Compliance as code
This document describes two methods for running compliance as code remediation with SUSE Manager:
- Use an Ansible Playbook
- Use a Bash script
1. Run remediation using an Ansible playbook
An Ansible control node is required. For more information, see ansible-setup-control-node.adoc.
The following procedure will guide you through running remediation using an Ansible Playbook.
- From the control node system menu select . Expand the folder tab, then select a playbook.
- Click the playbook.
- To run the playbook, select the OS Inventory Path for the client, for example: /etc/ansible/sles15
- Click Schedule.
- Check the status of the scheduled event under the Events tab.
2. Run remediation using a Bash script
Install the scap-security-guide package on all your target systems. For more information, see ansible-setup-control-node.adoc.
Packages, channels and scripts are different for each operating system and distribution. Examples are listed in the Example remediation Bash scripts section.
2.1. Run the Bash script on single systems as a remote command
Run the Bash script as a remote command on single systems.
- From tab, select your instance. Then in , write a Bash script such as:

      #!/bin/bash
      chmod +x -R /usr/share/scap-security-guide/bash
      /usr/share/scap-security-guide/bash/sle15-script-standard.sh

- Click Schedule.

Folder and script names change between distribution and version. Examples are listed in the Example remediation Bash scripts section.
2.2. Run the Bash script using System Set Manager on multiple systems
Run the Bash script as a remote command on multiple systems at once.
- When a system group has been created click System Groups, select Use in SSM from the table.
- From the System Set Manager, under , write a Bash script such as:

      #!/bin/bash
      chmod +x -R /usr/share/scap-security-guide/bash
      /usr/share/scap-security-guide/bash/sle15-script-standard.sh

- Click Schedule.
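
A more defensive form of the remote command from sections 2.1 and 2.2, as an added example that is not part of the SUSE Manager documentation: it checks that the remediation script exists and is not world-writable before running it, and logs the result. The function name run_remediation, its exit codes and the log path are assumptions made for this sketch.

```bash
#!/bin/bash
# Added example: guarded runner for a scap-security-guide remediation script.
# run_remediation and its optional log-path argument are hypothetical names.

run_remediation() {
    local dir="$1" name="$2" log="${3:-/var/log/ssg-remediation.log}"
    local script="$dir/$name" rc=0

    # Script names differ per distribution and version: fail clearly and
    # list what the installed package actually ships in that folder.
    if [ ! -f "$script" ]; then
        echo "remediation script not found: $script" >&2
        ls -1 "$dir" 2>/dev/null | sed 's/^/  available: /' >&2
        return 2
    fi

    # Remediation changes system settings with elevated privileges, so
    # refuse a script that any local user could have modified.
    if [ -n "$(find -L "$script" -maxdepth 0 -perm -002)" ]; then
        echo "refusing world-writable script: $script" >&2
        return 3
    fi

    # Run through bash (no recursive chmod needed) and keep the output so
    # the applied changes can be reviewed after the scheduled event.
    bash "$script" >>"$log" 2>&1 || rc=$?
    echo "$(date -u +%FT%TZ) $name exit=$rc" >>"$log"
    return "$rc"
}

# Pasted as a remote command, end with a direct call, for example with the
# SLES 15 values used on this page:
#   run_remediation /usr/share/scap-security-guide/bash sle15-script-standard.sh
[ "$#" -eq 0 ] || run_remediation "$@"
```

A non-zero exit code from the function makes the scheduled event show as failed instead of silently doing nothing when the script name does not match the installed package.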
3. Example remediation Bash scripts
3.1. SUSE Linux Enterprise, openSUSE and variants
Example SUSE Linux Enterprise and openSUSE script data.
Package | scap-security-guide
Channels | SLE12: SLES12 Updates
Bash script folder |
Bash scripts | opensuse-script-standard.sh
3.2. Red Hat Enterprise Linux and CentOS Bash script data
Example Red Hat Enterprise Linux and CentOS script data.
Package | scap-security-guide-redhat
Channel | SUSE Manager Tools
Bash script folder |
Bash scripts | centos7-script-pci-dss.sh
3.3. Ubuntu Bash script data
Example Ubuntu script data.
Package | scap-security-guide-ubuntu
Channel | SUSE Manager Tools
Bash Script Folder |
Bash Script | ubuntu1604-script-anssi_np_nt28_average.sh
3.4. Debian Bash script data
Example Debian script data.
Package | scap-security-guide-debian
Channel | SUSE Manager Tools
Bash Script Folder |
Bash Scripts | debian10-script-anssi_np_nt28_average.sh