Tony Murphy's blog

DISA Unix STIGS and O/S Hardening

As a former Sysadmin for a multitude of Unix varieties, I was often hit with the task of adhering to some governing policy regarding lockdown or hardening of the O/S's that I administered. One of the more challenging was compliance with DISA UNIX STIGs. If you've ever had this task, you'll know that there are three components (the STIG policy document, the SRR scripts, and a manual checklist). There was never an automated way of getting the O/S in compliance, and worse, an automated way to ensure compliance as the servers evolved over time. This rather mundane task (finding, editing, and checking a series of configuration files, CHMODs, and the like) quickly became a daily "chore". Keeping servers in sync with one another was a task in itself, and making mistakes while editing O/S configuration files could set you back a day or two.
