Enforce and ignore controls within a single configuration

Starting with SCE for Linux v2.1.0, the only key and the ignore key are no longer mutually exclusive. If you specify both keys, SCE first applies the value of the only key and then applies the ignore key.

You can define a group of controls to be enforced by using the only key and then disable individual controls by using the ignore key, as shown in the following example:

# control-repo/data/nodes/node1.yaml 
sce_linux::benchmark: 'cis' 
sce_linux::config: 
  profile: 'server' 
  level: '1' 

  only: 
    - 'ensure_aide_is_installed' 
    - 'ensure_filesystem_integrity_is_regularly_checked' 
  ignore: 
    - 'ensure_aide_is_installed'
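
As an added example (not from the SCE documentation or Puppet's code), the Ruby sketch below models the order stated above, only first and then ignore, to preview which controls a node's data leaves enforced and to flag ignore entries that have no effect. The helper name `review_sce_config` and the exact-string matching of control names are assumptions.

```ruby
require 'yaml'

# Constructed sample: the node data from the example above.
NODE_DATA = <<~YAML
  sce_linux::benchmark: 'cis'
  sce_linux::config:
    profile: 'server'
    level: '1'
    only:
      - 'ensure_aide_is_installed'
      - 'ensure_filesystem_integrity_is_regularly_checked'
    ignore:
      - 'ensure_aide_is_installed'
YAML

# Hypothetical helper: models "apply only, then ignore" for node data that
# sets `only`. Control names are compared as exact strings (assumption).
def review_sce_config(yaml_text, config_key = 'sce_linux::config')
  config = YAML.safe_load(yaml_text).fetch(config_key, nil) || {}
  only   = Array(config['only']).map(&:to_s)
  ignore = Array(config['ignore']).map(&:to_s)
  # Without `only`, the baseline is the whole profile/level, which this
  # sketch has no catalogue for, so it refuses to guess.
  raise ArgumentError, "#{config_key} has no 'only' list" if only.empty?

  enforced = only - ignore          # step 1: only, step 2: ignore
  findings = (ignore - only).map do |name|
    "ignore entry '#{name}' is not in only and removes nothing"
  end
  if enforced.empty?
    findings << 'every control in only is also ignored; nothing is enforced'
  end
  { enforced: enforced, disabled: only & ignore, findings: findings }
end

if __FILE__ == $PROGRAM_NAME
  result = review_sce_config(NODE_DATA)
  puts "enforced: #{result[:enforced].join(', ')}"
  puts "disabled: #{result[:disabled].join(', ')}"
  result[:findings].each { |f| puts "finding:  #{f}" }
end
```

Running a check like this over a control repo before a merge surfaces a node whose lists cancel out and leave nothing enforced.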