How to Create a Roster for Multiple Remote Assessments

You must become an administrator who is assigned the Compliance Assessor rights profile on both systems. For more information, see Configuring Administrators to Run Remote Compliance Commands. See also Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

In this procedure, you create a roster to run assessments on several remote systems at once. Rosters use the node parameter to identify systems.

  1. Name the roster.
    $ pfexec compliance roster -r example-roster
    *** compliance roster: No existing roster: 'example-roster', initializing
    roster:example-roster>
  2. Add two systems to the roster.
    roster:example-roster> add node
    roster:example-roster/node> node node1
    roster:example-roster/node/node1> end
    roster:example-roster> add node
    roster:example-roster/node> node node3; end
    roster:example-roster> info; expand
    info:  roster:example-roster, 2 node(s)
      node:node1
      node:node3
  3. Commit your changes.
    roster:example-roster> commit; list
    example-roster
    roster:example-roster> exit
  4. Specify more details for the nodes.
    $ pfexec compliance roster -r example-roster
    roster:example-roster> select node=node1
    roster:example-roster/node:node1> help structure
     The roster hierarchy consists of these object types
     and their associated properties:
        roster: (policy, match)
            node: (policy, match)
            group: (policy, match)
                node: (policy, match)

    At the node level, you can specify a policy different from the default policy. You can also tag the assessment with a keyword-value pair, and then later match assessments based on the tag.

  5. View the contents of the roster.

    The expand subcommand in Step 2 displays the contents of the roster.

    You can also export the roster to view it in an editor.

    $ pfexec compliance roster -r example-roster
    roster:example-roster> export -o example-roster.txt
  6. Modify the contents of the roster.

    You must be in the correct scope of the roster to change an item.

    For example, to change a node name that you mistyped, go to the node and change the node name.

    $ pfexec compliance roster -r example-roster
    roster:example-roster> select node node=node3
    roster:example-roster/node:node3> node node2; end
    roster:example-roster> commit; expand
      node:node1
      node:node2

Example 2-6 Setting Compliance Policy in a Roster

In this example, the administrator sets a policy on the node that is different from the default policy on the system.

$ pfexec compliance roster -r example-roster
roster:example-roster> select node=mysparc
roster:example-roster/node:mysparc> help policy
Syntax: policy [-b benchmark] [-p profile] [-t tailoring]
 sets the policy within the current scope
 The -p option can't be used with the -t option.
 Use no options to specify that this scope will inherit from an upper scope.
roster:example-roster> select node=mysparc
roster:example-roster/node:mysparc> policy -b solaris -p Recommended
roster:example-roster/node:mysparc>  end
roster:example-roster> commit
roster:example-roster> info ; expand
info:  roster:example-roster, 2 node(s)
  node:myx86
  node:mysparc       profile=Recommended benchmark=solaris

At the roster level, the policy subcommand would set the policy for all nodes in the roster that did not have an explicit policy setting at the node level. When you run the assessments using the roster, the default compliance policy that is set on the systems that are being assessed is not used.

Example 2-7 Canceling an Error in a Roster

In this example, the administrator notes the error as it is made and cancels it.

roster:example-roster/node:mysparc> policy -b solaris -p Baseline
roster:example-roster/node:mysparc> cancel
Canceling node modifications
roster:example-roster/node:mysparc> policy -b solaris -p Recommended
roster:example-roster/node:mysparc> info
info:  node:mysparc policy(-b solaris -p Recommended)

Example 2-8 Renaming a Group, Node, or Roster

In this example, the administrator renames existing rosters, groups, and nodes in the interactive editor and commits the changes.

roster:example-roster> select node=mysparc
roster:example-roster/node:mysparc> node mysparc1   << renamed node
roster:example-roster/node:mysparc1> end
roster:example-roster> roster myexample1            << renamed roster
roster:myexample1> select group=labsystems
roster:myexample1/group:labsystems> group labs      << renamed group
roster:myexample1/group:labs> end
roster:myexample1> commit

Example 2-9 Importing a Corrected Roster

In this example, the administrator found an error in a group name. Rather than recreate the group in the interactive editor, the administrator exported the roster, fixed the spelling, gave the roster a new name, imported the new version, and deleted the original roster.

$ pfexec compliance roster -r trial1
roster:mysparc> export -o trial1.txt; exit
$ cp trial1.txt trial2.txt
$ pfedit trial2.txt
roster trial1
policy -b solaris -p Recommended
add group=sarc
  add node=mysparc1
    end
  add node=mysparc2
    end
  end

roster mysparcs
policy -b solaris -p Recommended
add group=sparc
  add node=mysparc1
    end
  add node=mysparc2
    end
  end
:wq
$ pfexec compliance roster -f trial2.txt
roster:mysparcs>  info ; expand
info:  roster:mysparcs policy(-b solaris -p Recommended), 1 group(s)
  node:mysparc1  profile=Recommended benchmark=solaris
  node:mysparc2  profile=Recommended benchmark=solaris
roster:mysparcs>  commit
roster:mysparcs>  list
        mysparcs
        trial1
roster:mysparcs> roster trial1
roster:trial1> delete
OK to delete roster 'trial1' (y/N)? y
$
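
The following Python check is an added example, not part of the Oracle documentation. It can be run on an exported roster file before the file is re-imported with `compliance roster -f`: it parses the layout shown in Example 2-9, rejects structural mistakes, and reports the policy that each node resolves to under the scope inheritance described after Example 2-6. The function name, the sample data, and the assumption that a group-level or node-level `policy` line appears inside its `add` block are illustrative.

```python
import shlex

# Constructed sample; layout follows Example 2-9 (node-level policy line assumed).
SAMPLE = """\
roster mysparcs
policy -b solaris -p Recommended
add group=sparc
  add node=mysparc1
    end
  add node=mysparc2
    policy -b solaris -p Baseline
    end
  end
add node=myx86
  end
"""

ALLOWED = {"roster": ("group", "node"), "group": ("node",), "node": ()}  # help structure

def effective_policies(text):
    """Return {roster/group/node path: policy options or None if unset}."""
    stack, result = [], {}  # stack entries: [kind, name, explicit policy]
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0] == "roster" and len(words) == 2 and not stack:
            stack.append(["roster", words[1], None])
        elif not stack:
            raise ValueError(f"line {lineno}: statement outside a roster")
        elif words[0] == "policy":
            stack[-1][2] = " ".join(words[1:]) or None  # no options: inherit
        elif words[0] == "add" and len(words) == 2 and "=" in words[1]:
            kind, name = words[1].split("=", 1)
            if kind not in ALLOWED[stack[-1][0]] or not name:
                raise ValueError(f"line {lineno}: bad {words[1]!r} in this scope")
            stack.append([kind, name, None])
        elif words[0] == "end" and len(stack) > 1:
            if stack[-1][0] == "node":
                path = "/".join(s[1] for s in stack)
                if path in result:
                    raise ValueError(f"line {lineno}: duplicate node {path}")
                # Nearest explicit policy wins: node, then group, then roster.
                result[path] = next((s[2] for s in reversed(stack) if s[2]), None)
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unexpected {raw.strip()!r}")
    if len(stack) > 1:
        raise ValueError(f"unclosed {stack[-1][0]} {stack[-1][1]!r}")
    return result
```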