On Tue, 2013-12-17 at 10:32 -0700, [email protected] wrote:
> On Tue, Dec 17, 2013, at 02:49 AM, Simon Lukasik wrote:
> > On 12/15/2013 08:45 PM, [email protected] wrote:
> > > Going through the SCAP & STIG Workshop March 2013 I learned that I can
> > > generate a shell script to fix items that were discovered during the
> > > scan:
> > > # oscap xccdf generate fix --result-id
> > > xccdf_org.open-scap_testresult_stig-rhel6-server
> > > /var/www/html/studentX-results.xml
> > >
> > > Is it possible to generate a shell script that has all the available
> > > remediations regardless of a pass or fail? In other words I want to
> > > generate a remediation shell script that doesn't rely on the output
> > > results file, but has every remediation that is available in the xccdf
> > > included in the shell script.
> >
> > Hello Joescap,
> >
> > Have you tried to omit the --result-id option? When you provide
> > --profile instead of --result-id you should get the list of remediation
> > scripts for guidance.
> >
> > There are two modes of generate-fix.
> >
> > (1) If you include --result-id you will get a list of fixes which *were*
> > executed during the scan. (2) If you supply --profile instead, you will
> > get all the fixes processed, as if oscap was scanning.
> >
> > The latter mode is more evolved. It supports text substitution, CPE,
> > datastreams, and tailoring support is on its way. The former is written
> > in XSLT and may be dropped/rewritten from future releases [1].
> >
> > Best regards,
> >
> > --
> > Simon Lukasik
> > Security Technologies
> >
> > [1]:
> > https://git.fedorahosted.org/cgit/openscap.git/commit/?id=ec3a873eec3691fb7d967653c203409c0a8765dc
> >
>
> Thank you for the response. I tried omitting the --result-id and
> changing it to --profile and nothing is returned. Tried a few different
> ways and either got nothing returned or an error.
> I then used a sed
> command and changed everything from pass to fail and re-ran the original
> command with the result-id and got a lot more output. I assume
> everything that there was a fix for.
>
> If I wanted to generate a fix for every possible test that there is a
> fix for, I assume I would have to create a profile that checks
> everything, run it on a system to generate a results file, get the
> --profile to work (or use the sed option) and run the oscap generate fix
> command against the results file? Is there a better way?
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Joe,

This is how I got a list of the defined remediation scripts, "Thanks Simon":

cd /var/www/html
rm -rf scap-security-guide/
git clone https://git.fedorahosted.org/git/scap-security-guide.git
cd scap-security-guide/RHEL6/
make all
oscap xccdf eval --profile stig-rhel6-server \
  --results /var/www/html/results.xml --report /var/www/html/report.html \
  --cpe ./output/ssg-rhel6-cpe-dictionary.xml output/ssg-rhel6-xccdf.xml

##This worked to get the remediation scripts put into fix.txt file.
oscap xccdf generate fix --profile stig-rhel6-server \
  --cpe ./output/ssg-rhel6-cpe-dictionary.xml output/ssg-rhel6-xccdf.xml \
  > /var/www/html/fix.txt
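Added example, not code from the thread and not part of OpenSCAP or SCAP Security Guide: the --profile mode shown above is the intended way to get every fix, but if you do fall back on Joe's "mark everything as fail and re-run generate fix --result-id" workaround, a blanket textual substitution of "pass" with "fail" also rewrites any rule id that contains that substring (rule ids with "password" in them become "failword"). The hypothetical helper below (function names and the sample results document are my own construction, with illustrative rule ids) edits only the <result> element of each <rule-result> in the XML tree, so the TestResult id and rule idrefs that generate fix needs stay intact. It accepts XCCDF 1.1 and 1.2 documents because it matches local element names rather than one hard-coded namespace.

```python
"""Force every <rule-result> in an XCCDF results file to "fail".

Hypothetical helper, not part of OpenSCAP or SSG: an XML-aware version of
the "sed pass -> fail" trick, so that `oscap xccdf generate fix --result-id`
emits the remediation for every rule without mangling rule identifiers.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample results document (ids are illustrative, not a real scan).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server">
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def naive_replace(xml_text):
    """The blanket textual substitution: rewrites *every* 'pass', rule ids included."""
    return xml_text.replace("pass", "fail")


def force_fail(xml_text):
    """Return (rewritten XML, number of <result> values changed).

    Only the <result> child of each <rule-result> is touched; attributes such
    as idref and the TestResult id are left exactly as the scan wrote them.
    """
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep a readable prefix on output instead of ElementTree's ns0:.
        ET.register_namespace("xccdf", root.tag[1:].split("}", 1)[0])
    changed = 0
    for rule_result in root.iter():
        if _local(rule_result.tag) != "rule-result":
            continue
        for child in rule_result:
            if _local(child.tag) == "result" and (child.text or "").strip() != "fail":
                child.text = "fail"
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def result_values(xml_text):
    """Document-order list of <result> values, for checking a rewrite."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "result"]


if __name__ == "__main__":
    # Usage: python3 force_fail.py results.xml > results-all-fail.xml
    # then:  oscap xccdf generate fix --result-id <TestResult id> results-all-fail.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = SAMPLE_RESULTS
    out, n = force_fail(src)
    sys.stdout.write(out)
    sys.stderr.write("%d result(s) rewritten to fail\n" % n)
```

Run it on a real results file before the generate fix --result-id step; the count on stderr tells you how many rules were flipped. Note that this only makes the XSLT-based mode emit fixes for rules that have one in the benchmark; it cannot invent remediations for rules the content does not provide them for, which is the same limit the --profile mode has.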
