So it might be my mail client, but I'm struggling to discern who is saying what in this thread. I added in some >> indicators but may have gotten them wrong.
On Friday, April 05, 2013 12:23 AM, Shawn Wells wrote: >> On 3/29/13 3:08 PM, Aaron Lamb wrote: >> I've been meaning to chime in on this topic but have been extremely busy as >> of late. > Thanks for taking time to contribute to the conversation! Many people seem to > think commuting code is the only way to contribute; getting engaged in > conversations is *extremely* valuable. >> I have already been writing scripts based off the SSG output and slowly >> working towards something usable. The main thing I have been working >> towards follows these 3 rules when it comes to remediation.. >> 1: If we need to change a file, make a time stamped copy before changing the >> file. >> 2: If a file is modified, lets put a comment on what was done with a date >> and SSG Rule ID >> 3: Write stdout and stderr to a log file. Whatever happens, I want to know >> about it. > I agree with the logic behind #3, however note that output is captured by > OpenSCAP natively (thus the scripts don't need their own log files). Check > out Simon Lukasik's awesome writeup here: http://isimluk.livejournal.com/3573.html > Specifically, the <message> tags within <rule-result>'s For point #3 I disagree. I think that the scripts themselves should not know or care where information is getting logged to. Basic info should be written to stdout by default, error information should be written to stderr by default. Tools such as the oscap tool can then capture this information and log it accordingly (possibly based on whether a user passes in a --verbose option or has different config options set). I think that having one configuration point for logging will make the most sense in the long run and that point should be the tool consuming the content. Thus is a tool provides the options you can configure logging however you like for your system: I want my audit results to go to spot A I want my remediation results to go to spot B If verbose, capture the stdout information somewhere If non-verbose, only capture the stderr information I think we should have a more involved conversation about the approach to writing remediation content for SSG. I will send a patch up momentarily (purely to facilitate this discussion) demonstrating how we were originally writing SSG-targeted scripts in Aqueduct [1]. My concern is that there may be some clash between script-authorship best practices and SSG-content-authorship best practices. From our quick conversation after the workshop it seems like Jeff and Shawn are both on the same page re: scripts should live directly in the <fix> tags when content hits a consuming system; they should not be kept in separate .sh files and reference from within the <fix> tag. This poses a problem for authorship with regards to functional programming and code maintenance. As you will be able to see from the patches I forward over, we took the approach of grouping common tasks into one common function to perform those tasks and passing in parameters as appropriate for a particular fix. This relied on having the common function in its own file and sourcing (the bash '.' operator) that file for specific fix-scripts. This is basic programming best-practice to keep from copy/pasting code across multiple areas. If all of the bash scripts will live within one XCCDF XML file, each in discrete <fix> tags, I'm not sure what approach the community would like to take regarding function re-use. It seems like some pre-processing may be necessary; i.e. resolve the source operator before inserting the script content into the <fix> tag. The goal is to only have one copy of a specific function saved in the SSG repo but to be able to use it for multiple <fix>es which differ only in one parameter. It seems like a good time to start pushing these conversations given the recent questions popping up on the list. Thoughts? - Francisco [1] - Aqueduct SSG-targeted remediation scripts - https://fedorahosted.org/aqueduct/browser/trunk/compliance/Bash/SSG _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
