While it is recommended that users take advantage of the
ScanSettingBinding objects to define the suites and scans, there are valid use cases to define the
ComplianceSuite objects directly:
Specifying only a single rule to scan. This can be useful for debugging together with the
debug: true attribute which increases the OpenSCAP scanner verbosity, as the debug mode tends to get quite verbose otherwise. Limiting the test to one rule helps to lower the amount of debug information.
Providing a custom nodeSelector. In order for a remediation to be applicable, the nodeSelector must match a pool.
Pointing the Scan to a bespoke config map with a tailoring file.
For testing or development when the overhead of parsing profiles from bundles is not required.
The following example shows a
ComplianceSuite that scans the worker machines with only a single rule:
- name: workers-scan
ComplianceSuite object and the
ComplianceScan objects referred to above specify several attributes in a format that OpenSCAP expects.
To find out the profile, content, or rule values, you can start by creating a similar Suite from
ScanSettingBinding or inspect the objects parsed from the
ProfileBundle objects like rules or profiles. Those objects contain the
xccdf_org identifiers you can use to refer to them from a