I’m interested to hear how people are managing compliance policies. Are you applying them at a provider/cluster level, or to individual VMs? How are you distinguishing between OS versions?
I started looking at the ShellShock policy that @jonnyfiveiq did and it’s limited to RHEL 6.5. How do folks generalize that? Rather than a “Linux Security Check” profile, do you do individual “Red Hat 6 Security Check”, “Red Hat 7 Security Check”, “Ubuntu 14 Security” profiles?
Can we use the scope on the policy to be more specific and have a single “Linux Security Check” profile that includes “RHEL 6 Shell-Shock Vulnerability”, “RHEL 7 Shell-Shock Vulnerability” and “Ubuntu 14 Shell-Shock Vulnerability” Policies?
Interested in hearing how folks are doing things.