On Tue, Dec 17, 2013, at 02:49 AM, Simon Lukasik wrote:
> On 12/15/2013 08:45 PM, [email protected] wrote:
> > Going through the SCAP & STIG Workshop March 2013 I learned that I can
> > generate a shell script to fix items that were discovered during the
> > scan:
> > # oscap xccdf generate fix --result-id
> > xccdf_org.open-scap_testresult_stig-rhel6-server
> > /var/www/html/studentX-results.xml
> >
> > Is it possible to generate a shell script that has all the available
> > remediations regardless of a pass or fail. In other words I want to
> > generate a remediation shell script that doesn't rely on the output
> > results file, but has every remediation that is available in the xccdf
> > included in the shell script.
>
> Hello Joescap,
>
> Have you tried to omit the --result-id option? When you provide
> --profile instead of --result-id you should get the list of remediation
> scripts for guidance.
>
> There are two modes of generate-fix.
>
> (1) If you include --result-id you will get a list of fixes which *were*
> executed during the scan. (2) If you supply --profile instead, you will
> get all the fixes processed, as if oscap was scanning.
>
> The latter mode is more evolved. It supports text substitution, CPE,
> datastreams, and tailoring support is on its way. The former is written
> in XSLT and may be dropped/rewritten from future releases [1].
>
> Best regards,
>
> --
> Simon Lukasik
> Security Technologies
>
> [1]:
> https://git.fedorahosted.org/cgit/openscap.git/commit/?id=ec3a873eec3691fb7d967653c203409c0a8765dc

Thank you for the response. I tried omitting the --result-id and changing it to --profile and nothing is returned. Tried a few different ways and either got nothing returned or an error. I then used a sed command and changed everything from pass to fail and re-ran the original command with the result-id and got a lot more output. I assume everything that there was a fix for.

If I wanted to generate a fix for every possible test that there is a fix for, I assume I would have to create a profile that checks everything, run it on a system to generate a results file, get the --profile to work (or use the sed option) and run the oscap generate fix command against the results file? Is there a better way?

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
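
Added example, not part of the thread and not OpenSCAP or SCAP Security Guide code: a sketch of collecting every shell remediation straight from an XCCDF benchmark, independent of any scan result or rule selection, including the `<sub>` text substitution mentioned in the quoted reply. It assumes fixes are tagged `urn:xccdf:fix:script:sh` and that each `<sub>` resolves to the default (selector-less) `<value>` of its `<Value>`; the function names and the inline benchmark are constructed for illustration, and profiles, CPE and tailoring are not handled.

```python
import xml.etree.ElementTree as ET
SH = "urn:xccdf:fix:script:sh"  # assumed fix system for shell remediations
# Constructed sample benchmark (not taken from SCAP Security Guide).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Value id="var_max_days"><value>60</value><value selector="strict">30</value></Value>
  <Rule id="rule_max_days" selected="false">
    <fix system="urn:xccdf:fix:script:sh">sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS <sub idref="var_max_days"/>/' /etc/login.defs</fix>
  </Rule>
  <Rule id="rule_no_fix" selected="true"/>
  <Group id="g1"><Rule id="rule_nested" selected="true">
    <fix system="urn:xccdf:fix:script:sh">chmod 0600 /etc/demo.conf</fix>
  </Rule></Group>
</Benchmark>"""

def local(tag):  # drop the "{namespace}" prefix so XCCDF 1.1 and 1.2 both match
    return tag.rsplit("}", 1)[-1]

def default_values(root):  # map Value id -> its default (selector-less) value
    out = {}
    for el in root.iter():
        if local(el.tag) == "Value":
            for v in el:
                if local(v.tag) == "value" and "selector" not in v.attrib:
                    out[el.get("id")] = v.text or ""
    return out

def fix_text(fix, values):  # flatten a <fix>, replacing each <sub idref=.../>
    parts = [fix.text or ""]
    for child in fix:
        if local(child.tag) == "sub":
            # KeyError on an unresolvable idref: better than a broken script
            parts.append(values[child.get("idref")])
        parts.append(child.tail or "")
    return "".join(parts).strip()

def all_fixes(xccdf_xml):  # every (rule id, script) pair, selected or not
    root = ET.fromstring(xccdf_xml)
    values = default_values(root)
    return [(rule.get("id"), fix_text(fix, values))
            for rule in root.iter() if local(rule.tag) == "Rule"
            for fix in rule
            if local(fix.tag) == "fix" and fix.get("system") == SH]

def render(fixes):  # one script, each fix preceded by its rule id as a comment
    lines = ["#!/bin/bash"]
    for rule_id, body in fixes:
        lines += ["", f"# {rule_id}", body]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render(all_fixes(SAMPLE)))
```

A script assembled this way applies every remediation the benchmark carries, so it should be reviewed rule by rule before it is run on a system.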
