The ssg-apply package provides functionality to evaluate and optionally
remediate a system based on SCAP Security Guide content.  The package
includes an ssg-apply bash script, a default configuration file, and an
ssg-apply systemd service that runs on first boot. 

ssg-apply bash script
======================================
The ssg-apply bash script invokes the oscap command using options in
the /etc/ssg-apply/override.conf file (if it exists), or in the
/etc/ssg-apply/default.conf file (if override.conf does not exist).
Using an override.conf file allows for custom configuration without
modifying the default configuration file.

ssg-apply configuration options 
======================================
Configuration options can be used to set the content file, the profile,
the tailoring file (to disable specific rules), and to enable/disable
remediation.  The default configuration (/etc/ssg-apply/default.conf)
sets "content-file" to the SCAP Security Guide ssg-sle15-ds.xml file,
"profile" to "stig", the tailoring file to "none", and "remediate" to "no".  
Note that care should be taken before enabling remediation, since applying
remediations can result in a system that is secure to the point of being
unusable.

ssg-apply output
======================================
The ssg-apply script writes oscap output to
/var/log/ssg-apply/ssg-apply-<timestamp>.out and debug output to
/var/log/ssg-apply/ssh-apply-<timestamp>.log.

ssg-apply systemd service
======================================
The ssg-apply systemd service runs on boot if the /var/log/ssg-apply
directory does _not_ contain a *.out file.  Therefore, the service will
always run on first boot, and it can be "triggered" to run on a subsequent
boot by removing /var/log/ssg-apply/*.out.
