man pages section 8: System Administration Commands

Updated: Wednesday, July 27, 2022
compliance-roster(8)

Name

compliance-roster - administer compliance roster

Synopsis

compliance roster [–r rostername]
compliance roster [–r rostername] subcommand
compliance roster [–r rostername] -f command_file
compliance roster help

Description

A roster specifies a set of systems to be assessed and how each is to be assessed. The compliance roster utility creates, modifies, and lists rosters. The creation and modification functions are only available to users with the solaris.compliance.assess authorization. Users assigned the Compliance Assessor rights profile have the rights to create and modify rosters. For any other user, the utility runs in read-only mode.

A roster contains a hierarchy of constituents. There are properties at each level of the hierarchy, including the roster level. The properties set on a member specify the default values for that member or for any lower levels, but may be overridden by explicit property settings at lower levels.

To simplify the user interface, compliance roster uses the concept of a scope. The default, outermost, scope is roster.

The following synopsis of the compliance roster command is for interactive usage:

compliance roster –r rostername subcommand

Parameters changed through compliance roster do not affect a running assessment.

Constituents

A roster at the top level is a list of constituents, together with the default assessment properties to be applied to each.

The following constituent types are supported:

node

Specification of a single node to be assessed.

group

An explicit list of constituents, together with default assessment properties to be applied to each. A group constituent cannot include a group.

Properties

Each constituent has one or more properties. There are also some global properties, that is, properties of the roster as a whole, rather than of some particular constituent.

The following properties are supported within the indicated scopes:

group

group scope only.

The group value is a user-selected name for this group.

match

group, node, and roster scopes

The match value is match data to be applied in the assessment of node constituents. Each constituent inherits the match property from higher levels unless explicitly overridden. If there is no match property set on or inherited by a node, the default match data set on that node will be used.

node

node scope only

The node value identifies a specific node; the value is interpreted as a RAD URI. The value can be expressed as a nodename (for example, the output of hostname), an IP address, or a fully-qualified domain name, in which case it will be coerced to the RAD URI form. The scheme defaults to 'ssh', 'user' defaults to the current user, and 'port' defaults to the standard RAD port. Note that the RAD URI specified must not require interactive authentication (for example, a password prompt). For more information on RAD URIs, see the rad(8) man page.

policy

group, node, and roster scopes

The policy value is composed of benchmark, profile, and tailoring subvalues to determine the assessment policy parameters for node constituents. Each constituent inherits the policy property from higher levels unless explicitly overridden. When overridden, the overriding policy replaces all of the benchmark, profile, and tailoring subvalues. The value of the policy property is interpreted in the context of the assessing node when an assessment is run. If there is no policy property set on or inherited by a node, the default policy set on that node will be used.

roster

roster scope only

The roster property is the name of the roster.

Properties with a property-name which matches the constituent are called scope properties. The scope property must be set for the scope to be verifiable.

Options

The following options are supported:

–f command_file

Specify the name of a roster command file. The command_file is a text file of roster subcommands, one per line. If the script does not cause the command invocation to terminate due to a delete or exit subcommand, the command will default to interactive operation at the end of the script.

–r roster

Specify the name of a roster. Roster names are case sensitive. Roster names can contain alphanumeric characters, the underscore (_), the hyphen (-), and the dot (.).

Sub Commands

You can use the add and select subcommands to select a specific constituent, at which point the scope changes to that constituent. The end and cancel subcommands are used to complete the constituent specification, at which time the active scope is returned back to the containing scope. Certain subcommands, such as add, remove and set, have different semantics in each scope.

compliance roster supports a semicolon-separated list of subcommands. For example:

# compliance roster -r myroster "add node; set node=mynode; end"

Subcommands which can result in destructive actions or loss of work have an –F option to force the action. If input is from a terminal device, the user is prompted, when appropriate, if such a command is given without the –F option. Otherwise, if such a command is given without the –F option, the action is disallowed with a diagnostic message written to standard error.

The following operands are supported:

add node[=node-value]
add group[=group-value]

Begins the specification for a given constituent. If a value is specified, the constituent property is set to that value. The scope is changed to that constituent.

cancel

Ends the constituent specification and resets the scope to the containing scope. Abandons any partially specified constituent. The cancel subcommand is only applicable in a constituent scope.

commit

Commits the current roster from memory to stable storage. The roster must be committed to be used by compliance assess. Until the in-memory roster is committed, you can remove changes with the revert subcommand. The commit operation is attempted automatically upon completion of a compliance roster session. Since a roster must be correct to be committed, this operation automatically does a verify.

delete [–F]

Deletes the specified roster from memory and stable storage. This action is instantaneous, no commit is necessary. A deleted roster cannot be reverted.

Specify the –F option to force the action.

expand

Shows the effective list of nodes and associated assessment parameters.

end

Ends the constituent specification. This subcommand is only applicable in the constituent scope. compliance roster performs an implicit verify operation to ensure the current constituent is valid. If so, it is added to the in-memory roster (see commit for saving this to stable storage) and the scope reverts to the containing scope. If the verification fails, it issues an appropriate error message.

export [–o output-file]

Prints the current scope and its members to standard output. Use the –o option to direct the output to the output-file. This option produces output in a form suitable for use in a command file.

group name (group scope only)

Sets or changes the name of the group.

help [subcommand]

Prints general help or help about a given topic.

info name
info [constituent-type [property-name=property-value]*]

Displays information about the current scope. If constituent-type is specified, it displays information only about constituents of the relevant type within the current scope. If any property-name value pairs are specified, it displays information only about constituents meeting the given criteria. In the constituent scope, info displays information about the constituent which is currently being added or modified.

list

Lists the names of rosters in stable storage.

load [–F] rostername

Loads the specified roster into memory from stable storage. If there is an uncommitted roster in memory, confirmation is sought before it is discarded.

Specify the –F option to force the action.

match [matches]

Sets the match property for this constituent. The matches value is a comma-separated list of keys or key=value pairs. If no matches parameter is specified, this constituent will inherit its match property from higher level scopes.

node node-URI (node scope only)

Sets or changes the node property (node-URI) of the node constituent.

policy [–b benchmark] [–p profile] [–t tailoring]

Sets the policy property for this constituent. If none of the options are specified, this constituent will inherit its policy from higher level scopes.

remove [–F] [constituent-type] [property-name=property-value]

Removes the constituents with matching constituent types or property values contained immediately within the current scope. The [] syntax means 0 or more of whatever is inside the square brackets. If you want to remove only a single instance of the constituent, you must specify enough property name=value pairs for the constituent to be uniquely identified. If no property name=value pairs are specified, all instances will be removed. If more than one constituent is matched, a confirmation is required, unless you use the –F option.

roster name (roster scope only)

Sets or changes the name of the roster.

select [constituent-type] [property-name=property-value]

Selects the constituent within the current scope of the given type which matches the given constituent type or the given property-name property-value pair criteria, for modification. The scope is changed to the selected constituent. The [] syntax means 0 or more of whatever is inside the square braces. You must specify enough property-name property-value pairs for the constituent to be uniquely identified.

verify [–v]

Verifies the current scope for correctness. The member scope property must be set in this scope, and if there is a parent scope, the value must be unique in that scope.

revert [–F]

Reverts the current scope back to the last state when the scope was selected. For the roster scope, this would be the state when last committed. The –F option can be used to force the action.

exit [–F]

Exit the compliance roster session. A verify and commit is automatically attempted if needed. The –F option can be used to bypass any commit. You can also use an EOF character to exit compliance roster.

Exit Status

The following exit values are returned:

0

Successful completion

1

An error occurred.

2

Invalid usage.

Examples

Example 1 Creating a New Roster

In the following example, compliance roster creates a new roster. The new roster, myroster, contains two nodes, 10.20.30.40 and mynode1, to be assessed against the Solaris Baseline and Solaris Recommended profiles, respectively.

example# compliance roster -r myroster
compliance: No existing roster: 'myroster', initializing
roster:myroster> add node
roster:myroster/node> node 10.20.30.40
roster:myroster/node:10.20.30.40> policy -b solaris -p Baseline
roster:myroster/node:10.20.30.40> end
roster:myroster> add node
roster:myroster/node> node mynode1
roster:myroster/node:mynode1> policy -b solaris -p Recommended
roster:myroster/node:mynode1> end
roster:myroster> exit

Example 2 Deriving a New Roster from an Existing Roster

In the following example, compliance roster creates a new roster. The new roster, myroster2, is derived from the existing roster myroster. The benchmark for mynode1 is set to pci-dss, and a node test_lab is added to run with the default assessment parameters.

example# compliance roster -r myroster
roster:myroster> roster myroster2
roster:myroster2> select node=mynode1
roster:myroster2/node:mynode1> policy -b pci-dss
roster:myroster2/node:mynode1> end
roster:myroster2> add node
roster:myroster2/node> node test_lab
roster:myroster2/node:test_lab> end
roster:myroster2> exit

Example 3 Changing the Name of a Roster

The following example shows how to change the name of an existing roster:

example# compliance roster -r myroster
roster:myroster> roster myroster2
roster:myroster2> commit
roster:myroster2> roster myroster
roster:myroster> delete

Example 4 Creating a New Roster with Functional Grouping

In the following example, compliance roster creates a new roster. The new roster, functional, contains two groups, database and webserver, to be assessed against the pci-dss and solaris profiles, respectively.

example# compliance roster -r functional
functional: No such roster exists
roster:functional> policy -b solaris -p Recommended
roster:functional> add group
roster:functional/group> group database
roster:functional/group:database> policy -b pci-dss
roster:functional/group:database> add node=employees.hr.example.com; end
roster:functional/group:database> add node=records.sales.example.com; end
roster:functional/group:database> match database
roster:functional/group:database> end
roster:functional> add group
roster:functional/group> group webserver
roster:functional/group:webserver> add node=info.hr.example.com; end
roster:functional/group:webserver> add node=manuals.mkt.example.com; end
roster:functional/group:webserver> match webserver
roster:functional/group:webserver> end
roster:functional> expand
 node=employees.hr.example.com -b pci-dss -m database
 node=records.sales.example.com -b pci-dss -m database
 node=info.hr.example.com -b solaris -p Recommended -m webserver
 node=manuals.mkt.example.com -b solaris -p Recommended -m webserver
roster:functional> exit
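To make the scope rules and the property-inheritance semantics concrete (the semicolon-separated subcommand list described under Sub Commands, and the rule that an overriding policy replaces all of -b/-p/-t while match and policy are otherwise inherited downward), here is an added Python model that is not Oracle's code: it interprets the subset of subcommands used in Example 4 and reproduces the output of expand. The leading-space output layout, the rejection of a group inside a group, and the implicit verify on end follow the description above; the EXAMPLE4 script is Example 4 rewritten as a command file.

```python
import shlex

def new_scope(kind, name=None):   # policy/match None means "inherit from above"
    return {"kind": kind, "name": name, "policy": None, "match": None, "members": []}

def run_roster(rostername, script):
    """Interpret ';'- or newline-separated subcommands; return expand's output lines."""
    stack, expanded = [new_scope("roster", rostername)], []
    for argv in filter(None, map(shlex.split, script.replace("\n", ";").split(";"))):
        op, args, cur = argv[0], argv[1:], stack[-1]
        if op == "add":                          # add node[=value] / add group[=value]
            kind, _, value = args[0].partition("=")
            if kind == "group" and cur["kind"] == "group":
                raise ValueError("a group constituent cannot include a group")
            cur["members"].append(new_scope(kind, value or None))
            stack.append(cur["members"][-1])     # scope changes to the new constituent
        elif op in ("roster", "group", "node"):  # set the scope property
            cur["name"] = args[0]
        elif op == "policy":                     # an override replaces all of -b/-p/-t
            cur["policy"] = dict(zip(args[::2], args[1::2])) or None
        elif op == "match":                      # no value: inherit again
            cur["match"] = args[0] if args else None
        elif op == "end":                        # implicit verify, then pop the scope
            if cur["kind"] == "roster" or cur["name"] is None:
                raise ValueError("end: no constituent open or its scope property is unset")
            stack.pop()
        elif op == "expand":
            expanded = expand(stack[0])
    return expanded

def expand(scope, policy=None, match=None, out=None):
    """Walk the hierarchy applying the inheritance rules for policy and match."""
    out = [] if out is None else out
    policy = scope["policy"] if scope["policy"] is not None else policy
    match = scope["match"] if scope["match"] is not None else match
    if scope["kind"] == "node":
        parts = [f"node={scope['name']}"]
        parts += [x for f in ("-b", "-p", "-t") if policy and f in policy for x in (f, policy[f])]
        if match:
            parts += ["-m", match]
        out.append(" " + " ".join(parts))
    for member in scope["members"]:
        expand(member, policy, match, out)
    return out
# Example 4 from this page, written as a subcommand script (constructed for this model)
EXAMPLE4 = ("policy -b solaris -p Recommended; add group; group database; policy -b pci-dss; "
            "add node=employees.hr.example.com; end; add node=records.sales.example.com; end; "
            "match database; end; add group; group webserver; add node=info.hr.example.com; end; "
            "add node=manuals.mkt.example.com; end; match webserver; end; expand")
```

Note that the database group's policy override carries no -p, so its nodes lose the roster-level Recommended profile exactly as the expand output above shows.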

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           security/compliance
Interface Stability    Committed

See Also

compliance(8), compliance-tailor(8), hostname(1)

Notes

All character data used by compliance roster must be in US-ASCII encoding.

History

The compliance roster utility was added in Oracle Solaris 11.4.0.