Compliance as code
This document describes two methods for running compliance as code remediation with SUSE Manager:
- Use an Ansible playbook
- Use a Bash script
1. Run remediation using an Ansible playbook
An Ansible control node is required. For more information, see Setup an Ansible control node.
The following procedure will guide you through running remediation using an Ansible Playbook.
- From the control node system menu select . Expand the folder tab, then select a playbook.
- Click the playbook.
- To run the playbook, select the OS Inventory Path for the client, for example: /etc/ansible/sles15
- Click Schedule.
- Check the status of the scheduled event under the Events tab.
2. Run remediation using a Bash script
Install the scap-security-guide package on all your target systems.
For more information, see Setup an Ansible control node.
Packages, channels and scripts are different for each operating system and distribution. Examples are listed in the Example remediation Bash scripts section.
2.1. Run the Bash script on single systems as a remote command
Run the Bash script as a remote command on single systems.
- From tab, select your instance. Then in , write a Bash script such as:

    #!/bin/bash
    # Make the remediation scripts in the folder executable
    chmod +x -R /usr/share/scap-security-guide/bash
    # Run the remediation script for the chosen profile
    /usr/share/scap-security-guide/bash/sle15-script-standard.sh

- Click Schedule.
Folder and script names differ between distributions and versions. Examples are listed in the Example remediation Bash scripts section.
2.2. Run the bash script using System Set Manager on multiple systems
Run the Bash script as a remote command on multiple systems at once.
- When a system group has been created, click System Groups, then select Use in SSM from the table.
- From the System Set Manager, under , write a Bash script such as:

    #!/bin/bash
    # Make the remediation scripts in the folder executable
    chmod +x -R /usr/share/scap-security-guide/bash
    # Run the remediation script for the chosen profile
    /usr/share/scap-security-guide/bash/sle15-script-standard.sh

- Click Schedule.
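A hardened variant of the remote command from sections 2.1 and 2.2, added here as an example and not part of the SUSE documentation: it runs the remediation script through bash instead of making the whole folder executable, refuses a script that is missing, a symlink, or writable by group or others, and returns the script's own exit status. The LOG_DIR location and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not SUSE's script. SSG_DIR and the script name used with it
# are the SLE 15 values from this page; LOG_DIR is an assumption.
SSG_DIR="${SSG_DIR:-/usr/share/scap-security-guide/bash}"
LOG_DIR="${LOG_DIR:-/var/log}"

# Remediation needs root, so refuse a script that is missing,
# a symlink, or writable by group or others.
check_script() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        echo "not a regular file: $1" >&2
        return 2
    fi
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "group- or world-writable, refusing: $1" >&2
        return 3
    fi
    return 0
}

# Run one remediation script through bash (no chmod on the folder needed),
# keep its output in a log, and return its exit status.
run_remediation() {
    local name script log rc
    name="$1"
    script="$SSG_DIR/$name"
    check_script "$script" || return $?
    log="$LOG_DIR/ssg-remediation-${name%.sh}-$(date +%Y%m%dT%H%M%S).log"
    rc=0
    bash "$script" >"$log" 2>&1 || rc=$?
    echo "remediation=$name exit=$rc log=$log"
    return "$rc"
}

# Runs only when a script name is passed as the first argument.
if [ "$#" -gt 0 ]; then
    run_remediation "$1"
fi
```

When pasting this into the remote command field, replace the final `if` block with a direct call such as `run_remediation sle15-script-standard.sh`.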
3. Example remediation Bash scripts
3.1. SUSE Linux Enterprise, openSUSE and variants
Example SUSE Linux Enterprise and openSUSE script data.
Package | scap-security-guide
Channels | SLE12: SLES12 Updates
Bash script folder |
Bash scripts | opensuse-script-standard.sh
3.2. Red Hat Enterprise Linux and CentOS Bash script data
Example Red Hat Enterprise Linux and CentOS script data.
Package | scap-security-guide-redhat
Channel | SUSE Manager Tools
Bash script folder |
Bash scripts | centos7-script-pci-dss.sh
3.3. Ubuntu Bash script data
Example Ubuntu script data.
Package | scap-security-guide-ubuntu
Channel | SUSE Manager Tools
Bash Script Folder |
Bash Script | ubuntu1604-script-anssi_np_nt28_average.sh
3.4. Debian Bash script data
Example Debian script data.
Package | scap-security-guide-debian
Channel | SUSE Manager Tools
Bash Script Folder |
Bash Scripts | debian10-script-anssi_np_nt28_average.sh