I have looked into this quickly. But I haven't able to get that working. I 
haven't found
anything in the source code that uses it. It seems to me that the feature has 
been removed
without changing the documentation. I'm not sure if the removal was intended or 
if it is
a regression.

The "oscap xccdf generate fix" command only extracts the code snippets from the 
XCCDF or DS file. There is no magic logic behind that, it is a very simple 
It doesn't understand or doesn't analyze the rules that are there.

It isn't clear to me what you need. Do you try to map SSG XCCDF to XCCDF 
provided by DISA?


Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Boyd Ako" <boyd.hanalei....@gmail.com>
> To: open-scap-list@redhat.com
> Sent: Wednesday, January 9, 2019 1:32:48 AM
> Subject: [Open-scap] Making Fix Templates
> Aloha,
> So I had a couple questions.
> A) Is using the Fix Template function still being supported?
> B) Is there more detailed documentation on creating the template? I'm already
> aware of the XSL "legacy" files in /usr/share/openscap/xsl. I seem to be
> having issues with openscap outputing anything from the
> legacy-fixtpl-bash.xml as it is or when I try to modify the "fixentry" to
> map to a rule.
> C) If the Fix Template function is more or less dead in the water, is there a
> way I can "convey" fixes for the remediation script generation that's either
> local or on premise? I know that OpenSCAP does have a bunch of fixes for the
> SSGs. But I can't really reach them due to isolation and even if I could it
> wouldn't be permitted since it's "external" to "DISA Approved" stuff.
> My environment: As awesome as it is that there's SSGs for DISA RHEL 7, I
> can't use it because it doesn't have the MAC and Sensitivity profiles in the
> actual RHEL 7 Benchmark from the DISA XCCDF. So, I'm using the the XCCDF
> from DISA with the appropriate profile and none of the "rules" seem to match
> any of the remediation fixes for the failed rules. Also due to networking
> infrastructure, I'm more or less isoalted so fetching remote resources is
> out.
> Thank you for your time,
> Boyd H. Ako
> boyd.hanalei....@gmail.com
> https://www.boydhanaleiako.me
>       Cell Phone:     (424) 244-9653 PGP/GPG Public Key:
>       https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

Open-scap-list mailing list

Reply via email to