Compliance as code

This document provides insight on running compliance as code remediation using two methods with SUSE Manager:

  • Use an Ansible Playbook

  • Use a bash script

1. Run remediation using an Ansible playbook

An Ansible control node is required. For more information, see Setup an Ansible control node.

The following procedure will guide you through running remediation using an Ansible Playbook.

Procedure: Run remediation using an Ansible playbook

  1. From the control node system menu select Ansible  Playbooks. Expand the folder tab, then select a playbook.

  2. Click the playbook.

  3. To run the playbook, select the OS Inventory Path for the client, for example:

    /etc/ansible/sles15

  4. Click Schedule.

  5. Check the status of the scheduled event under the Events tab.

2. Run remediation using a Bash script

Install the scap-security-guide package on all your target systems. For more information, see Setup an Ansible control node.

Packages, channels and scripts are different for each operating system and distribution. Examples are listed in the Example remediation Bash scripts section.

2.1. Run the Bash script on single systems as a remote command

Run the Bash script as a remote command on single systems.

  1. From System  Overview tab, select your instance. Then in Details  Remote Commands, write a Bash script such as:

    #!/bin/bash
chmod +x -R /usr/share/scap-security-guide/bash
/usr/share/scap-security-guide/bash/sle15-script-standard.sh

  2. Click Schedule.

Folder and script names change between distribution and version. Examples are listed in the Example remediation Bash scripts section.

2.2. Run the bash script using System Set Manager on multiple systems

Run the Bash script as a remote command on multiple systems at once.

  1. When a system group has been created click System Groups, select Use in SSM from the table.

  2. From the System Set Manager, under Misc  Remote Command, write a Bash script such as:

    #!/bin/bash
chmod +x -R /usr/share/scap-security-guide/bash
/usr/share/scap-security-guide/bash/sle15-script-standard.sh

  3. Click Schedule.

3. Example remediation Bash scripts

3.1. SUSE Linux Enterprise openSUSE and variants

Example SUSE Linux Enterprise and openSUSE script data.

Table 1. SUSE Linux Enterprise openSUSE

Package

scap-security-guide

Channels

SLE12: SLES12 Updates
SLE15: SLES15 Module Basesystem Updates

Bash script folder

/usr/share/scap-security-guide/bash/

Bash scripts

opensuse-script-standard.sh
sle12-script-standard.sh
sle12-script-stig.sh
sle15-script-cis.sh
sle15-script-standard.sh
sle15-script-stig.sh

3.2. Red Hat Enterprise Linux and CentOS Bash script data

Example Red Hat Enterprise Linux and CentOS script data.

scap-security-guide in centos7-updates only contains the Red Hat Enterprise Linux script.
Table 2. Red Hat Enterprise Linux CentOS and variants

Package

scap-security-guide-redhat

Channel

SUSE Manager Tools

Bash script folder

/usr/share/scap-security-guide/bash/

Bash scripts

centos7-script-pci-dss.sh
centos7-script-standard.sh
centos8-script-pci-dss.sh
centos8-script-standard.sh
fedora-script-ospp.sh
fedora-script-pci-dss.sh
fedora-script-standard.sh
ol7-script-anssi_nt28_enhanced.sh
ol7-script-anssi_nt28_high.sh
ol7-script-anssi_nt28_intermediary.sh
ol7-script-anssi_nt28_minimal.sh
ol7-script-cjis.sh
ol7-script-cui.sh
ol7-script-e8.sh
ol7-script-hipaa.sh
ol7-script-ospp.sh
ol7-script-pci-dss.sh
ol7-script-sap.sh
ol7-script-standard.sh
ol7-script-stig.sh
ol8-script-anssi_bp28_enhanced.sh
ol8-script-anssi_bp28_high.sh
ol8-script-anssi_bp28_intermediary.sh
ol8-script-anssi_bp28_minimal.sh
ol8-script-cjis.sh
ol8-script-cui.sh
ol8-script-e8.sh
ol8-script-hipaa.sh
ol8-script-ospp.sh
ol8-script-pci-dss.sh
ol8-script-standard.sh
rhel7-script-anssi_nt28_enhanced.sh
rhel7-script-anssi_nt28_high.sh
rhel7-script-anssi_nt28_intermediary.sh
rhel7-script-anssi_nt28_minimal.sh
rhel7-script-C2S.sh
rhel7-script-cis.sh
rhel7-script-cjis.sh
rhel7-script-cui.sh
rhel7-script-e8.sh
rhel7-script-hipaa.sh
rhel7-script-ncp.sh
rhel7-script-ospp.sh
rhel7-script-pci-dss.sh
rhel7-script-rhelh-stig.sh
rhel7-script-rhelh-vpp.sh
rhel7-script-rht-ccp.sh
rhel7-script-standard.sh
rhel7-script-stig_gui.sh
rhel7-script-stig.sh
rhel8-script-anssi_bp28_enhanced.sh
rhel8-script-anssi_bp28_high.sh
rhel8-script-anssi_bp28_intermediary.sh
rhel8-script-anssi_bp28_minimal.sh
rhel8-script-cis.sh
rhel8-script-cjis.sh
rhel8-script-cui.sh
rhel8-script-e8.sh
rhel8-script-hipaa.sh
rhel8-script-ism_o.sh
rhel8-script-ospp.sh
rhel8-script-pci-dss.sh
rhel8-script-rhelh-stig.sh
rhel8-script-rhelh-vpp.sh
rhel8-script-rht-ccp.sh
rhel8-script-standard.sh
rhel8-script-stig_gui.sh
rhel8-script-stig.sh
rhel9-script-pci-dss.sh
rhosp10-script-cui.sh
rhosp10-script-stig.sh
rhosp13-script-stig.sh
rhv4-script-pci-dss.sh
rhv4-script-rhvh-stig.sh
rhv4-script-rhvh-vpp.sh
sl7-script-pci-dss.sh
sl7-script-standard.sh

3.3. Ubuntu Bash script data

Example Ubuntu script data.

Table 3. Ubuntu

Package

scap-security-guide-ubuntu

Channel

SUSE Manager Tools

Bash Script Folder

/usr/share/scap-security-guide/

Bash Script

ubuntu1604-script-anssi_np_nt28_average.sh
ubuntu1604-script-anssi_np_nt28_high.sh
ubuntu1604-script-anssi_np_nt28_minimal.sh
ubuntu1604-script-anssi_np_nt28_restrictive.sh
ubuntu1604-script-standard.sh
ubuntu1804-script-anssi_np_nt28_average.sh
ubuntu1804-script-anssi_np_nt28_high.sh
ubuntu1804-script-anssi_np_nt28_minimal.sh
ubuntu1804-script-anssi_np_nt28_restrictive.sh
ubuntu1804-script-cis.sh
ubuntu1804-script-standard.sh
ubuntu2004-script-standard.sh

3.4. Debian Bash script data

Example Debian script data.

Table 4. Debian

Package

scap-security-guide-debian

Channel

SUSE Manager Tools

Bash Script Folder

/usr/share/scap-security-guide/bash

Bash Scripts

debian10-script-anssi_np_nt28_average.sh
debian10-script-anssi_np_nt28_high.sh
debian10-script-anssi_np_nt28_minimal.sh
debian10-script-anssi_np_nt28_restrictive.sh
debian10-script-standard.sh
debian11-script-anssi_np_nt28_average.sh
debian11-script-anssi_np_nt28_high.sh
debian11-script-anssi_np_nt28_minimal.sh
debian11-script-anssi_np_nt28_restrictive.sh
debian11-script-standard.sh