 

The discovery section is complete. Just add the corresponding display strings to our language pack:

        <DisplayString ElementID="QND.Compliance.HSRefOSDiscovery">
          <Name>QND HealthService Reference OS Discovery</Name>
          <Description>Sets a reference to the OS for the HealthService needed for projecting the fix compliance to the agent state</Description>
        </DisplayString>
        <DisplayString ElementID="QND.Compliance.Win2008R2SP1.Discovery">
          <Name>QND Windows 2008 Server R2 with SP1 discovery</Name>
        </DisplayString>

The next post will be the last for the monitoring part. I’m going to show the monitoring section with the overrides needed to make the compliance check work across different baselines. Then we’ll start to tackle the reporting portion of our basic configuration auditing project.

– Daniele

This posting is provided "AS IS" with no warranties, and confers no rights.
