Despite the fact that oscap-ssh accepts the `--remediate` flag, remote remediation cannot work unless the scap-security-guide is installed on the remote machine.
So I suppose my questions about this feature are moot. Thanks! =Fen On Thu, Apr 28, 2016 at 1:52 PM, Fen Labalme <f...@civicactions.com> wrote: > Attached are my scan results. I'll be going over these today (well, more > likely tomorrow) to and will let you know soonest should I find anything. > > I've had difficulty generating a fix file as I'm scanning remotely using > oscap-ssh which doesn't support the "generate" argument. > > Thanks for your support - OpenSCAP rocks! > =Fen > > > On Thu, Apr 28, 2016 at 3:36 AM, Jan Cerny <jce...@redhat.com> wrote: > >> Hi Fen, >> >> The RHEL7 STIG profile contains some rules that check configuration of >> the SSH server. For some of them there are remediation script provided. >> There are quite a lot of them: >> - Allow Only SSH Protocol 2 >> - Set SSH Idle Timeout Interval >> - Set SSH Client Alive Count >> - Disable SSH Support for .rhosts Files >> - Disable Host-Based Authentication >> - Disable SSH Root Login >> - Disable SSH Access via Empty Passwords >> - Enable SSH Warning Banner >> - Do Not Allow SSH Environment Options >> - Use Only Approved Ciphers >> - Use Only FIPS Approved MACs >> (Hopefully I haven't forgotten any other.) >> >> Maybe you have discovered a bug in some of the remediation scripts >> for some of these rules. To identify the problem, we have to check >> the scan results and find which rules your system didn't pass. >> The we can go trough each of them, find why they didn't pass and compare >> this >> with the remediation scripts. It is possible that your system was in >> configuration >> that the remediation scripts does not cover. >> >> Please, could you provide your scan results? >> It would greatly help us to investigate your problem. >> Have you done any customization of the profile? >> >> If you find any possible reason, please share it with us. >> Thank you >> >> Best Regards >> >> Jan Černý >> Security Technologies | Red Hat, Inc. >> >> ----- Original Message ----- >> > From: "Fen Labalme" <f...@civicactions.com> >> > To: "open-scap-list" <open-scap-list@redhat.com> >> > Sent: Friday, April 22, 2016 12:14:04 AM >> > Subject: [Open-scap] oscap-ssh based remediation killing remote server >> > >> > Hi, >> > >> > I'm running oscap-ssh on CentOS 7 using oscap-user and the `sudo` >> option. >> > Running a scan on a remote server works great (thank you!): >> > >> > >> > >> > oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval --profile >> > xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream >> > --results-arf scans/results-arf.xml --results scans/results.xml --report >> > scans/results.html scap/ssg-centos7-ds.xml >> > >> > Then I run a remediation with the line: >> > >> > >> > >> > oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval --remediate >> --profile >> > xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream >> --results >> > scans/remediation-results.xml --fetch-remote-resources >> > scap/ssg-centos7-ds.xml >> > >> > This completely kills access to the server at 192.168.56.102 (via host >> or >> > dashboard). >> > >> > Am I calling remediation incorrectly? Has anyone else seen anything like >> > this? No obvious errors are reported. >> > >> > Suggestions on how to debug what step might be killing the server are >> > welcome. Note that it doesn't die until the SSJ connection is closed, >> e.g. >> > after: >> > >> > >> > >> > Shared connection to 192.168.56.102 closed. >> > oscap exit code: 2 >> > Copying back requested files... >> > results.xml 100% 1889KB 1.9MB/s 00:00 >> > Removing remote temporary directory... >> > Disconnecting ssh and removing master ssh socket directory... >> > Exit request sent. >> > >> > The exact steps I'm using are captured in a completely self-contained >> ansible >> > role test setup (that uses vagrant) documented - shpuld you want to >> recreate >> > my process - at >> > >> https://github.com/openprivacy/ansible-role-govready/blob/master/tests/README.md >> > >> > Thanks, >> > =Fen >> > >> > -- >> > Fen Labalme, CISO at CivicActions.com >> > Security | Quality | DevOps >> > mobile: 412-996-4113 >> > github/skype/twitter: openprivacy >> > >> > _______________________________________________ >> > Open-scap-list mailing list >> > Open-scap-list@redhat.com >> > https://www.redhat.com/mailman/listinfo/open-scap-list >> > > > > -- > Fen Labalme, CISO at CivicActions.com > Security | Quality | DevOps > mobile: 412-996-4113 > github/skype/twitter: openprivacy > -- Fen Labalme, CISO at CivicActions.com Security | Quality | DevOps mobile: 412-996-4113 github/skype/twitter: openprivacy
_______________________________________________ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list