canonical / charm-nrpe

A subordinate charm used to configure nrpe (Nagios Remote Plugin Executor)
Apache License 2.0

nrpe charm should have ability to specify tailoring file for CIS audit #186

Closed mastier closed 2 months ago

mastier commented 4 months ago

Currently the nrpe checker supports only the following options:

cis_audit_enabled | boolean
cis_audit_profile | string
cis_audit_score | string

None of them allows specifying a tailoring file when running the audit. That is especially crucial for complicated deployments like Openstack, where hardening is done against multiple applications with different requirements, so tailoring allows enabling or disabling some rules and achieving a score of 1.0.

I suggest a new option:

cis_audit_tailoringfile | string

That will be required for future Charmed Openstack and Canonical Openstack deployments to be able to set up this information.

If you require more details here please let me know.

aieri commented 3 months ago

While I don't like that we're still relying on nrpe for CIS audit, the request is pretty straightforward and only requires amending the usg call in cron_cis_audit.py + adding the required charm config
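To make the suggested change concrete, here is an added illustration (not the charm's own cron_cis_audit.py and not code from the issue) of how the cron check could assemble the usg audit command from the charm config once a cis_audit_tailoringfile option exists. It assumes the config arrives as a plain dict, that the usg CLI takes `--tailoring-file <path>` as described in the USG customization docs, that a tailoring file carries its own profile selection and therefore replaces the bare profile argument, and that the binary lives at /usr/sbin/usg; the sample config values are constructed placeholders. Because the configured path ends up in a root cron job, the example validates it (absolute, normalised, existing regular file) before use instead of letting usg fail at run time.

```python
"""Build the usg audit command for the nrpe cron CIS check.

Added illustration, not the charm's own cron_cis_audit.py. Assumptions:
the charm config is a plain dict holding cis_audit_profile and the
proposed cis_audit_tailoringfile; the usg CLI accepts
`--tailoring-file <path>`; a tailoring file selects the profile itself.
All paths and names below are placeholders.
"""
import os
import shlex
from collections.abc import Callable

USG_BIN = "/usr/sbin/usg"  # assumed location of the usg binary


class TailoringFileError(ValueError):
    """Raised when cis_audit_tailoringfile cannot be used safely."""


def validate_tailoring_path(path: str,
                            is_file: Callable[[str], bool] = os.path.isfile) -> str:
    """Return the path if it is an absolute, normalised, existing file.

    The value is operator-controlled charm config, but it lands in a root
    cron job, so reject relative paths, '..' components and anything that
    is not a regular file before it reaches the command line.
    """
    if not path.startswith("/"):
        raise TailoringFileError(f"tailoring file must be an absolute path: {path!r}")
    if os.path.normpath(path) != path:
        raise TailoringFileError(f"tailoring file path is not normalised: {path!r}")
    if not is_file(path):
        raise TailoringFileError(f"tailoring file does not exist: {path!r}")
    return path


def build_usg_audit_cmd(config: dict,
                        is_file: Callable[[str], bool] = os.path.isfile) -> list[str]:
    """Assemble argv for `usg audit` from the charm config.

    When a tailoring file is set it replaces the bare profile argument
    (the profile is chosen inside the tailoring file); otherwise the
    profile is passed as today. cis_audit_score is an nrpe threshold and
    never reaches usg.
    """
    tailoring = (config.get("cis_audit_tailoringfile") or "").strip()
    profile = (config.get("cis_audit_profile") or "").strip()
    cmd = [USG_BIN, "audit"]
    if tailoring:
        cmd += ["--tailoring-file", validate_tailoring_path(tailoring, is_file)]
    elif profile:
        cmd.append(profile)
    else:
        raise ValueError("either cis_audit_profile or cis_audit_tailoringfile must be set")
    return cmd


def render_cron_line(config: dict,
                     is_file: Callable[[str], bool] = os.path.isfile,
                     schedule: str = "0 2 * * *") -> str:
    """Render the crontab entry, shell-quoting every argument."""
    argv = build_usg_audit_cmd(config, is_file)
    return f"{schedule} root " + " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample config; the tailoring path is a placeholder and
    # the is_file stub lets the example run on a machine without usg.
    sample = {
        "cis_audit_enabled": True,
        "cis_audit_profile": "cis_level1_server",
        "cis_audit_tailoringfile": "/etc/usg/tailoring/openstack.xml",
        "cis_audit_score": "1.0",
    }
    print(render_cron_line(sample, is_file=lambda p: True))
```

The `is_file` parameter exists only so the path check can be exercised without touching the filesystem; in a real charm hook the default `os.path.isfile` applies, and a rejected path should surface as a blocked-status message rather than a silently broken cron entry.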

aieri commented 3 months ago

context about the tailoring file can be found here: https://ubuntu.com/security/certifications/docs/usg/cis/customization

mastier commented 3 months ago

Cool, thanks @aieri for that triage.

mastier commented 3 months ago

@aieri Could we put that on the roadmap? That will be required for our client.

aieri commented 3 months ago

Yes, we are planning to work on it this pulse