About compliance exceptions


Typically, you use compliance rules that provide enough latitude to validate most components.

For example, when defining a rule you can specify an acceptable range of values rather than a single value. Even with this flexibility, a component may not satisfy every compliance rule in some circumstances. In such a situation, you can set up compliance exceptions that excuse a particular component from meeting some or all of the compliance rules defined in the component template.

Exceptions can be defined for an entire compliance rule. You can also narrow the applicability of an exception to a specific system object if that object can be expressed as a path, such as a file with a particular name or a particular value within a configuration file.

For example, suppose you want to define a rule stating that only two user entries can exist within the /etc/passwd file. You define a compliance rule stating that the /etc/passwd configuration file must exist and that the only entries allowed within it are Admin and SupportLevel2. Such a rule would look like this:

/etc/passwd exists AND
/etc/passwd//* is one of ["Admin", "SupportLevel2"]

Using a wildcard in the second condition instructs the compliance rule to examine all values listed within the /etc/passwd configuration file.

For an individual component, you can grant an exception to this rule, which means that the rule is ignored for that component. If you want a more specific exception, you can specify a particular user entry in the configuration file that should be ignored. If you wanted to allow a user called SupportLevel1 in the /etc/passwd file, you could instruct the system to ignore the path /etc/passwd//SupportLevel1 when evaluating this compliance rule. The result is that Admin, SupportLevel1, and SupportLevel2 are all permissible entries within the /etc/passwd file for that component, while any other entry still causes the rule to fail.
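To make the difference between a whole-rule exception and a path-scoped exception concrete, here is an added toy evaluator for the /etc/passwd rule above. It is illustration code written for this page, not the product's own rule engine or exception syntax; the rule identifier "passwd-allowed-users", the function names and the sample passwd content are all constructed assumptions. An exception is modelled as either the rule identifier (the whole rule is excused for the component) or a path such as /etc/passwd//SupportLevel1 (only that entry is ignored).

```python
"""Toy evaluator for a path-scoped compliance rule with exceptions.

Added illustration for this page; not BladeLogic's engine or syntax.
"""

CONFIG_PATH = "/etc/passwd"
RULE_ID = "passwd-allowed-users"        # hypothetical rule identifier
ALLOWED_USERS = frozenset({"Admin", "SupportLevel2"})

# Constructed sample /etc/passwd content (not captured from a real host).
SAMPLE_PASSWD = """Admin:x:0:0:Administrator:/root:/bin/bash
SupportLevel2:x:1001:1001::/home/sl2:/bin/bash
SupportLevel1:x:1002:1002::/home/sl1:/bin/bash
guest:x:1003:1003::/home/guest:/bin/sh
"""


def parse_passwd(text):
    """Return the user names in passwd text, in file order (the '//*' wildcard)."""
    names = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        names.append(line.split(":", 1)[0])
    return names


def entry_path(name):
    """Path form of one entry, matching the page's /etc/passwd//<user> notation."""
    return f"{CONFIG_PATH}//{name}"


def evaluate(passwd_text, allowed=ALLOWED_USERS, exceptions=frozenset()):
    """Evaluate the rule for one component.

    passwd_text: file content, or None if the file does not exist.
    exceptions: set of strings; RULE_ID excuses the whole rule, an entry
                path excuses just that entry.
    Returns (compliant, violations, excused) where the lists hold entry paths.
    """
    if RULE_ID in exceptions:
        # Whole-rule exception: nothing is checked and nothing is reported.
        return True, [], [RULE_ID]
    if passwd_text is None:
        # First condition of the rule ("/etc/passwd exists") fails.
        return False, [f"{CONFIG_PATH} does not exist"], []
    violations, excused = [], []
    for name in parse_passwd(passwd_text):
        if name in allowed:
            continue
        path = entry_path(name)
        if path in exceptions:
            excused.append(path)      # path-scoped exception applies
        else:
            violations.append(path)   # still a violation
    return not violations, violations, excused


if __name__ == "__main__":
    # No exception: SupportLevel1 and guest are both reported.
    print(evaluate(SAMPLE_PASSWD))
    # Path-scoped exception: SupportLevel1 is excused, guest still fails.
    print(evaluate(SAMPLE_PASSWD, exceptions={entry_path("SupportLevel1")}))
    # Whole-rule exception: the component passes with nothing examined.
    print(evaluate(SAMPLE_PASSWD, exceptions={RULE_ID}))
```

The second call shows why the narrower exception is preferable from a control standpoint: excusing only /etc/passwd//SupportLevel1 keeps the unexpected guest entry visible in the results, whereas excusing the whole rule silences every entry in the file, including ones nobody intended to allow.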
