compliance-roster - administer compliance roster
compliance roster [-r rostername]
compliance roster [-r rostername] subcommand
compliance roster [-r rostername] -f command_file
compliance roster help
A roster specifies a set of systems to be assessed and how each is to be assessed. The compliance roster utility creates, modifies, and lists rosters. The creation and modification functions are only available to users with the solaris.compliance.assess authorization. Users assigned the Compliance Assessor rights profile have the rights to create and modify rosters. Otherwise, the utility runs in read-only mode.
A roster contains a hierarchy of constituents. There are properties at each level of the hierarchy, including the roster level. The properties set on a member specify the default values for that member or for any lower levels, but may be overridden by explicit property settings at lower levels.
To simplify the user interface, compliance roster uses the concept of a scope. The default, outermost scope is the roster scope.
The following synopsis of the compliance roster command is for interactive usage:
compliance roster -r rostername subcommand
Parameters changed through compliance roster do not affect a running assessment.
A roster at the top level is a list of constituents, together with the default assessment properties to be applied to each.
The following constituent types are supported:
node
Specification of a single node to be assessed.
group
An explicit list of constituents, together with default assessment properties to be applied to each. A group constituent cannot include a group.
Each constituent has one or more properties. There are also some global properties, that is, properties of the roster as a whole, rather than of some particular constituent.
The following properties are supported within the indicated scopes:
group
group scope only
The group value is a user-selected name for this group.
match
group, node, and roster scopes
The match value is match data to be applied in the assessment of node constituents. Each constituent inherits the match property from higher levels unless explicitly overridden. If there is no match property set on or inherited by a node, the default match data set on that node will be used.
node
node scope only
The node value identifies a specific node; the value is interpreted as a RAD URI. The value can be expressed as a nodename (for example, the output of hostname), an IP address, or a fully-qualified domain name, in which case it will be coerced to the RAD URI form. The scheme defaults to 'ssh', 'user' defaults to the current user, and 'port' defaults to the standard RAD port. Note that the RAD URI specified must not require interactive authentication (for example, a password prompt). For more information on RAD URIs, see the rad(8) man page.
policy
group, node, and roster scopes
The policy value is composed of benchmark, profile, and tailoring subvalues that determine the assessment policy parameters for node constituents. Each constituent inherits the policy property from higher levels unless explicitly overridden. When overridden, the overriding policy replaces all of the benchmark, profile, and tailoring subvalues. The value of the policy property is interpreted in the context of the assessing node when an assessment is run. If there is no policy property set on or inherited by a node, the default policy set on that node will be used.
roster
roster scope only
The roster property is the name of the roster.
A property whose name is the same as the scope it belongs to (group, node, or roster) is called the scope property. The scope property must be set for the scope to be verifiable.
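The inheritance rule above is easy to misread in an expand listing: an overriding policy replaces all three subvalues, so a group that sets only a benchmark does not keep the roster-level profile. The following Python model is an added example, not code from this man page or from Oracle Solaris; the Scope and Policy classes are constructed, and the sample roster follows the functional roster of Example 4 below.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    # Subvalues of the policy property (the page shows no expand flag for
    # tailoring, so only -b and -p are rendered below).
    benchmark: Optional[str] = None
    profile: Optional[str] = None
    tailoring: Optional[str] = None

@dataclass
class Scope:
    kind: str                         # "roster", "group" or "node"
    name: str
    policy: Optional[Policy] = None   # None: inherit from the containing scope
    match: Optional[str] = None       # None: inherit from the containing scope
    members: list = field(default_factory=list)

def effective(scope, policy=None, match=None):
    """Yield (node, effective policy, effective match) for every node.
    A policy set on a scope replaces the inherited one as a whole, so a
    group that sets only the benchmark also drops the roster's profile."""
    policy = scope.policy if scope.policy is not None else policy
    match = scope.match if scope.match is not None else match
    if scope.kind == "node":
        yield scope.name, policy, match
    for member in scope.members:
        yield from effective(member, policy, match)

def expand(scope):
    """Render each node the way the expand subcommand prints it."""
    lines = []
    for node, pol, match in effective(scope):
        pol = pol or Policy()
        parts = [f"node={node}"]
        for flag, val in (("-b", pol.benchmark), ("-p", pol.profile), ("-m", match)):
            if val:
                parts += [flag, val]
        lines.append(" ".join(parts))
    return lines

def functional_roster():
    # Constructed to follow the "functional" roster of Example 4 on this page.
    node = lambda n: Scope("node", n)
    return Scope("roster", "functional", Policy("solaris", "Recommended"), members=[
        Scope("group", "database", Policy("pci-dss"), "database",
              [node("employees.hr.widget.com"), node("records.sales.widget.com")]),
        Scope("group", "webserver", None, "webserver",
              [node("info.hr.widget.com"), node("manuals.mkt.widget.com")])])
```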
The following options are supported:
-f command_file
Specify the name of a roster command file. The command_file is a text file of roster subcommands, one per line. If the script does not cause the command invocation to terminate due to a delete or exit subcommand, the command will default to interactive operation at the end of the script.
-r rostername
Specify the name of a roster. Roster names are case sensitive. Roster names can contain alphanumeric characters, the underscore (_), the hyphen (-), and the dot (.).
You can use the add and select subcommands to select a specific constituent, at which point the scope changes to that constituent. The end and cancel subcommands are used to complete the constituent specification, at which time the active scope is returned to the containing scope. Certain subcommands, such as add, remove, and set, have different semantics in each scope.
compliance roster supports a semicolon-separated list of subcommands. For example:
# compliance roster -r myroster "add node; set node=mynode; end"
Subcommands which can result in destructive actions or loss of work have an -F option to force the action. If input is from a terminal device, the user is prompted, when appropriate, if such a command is given without the -F option. Otherwise, if such a command is given without the -F option, the action is disallowed with a diagnostic message written to standard error.
The following operands are supported:
add
Begins the specification for a given constituent. If a value is specified, the constituent property is set to that value. The scope is changed to that constituent.
cancel
Ends the constituent specification and resets the scope to the containing scope. Abandons any partially specified constituents. The cancel subcommand is only applicable in a constituent scope.
commit
Commits the current roster from memory to stable storage. The roster must be committed before it can be used by compliance assess. Until the in-memory roster is committed, you can discard changes with the revert subcommand. The commit operation is attempted automatically upon completion of a compliance roster session. Since a roster must be correct to be committed, this operation automatically performs a verify.
delete
Deletes the specified roster from memory and stable storage. This action is instantaneous; no commit is necessary. A deleted roster cannot be reverted.
Specify the -F option to force the action.
expand
Shows the effective list of nodes and associated assessment parameters.
end
Ends the constituent specification. This subcommand is only applicable in a constituent scope. compliance roster performs an implicit verify operation to ensure the current constituent is valid. If so, it is added to the in-memory roster (see commit for saving this to stable storage) and the scope reverts to the containing scope. If the verification fails, an appropriate error message is issued.
Prints the current scope and its members to standard output. Use the -o option to direct the output to the output-file. This subcommand produces output in a form suitable for use in a command file.
group
Sets or changes the name of the group.
help
Prints general help or help about a given topic.
info
Displays information about the current scope. If constituent-type is specified, it displays information only about constituents of the relevant type within the current scope. If any property-name value pairs are specified, it displays information only about constituents meeting the given criteria. In a constituent scope, info displays information about the constituent which is currently being added or modified.
Lists the names of rosters in stable storage.
Loads the specified roster into memory from stable storage. If there is an uncommitted roster in memory, confirmation is sought before it is discarded.
Specify the -F option to force the action.
match
Sets the match property for this constituent. The matches value is a comma-separated list of keys or key=value pairs. If no matches parameter is specified, this constituent will inherit its match property from higher level scopes.
node
Sets or changes the node property (node-URI) of the node constituent.
policy
Sets the policy property for this constituent. If none of the options are specified, this constituent will inherit its policy from higher level scopes.
remove
Removes the constituents with matching constituent types or property values contained immediately within the current scope. The square-bracket syntax means zero or more of whatever is inside the brackets. If you want to remove only a single instance of the constituent, you must specify enough property name=value pairs for the constituent to be uniquely identified. If no property name=value pairs are specified, all instances will be removed. If more than one constituent is matched, a confirmation is required, unless you use the -F option.
roster
Sets or changes the name of the roster.
select
Selects the constituent within the current scope which matches the given constituent type or the given property-name property-value pair criteria, for modification. The scope is changed to the selected constituent. The square-bracket syntax means zero or more of whatever is inside the brackets. You must specify enough property-name property-value pairs for the constituent to be uniquely identified.
verify
Verifies the current scope for correctness. The scope property must be set in this scope, and if there is a parent scope, its value must be unique within that scope.
revert
Reverts the current scope back to the last state when the scope was selected. For the roster scope, this is the state when last committed. The -F option can be used to force the action.
exit
Exits the compliance roster session. A verify and commit are automatically attempted if needed. The -F option can be used to bypass any commit. You can also use an EOF character to exit compliance roster.
The following exit values are returned:
An error occurred.
In the following example, compliance roster creates a new roster. The new roster, myroster, contains two nodes, 10.20.30.40 and mynode1, to be assessed against the Solaris Baseline and Solaris Recommended profiles, respectively.
example# compliance roster -r myroster
compliance: No existing roster: 'myroster', initializing
roster:myroster> add node
roster:myroster/node> node 10.20.30.40
roster:myroster/node:10.20.30.40> policy -b solaris -p Baseline
roster:myroster/node:10.20.30.40> end
roster:myroster> add node
roster:myroster/node> node mynode1
roster:myroster/node:mynode> policy -b solaris -p Recommended
roster:myroster/node:mynode> end
roster:myroster> exit

Example 2 Deriving a New Roster from an Existing Roster
In the following example, compliance roster creates a new roster. The new roster, myroster2, is derived from the existing roster myroster. The benchmark for mynode1 is set to pci-dss, and a node test_lab is added to run with the default assessment parameters.
example# compliance roster -r myroster
roster:myroster> roster myroster2
roster:myroster2> select node=mynode1
roster:myroster2/node:mynode1> policy -b pci-dss
roster:myroster2/node:mynode1> end
roster:myroster2> add node
roster:myroster2/node> node test_lab
roster:myroster2/node:test_lab> end
roster:myroster2> exit

Example 3 Changing the Name of a Roster
The following example shows how to change the name of an existing roster:
example# compliance roster -r myroster
roster:myroster> roster myroster2
roster:myroster2> commit
roster:myroster2> roster myroster
roster:myroster> delete

Example 4 Creating a New Roster with Functional Grouping
In the following example, compliance roster creates a new roster. The new roster, functional, contains two groups, database and webserver, to be assessed against the pci-dss and solaris profiles, respectively.
example# compliance roster -r functional
functional: No such roster exists
roster:functional> policy -b solaris -p Recommended
roster:functional> add group
roster:functional/group> group database
roster:functional/group:database> policy -b pci-dss
roster:functional/group:database> add node=employees.hr.widget.com; end
roster:functional/group:database> add node=records.sales.widget.com; end
roster:functional/group:database> match database
roster:functional/group> end
roster:functional> add group
roster:functional/group> group webserver
roster:functional/group:webserver> add node=info.hr.widget.com; end
roster:functional/group:webserver> add node=manuals.mkt.widget.com; end
roster:functional/group:webserver> match webserver
roster:functional/group:webserver> end
roster:functional> expand
node=employees.hr.widget.com -b pci-dss -m database
node=records.sales.widget.com -b pci-dss -m database
node=info.hr.widget.com -b solaris -p Recommended -m webserver
node=manuals.mkt.widget.com -b solaris -p Recommended -m webserver
roster:functional> exit
See attributes(7) for descriptions of the following attributes:
All character data used by compliance roster must be in US-ASCII encoding.