While it is recommended that users take advantage of the ScanSetting and ScanSettingBinding objects to define the Suites and Scans, there are valid use cases to define the ComplianceSuites directly:
Specifying only a single rule to scan. This can be useful for debugging together with the
debug: true attribute which increases the OpenSCAP scanner verbosity, as the debug mode tends to get quite verbose otherwise. Limiting the test to one rule helps to lower the amount of debug information.
Providing a custom nodeSelector. In order for a remediation to be applicable, the nodeSelector must match a pool.
Pointing the Scan to a bespoke ConfigMap with a tailoring file.
For testing or development when the overhead of parsing profiles from bundles is not required.
The following example shows a ComplianceSuite that scans the worker machines with only a single rule:
- name: workers-scan
The ComplianceSuite object and the ComplianceScan objects referred to above specify several attributes in a format that OpenSCAP expects.
To find out the profile, content, or rule values, you can start by creating a similar Suite from ScanSetting and ScanSettingBinding or inspect the objects parsed from the ProfileBundles like Rules or Profiles. Those objects contain the
xccdf_org identifiers you can use to refer to them from a ComplianceSuite.