The DNF thing wasn't exactly a bug. I was using it on a RHEL 7 server
system. The DNF package was available. It just wasn't installed. The same
with DCONF. Like you, I assumed they were installed by default.

As for the packages, I'm not saying all the packages used for fix scripts
should be installed. It's more of a standard of what commands should be
used. DNF is a package installer. However, one might be more inclined to
use YUM. So a standard for package management should be DNF or YUM. Since
it's a stated standard, have the package be set as a required package.
Another example is using PWENT vs using other foundation tools like sed,
awk, and whatnot. (Personally, I recommend not using PWENT because I keep
getting SELinux issues with it.)

I'm pretty sure the reason it mucked up my server is because the snippet
used some classical complicated way to modify the GRUB config instead of
using GRUBBY. Although, I might be wrong.



------------------------------
Thank you for your time,

Boyd H. Ako

boyd.hanalei....@gmail.com
https://www.boydhanaleiako.me
Cell Phone: (424) 244-9653
PGP/GPG Public Key:
https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
------------------------------


On Tue, Jan 15, 2019 at 12:19 AM Watson Sato <ws...@redhat.com> wrote:

>
> Hello,
>
> On Sun, Jan 13, 2019 at 3:22 AM Boyd Ako <boyd.hanalei....@gmail.com>
> wrote:
>
>> So, after playing around with oscap remediation fix I think there should
>> be a standard on what commands “CAN” be used and have them set as a
>> required package for OpenSCAP. Yes, I know that that “generate fix” should
>> be used cautiously.
>
>
> It would be impractical to have OpenSCAP or SSG to require every package
> used within any fix script.
>
>> But, I noticed some of the FIX snippets in the SSGs used some commands
>> that I didn’t have installed like DNF and DCONF.
>>
>
> The suggested fix script used DNF command on a system which doesn't use
> DNF? This looks like a bug.
>
>
>> I would also imagine some of those commands are used to determine the
>> findings.
>>
> Unless you are using SCE (Script Checking Engine), that should not be the
> case, the checks in SSG rely on OVAL to evaluate the system.
> So OpenSCAP scanner should already require everything it needs to be able
> to scan.
>
>
>>
>> I could be wrong and that sort of thing is already in place. But, I just
>> don’t know where it’s stated and defined.
>>
>>
>>
>>
>> Domo,
>>
>> Boyd H. Ako
>>
>>
>> boyd.hanalei....@gmail.com
>> (424) 244-9653
>> https://www.boydhanaleiako.me
>>
>> “Coming together is a beginning. Keeping together is progress. Working
>> together is success.” -Henry Ford
>>
>> PGP/GPG Public Key:
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>
>
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
>
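A pre-flight check for the problem discussed in this thread (a generated fix script calling commands such as DNF or DCONF that are not installed), as an added example that is not part of the original messages or of OpenSCAP/SSG. The function names and the sample path are hypothetical, and the parsing is a heuristic, not a shell parser.

```shell
#!/bin/sh
# Heuristic pre-flight check for a generated remediation script: list command
# names it invokes that this host cannot resolve. The script is only read,
# never executed. Quoted text, here-documents and case patterns can produce
# false positives, so treat the output as a list to review.

# Print, one per line, the first command word of each simple command in $1.
script_commands() {
    # Strip comments, then break lines at ; | & ( ) so every simple command,
    # including those inside $(...), starts on its own line.
    sed -e 's/^[[:space:]]*#.*$//' -e 's/[[:space:]]#.*$//' "$1" |
        tr ';|&()' '\n\n\n\n\n' |
        while read -r line; do
            set -f                  # no globbing while word-splitting $line
            set -- $line
            set +f
            for w in "$@"; do
                case "$w" in
                    if|then|else|elif|do|while|until|'!'|'{'|'}') continue ;;
                    *=*) continue ;;    # VAR=value prefix or plain assignment
                esac
                printf '%s\n' "$w"
                break
            done
        done |
        grep -E '^[A-Za-z_][A-Za-z0-9_.-]*$' | sort -u
}

# Print the command words that are not keywords, builtins, functions defined
# in the script itself, or executables on PATH.
missing_commands() {
    script_commands "$1" | while read -r cmd; do
        if grep -Eq "^[[:space:]]*(function[[:space:]]+)?${cmd}[[:space:]]*\(\)" "$1"; then
            continue
        fi
        command -v "$cmd" >/dev/null 2>&1 || printf '%s\n' "$cmd"
    done
}

# Example (path is hypothetical): missing_commands ./remediation.sh
```

Run it against the generated script on the target host before applying the remediation; any name it prints is either a package to install first or a snippet to review.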