Oracle® Solaris 11.4 Compliance Guide

Updated: August 2021
 
 

Running Multiple Remote Assessments

The compliance assess -r example-roster command runs assessments on all systems in the roster from your local system. The assessments run asynchronously, so you can continue to work on your system while the results come in. You create rosters with the compliance roster -r rostername command. For more information, see the compliance-roster(8) man page and the procedures in this section.

How to Create a Roster for Multiple Remote Assessments

In this procedure, you create a roster to run assessments on several remote systems at once. Rosters use the node parameter to identify systems.

Before You Begin

You must become an administrator who is assigned the Compliance Assessor rights profile on both systems. For more information, see Configuring Administrators to Run Remote Compliance Commands. See also Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Name the roster.
    $ pfexec compliance roster -r example-roster
    *** compliance roster: No existing roster: 'example-roster', initializing
    roster:example-roster>
  2. Add two systems to the roster.
    roster:example-roster> add node
    roster:example-roster/node> node node1
    roster:example-roster/node/node1> end
    roster:example-roster> add node
    roster:example-roster/node> node node3 ; end
    roster:example-roster> info; expand
    info:  roster:example-roster, 2 node(s)
      node:node1
      node:node3
  3. Commit your changes.
    roster:example-roster> commit; list
    example-roster
    roster:example-roster> exit
  4. (Optional) Specify more details for the nodes.
    $ pfexec compliance roster -r example-roster
    roster:example-roster> select node=node1
    roster:example-roster/node:node1>  help structure
     The roster hierarchy consists of these object types
     and their associated properties:
        roster: (policy, match)
            node: (policy, match)
            group: (policy, match)
                node: (policy, match)

    At the node level, you can specify a policy different from the default policy. You can also tag the assessment with a keyword-value pair, and then later match assessments based on the tag.

  5. (Optional) View the contents of the roster.

    The expand subcommand in Step 2 displays the contents of the roster.

    You can also export the roster to view it in an editor.

    $ pfexec compliance roster -r example-roster
    roster:example-roster> export -o example-roster.txt
  6. (Optional) Modify the contents of the roster.

    You must be in the correct scope of the roster to change an item.

    For example, to change a node name that you mistyped, go to the node and change the node name.

    $ pfexec compliance roster -r example-roster
    roster:example-roster> select node node=node3
    roster:example-roster/node:node3> node node2; end
    roster:example-roster> commit; expand
      node:node1
      node:node2

Example 19  Setting Compliance Policy in a Roster

In this example, the administrator sets a policy on the node that is different from the default policy on the system.

$ pfexec compliance roster -r example-roster
roster:example-roster> select node=mysparc
roster:example-roster/node:mysparc> help policy
Syntax: policy [-b benchmark] [-p profile] [-t tailoring]
 sets the policy within the current scope
 The -p option can't be used with the -t option.
 Use no options to specify that this scope will inherit from an upper scope.
roster:example-roster> select node=mysparc
roster:example-roster/node:mysparc> policy -b solaris -p Recommended
roster:example-roster/node:mysparc>  end
roster:example-roster> commit
roster:example-roster> info ; expand
info:  roster:example-roster, 2 node(s)
  node:myx86
  node:mysparc       profile=Recommended benchmark=solaris

At the roster level, the policy subcommand would set the policy for all nodes in the roster that did not have an explicit policy setting at the node level. When you run the assessments using the roster, the default compliance policy that is set on the systems that are being assessed is not used.

Example 20  Canceling an Error in a Roster

In this example, the administrator notes the error as it is made and cancels it.

roster:example-roster/node:mysparc> policy -b solaris -p Baseline
roster:example-roster/node:mysparc> cancel
Canceling node modifications
roster:example-roster/node:mysparc> policy -b solaris -p Recommended
roster:example-roster/node:mysparc> info
info:  node:mysparc policy(-b solaris -p Recommended)

Example 21  Renaming a Group, Node, or Roster

In this example, the administrator renames existing rosters, groups, and nodes in the interactive editor and commits the changes.

roster:example-roster> select node=mysparc
roster:example-roster/node:mysparc> node mysparc1   << renamed node
roster:example-roster/node:mysparc1> end
roster:example-roster> roster myexample1            << renamed roster
roster:myexample1> select group=labsystems
roster:myexample1/group:labsystems> group labs      << renamed group
roster:myexample1/group:labs> end
roster:myexample1> commit

Example 22  Importing a Corrected Roster

In this example, the administrator found an error in a group name. Rather than recreate the group in the interactive editor, the administrator exported the roster, fixed the spelling, gave the roster a new name, imported the new version, and deleted the original roster.

$ pfexec compliance roster -r trial1
roster:mysparc> export -o trial1.txt; exit
$ cp trial1.txt trial2.txt
$ pfedit trial2.txt
roster trial1
policy -b solaris -p Recommended
add group=sarc
  add node=mysparc1
    end
  add node=mysparc2
    end
  end

roster mysparcs
policy -b solaris -p Recommended
add group=sparc
  add node=mysparc1
    end
  add node=mysparc2
    end
  end
:wq
$ pfexec compliance roster -f trial2.txt
roster:mysparcs>  info ; expand
info:  roster:mysparcs policy(-b solaris -p Recommended), 1 group(s)
  node:mysparc1  profile=Recommended benchmark=solaris
  node:mysparc2  profile=Recommended benchmark=solaris
roster:mysparcs>  commit
roster:mysparcs>  list
        mysparcs
        trial1
roster:mysparcs> roster trial1
roster:trial1> delete
OK to delete roster 'trial1' (y/N)? y
$
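
Before you run compliance assess -r against a roster, you can confirm which policy each node will be assessed against and which nodes will fall back to the policy set on the host. The following Python code is an added example, not part of the Oracle documentation: it reads a roster file laid out as in Example 22 and resolves each node's policy through the node, group, and roster scopes. The function names and the sample roster are constructed, and the code assumes that the nearest scope with a policy applies as a whole and that a node's policy line follows its add line.

```python
import shlex

# Constructed sample in the layout of the roster file shown in Example 22.
SAMPLE = """\
roster mysparcs
policy -b solaris -p Recommended
add group=sparc
  add node=mysparc1
    end
  add node=mysparc2
    policy -b solaris -p Baseline
    end
  end

roster unpinned
add node=myx86
  end
"""

def effective_policies(text):
    """Return {roster: {node: options or None}}; None means no scope set a policy."""
    result, stack = {}, []              # stack holds [kind, name, policy] scopes
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        cmd = words[0]
        if cmd == "roster":             # a new roster resets the scope stack
            stack = [["roster", words[1], None]]
            result[words[1]] = {}
        elif cmd == "add":              # add group=NAME or add node=NAME
            kind, _, name = words[1].partition("=")
            stack.append([kind, name, None])
        elif cmd == "policy":           # no options means inherit from above
            opts = dict(zip(words[1::2], words[2::2]))
            if "-p" in opts and "-t" in opts:
                raise ValueError(f"line {lineno}: -p can't be used with -t")
            stack[-1][2] = opts
        elif cmd == "end" and len(stack) > 1:
            kind, name, _ = stack[-1]
            if kind == "node":          # innermost scope with a policy wins
                found = next((s[2] for s in reversed(stack) if s[2]), None)
                result[stack[0][1]][name] = found
            stack.pop()
    return result

def unpinned_nodes(text):
    """List (roster, node) pairs that would use the host's own default policy."""
    return [(r, n) for r, nodes in effective_policies(text).items()
            for n, pol in nodes.items() if pol is None]

if __name__ == "__main__":
    print(effective_policies(SAMPLE), unpinned_nodes(SAMPLE))
```

Nodes returned by unpinned_nodes are the ones whose results depend on the policy configured on the remote host, so they are the ones to review if the assessment must use a specific benchmark and profile.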

How to Run Asynchronous Remote Assessments

In this procedure, you use a roster to run assessments on several remote nodes at once.

Before You Begin

You must become an administrator who is assigned the Compliance Assessor rights profile on both systems. For more information, see Configuring Administrators to Run Remote Compliance Commands. See also Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Use a roster to run assessments of the hosts in the roster.

    If no policy was set in the roster, group, or node scope of the roster, the assessments will use the compliance policy that is set on the individual hosts.

    $ pfexec compliance assess -r example-roster
    Assessment will be named 'example-roster.YYYY-MM-DD,HH:mm'
  2. (Optional) On the local system, view the progress of the assessments.
    $ compliance list -av 'example-roster.YYYY-MM-DD,HH:mm'
            example-roster.YYYY-MM-DD,HH:mm
                UUID: ab345678-1111-1111-1111-12345678abcd
                    Benchmark=benchmark
                    Profile=profile
                    Status=Running
                    Node=node1
                    ...

    You can also check the Status tag.

    $ compliance list -am Status=Running
            ab345678-1111-1111-1111-12345678abcd
                    Name=example-roster.YYYY-MM-DD,HH:mm

    You can also run these commands on the remote systems.

    For more information, see the compliance-roster(8) man page.