Closed mastier closed 2 months ago
While I don't like that we're still relying on nrpe for CIS audit, the request is pretty straightforward and only requires amending the usg call in cron_cis_audit.py and adding the required charm config.
Context about the tailoring file can be found here: https://ubuntu.com/security/certifications/docs/usg/cis/customization
Cool, thanks @aieri for that triage.
@aieri Could we put that on the roadmap? That will be required for our client.
Yes, we are planning to work on it this pulse.
Currently the nrpe checker supports only the following options:
cis_audit_enabled | boolean
cis_audit_profile | string
cis_audit_score | string
None of them allows specifying a tailoring file when running the audit. That is especially crucial for complicated deployments like OpenStack, where hardening is done against multiple applications with different requirements, so the tailoring allows enabling or disabling some rules and achieving a score of 1.0.
I suggest a new option:
cis_audit_tailoringfile | string
That will be required for future Charmed OpenStack and Canonical OpenStack deployments to be able to set up this information.
If you require more details here, please let me know.