Compliance as code

Table of Contents

1. Run remediation using an Ansible playbook
2. Run remediation using a Bash script
- 2.1. Run the Bash script on single systems as a remote command
- 2.2. Run the bash script using System Set Manager on multiple systems
3. Example remediation Bash scripts

This document provides insight on running compliance as code remediation using two methods with SUSE Manager:

Use an Ansible Playbook
Use a bash script

1. Run remediation using an Ansible playbook

An Ansible control node is required. For more information, see ansible-setup-control-node.adoc.

The following procedure will guide you through running remediation using an Ansible Playbook.

Procedure: Run remediation using an Ansible playbook

From the control node system menu select Ansible Playbooks. Expand the folder tab, then select a playbook.
Click the playbook.
To run the playbook, select the OS Inventory Path for the client, for example:
```
/etc/ansible/sles15
```
Click Schedule.
Check the status of the scheduled event under the Events tab.

2. Run remediation using a Bash script

Install the scap-security-guide package on all your target systems. For more information, see ansible-setup-control-node.adoc.

Packages, channels and scripts are different for each operating system and distribution. Examples are listed in the Example remediation Bash scripts section.

2.1. Run the Bash script on single systems as a remote command

Run the Bash script as a remote command on single systems.

From System Overview tab, select your instance. Then in Details Remote Commands, write a Bash script such as:

#!/bin/bash
chmod +x -R /usr/share/scap-security-guide/bash
/usr/share/scap-security-guide/bash/sle15-script-standard.sh

Click Schedule.

Folder and script names change between distribution and version. Examples are listed in the Example remediation Bash scripts section.

2.2. Run the bash script using System Set Manager on multiple systems

Run the Bash script as a remote command on multiple systems at once.

When a system group has been created click System Groups, select Use in SSM from the table.

From the System Set Manager, under Misc Remote Command, write a Bash script such as:

#!/bin/bash
chmod +x -R /usr/share/scap-security-guide/bash
/usr/share/scap-security-guide/bash/sle15-script-standard.sh

Click Schedule.

3. Example remediation Bash scripts

3.1. SUSE Linux Enterprise openSUSE and variants

Example SUSE Linux Enterprise and openSUSE script data.

Table 1. SUSE Linux Enterprise openSUSE
Package	scap-security-guide
Channels	SLE12: SLES12 Updates SLE15: SLES15 Module Basesystem Updates
Bash script folder	`/usr/share/scap-security-guide/bash/`
Bash scripts	opensuse-script-standard.sh sle12-script-standard.sh sle12-script-stig.sh sle15-script-cis.sh sle15-script-standard.sh sle15-script-stig.sh

3.2. Red Hat Enterprise Linux and CentOS Bash script data

Example Red Hat Enterprise Linux and CentOS script data.

scap-security-guide in centos7-updates only contains the Red Hat Enterprise Linux script.

Table 2. Red Hat Enterprise Linux CentOS and variants
Package	scap-security-guide-redhat
Channel	SUSE Manager Tools
Bash script folder	`/usr/share/scap-security-guide/bash/`
Bash scripts	centos7-script-pci-dss.sh centos7-script-standard.sh centos8-script-pci-dss.sh centos8-script-standard.sh fedora-script-ospp.sh fedora-script-pci-dss.sh fedora-script-standard.sh ol7-script-anssi_nt28_enhanced.sh ol7-script-anssi_nt28_high.sh ol7-script-anssi_nt28_intermediary.sh ol7-script-anssi_nt28_minimal.sh ol7-script-cjis.sh ol7-script-cui.sh ol7-script-e8.sh ol7-script-hipaa.sh ol7-script-ospp.sh ol7-script-pci-dss.sh ol7-script-sap.sh ol7-script-standard.sh ol7-script-stig.sh ol8-script-anssi_bp28_enhanced.sh ol8-script-anssi_bp28_high.sh ol8-script-anssi_bp28_intermediary.sh ol8-script-anssi_bp28_minimal.sh ol8-script-cjis.sh ol8-script-cui.sh ol8-script-e8.sh ol8-script-hipaa.sh ol8-script-ospp.sh ol8-script-pci-dss.sh ol8-script-standard.sh rhel7-script-anssi_nt28_enhanced.sh rhel7-script-anssi_nt28_high.sh rhel7-script-anssi_nt28_intermediary.sh rhel7-script-anssi_nt28_minimal.sh rhel7-script-C2S.sh rhel7-script-cis.sh rhel7-script-cjis.sh rhel7-script-cui.sh rhel7-script-e8.sh rhel7-script-hipaa.sh rhel7-script-ncp.sh rhel7-script-ospp.sh rhel7-script-pci-dss.sh rhel7-script-rhelh-stig.sh rhel7-script-rhelh-vpp.sh rhel7-script-rht-ccp.sh rhel7-script-standard.sh rhel7-script-stig_gui.sh rhel7-script-stig.sh rhel8-script-anssi_bp28_enhanced.sh rhel8-script-anssi_bp28_high.sh rhel8-script-anssi_bp28_intermediary.sh rhel8-script-anssi_bp28_minimal.sh rhel8-script-cis.sh rhel8-script-cjis.sh rhel8-script-cui.sh rhel8-script-e8.sh rhel8-script-hipaa.sh rhel8-script-ism_o.sh rhel8-script-ospp.sh rhel8-script-pci-dss.sh rhel8-script-rhelh-stig.sh rhel8-script-rhelh-vpp.sh rhel8-script-rht-ccp.sh rhel8-script-standard.sh rhel8-script-stig_gui.sh rhel8-script-stig.sh rhel9-script-pci-dss.sh rhosp10-script-cui.sh rhosp10-script-stig.sh rhosp13-script-stig.sh rhv4-script-pci-dss.sh rhv4-script-rhvh-stig.sh rhv4-script-rhvh-vpp.sh sl7-script-pci-dss.sh sl7-script-standard.sh

3.3. Ubuntu Bash script data

Example Ubuntu script data.

Table 3. Ubuntu
Package	scap-security-guide-ubuntu
Channel	SUSE Manager Tools
Bash Script Folder	`/usr/share/scap-security-guide/`
Bash Script	ubuntu1604-script-anssi_np_nt28_average.sh ubuntu1604-script-anssi_np_nt28_high.sh ubuntu1604-script-anssi_np_nt28_minimal.sh ubuntu1604-script-anssi_np_nt28_restrictive.sh ubuntu1604-script-standard.sh ubuntu1804-script-anssi_np_nt28_average.sh ubuntu1804-script-anssi_np_nt28_high.sh ubuntu1804-script-anssi_np_nt28_minimal.sh ubuntu1804-script-anssi_np_nt28_restrictive.sh ubuntu1804-script-cis.sh ubuntu1804-script-standard.sh ubuntu2004-script-standard.sh

3.4. Debian Bash script data

Example Debian script data.

Table 4. Debian
Package	scap-security-guide-debian
Channel	SUSE Manager Tools
Bash Script Folder	`/usr/share/scap-security-guide/`
Bash Scripts	debian9-script-anssi_np_nt28_average.sh debian9-script-anssi_np_nt28_high.sh debian9-script-anssi_np_nt28_minimal.sh debian9-script-anssi_np_nt28_restrictive.sh debian9-script-standard.sh debian10-script-anssi_np_nt28_average.sh debian10-script-anssi_np_nt28_high.sh debian10-script-anssi_np_nt28_minimal.sh debian10-script-anssi_np_nt28_restrictive.sh debian10-script-standard.sh