On 12/17/2013 06:32 PM, [email protected] wrote:
> On Tue, Dec 17, 2013, at 02:49 AM, Simon Lukasik wrote:
>> On 12/15/2013 08:45 PM, [email protected] wrote:
>>> Going through the SCAP & STIG Workshop March 2013 I learned that I can
>>> generate a shell script to fix items that were discovered during the
>>> scan:
>>>
>>> # oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_stig-rhel6-server /var/www/html/studentX-results.xml
>>>
>>> Is it possible to generate a shell script that has all the available
>>> remediations regardless of a pass or fail? In other words, I want to
>>> generate a remediation shell script that doesn't rely on the output
>>> results file, but has every remediation that is available in the XCCDF
>>> included in the shell script.
>>
>> Hello Joescap,
>>
>> Have you tried omitting the --result-id option? When you provide
>> --profile instead of --result-id you should get the list of remediation
>> scripts for the guidance.
>>
>> There are two modes of generate-fix.
>>
>> (1) If you include --result-id you will get a list of fixes which *were*
>> executed during the scan.
>> (2) If you supply --profile instead, you will get all the fixes processed,
>> as if oscap was scanning.
>>
>> The latter mode is more evolved. It supports text substitution, CPE,
>> datastreams, and tailoring support is on its way. The former is written
>> in XSLT and may be dropped/rewritten from future releases [1].
>>
>> Best regards,
>>
>> --
>> Simon Lukasik
>> Security Technologies
>>
>> [1]: https://git.fedorahosted.org/cgit/openscap.git/commit/?id=ec3a873eec3691fb7d967653c203409c0a8765dc
>>
>
> Thank you for the response. I tried omitting the --result-id and
> changing it to --profile and nothing is returned.
Perhaps you haven't replaced the ID to match one of the profiles. Sorry, I
didn't put this explicitly in the first place.

> Tried a few different ways and either got nothing returned or an error.

Feel free to report to [email protected] if you believe that any error
was unexpected.

> I then used a sed command and changed everything from pass to fail and
> re-ran the original command with the result-id and got a lot more output.
> I assume everything that there was a fix for.
>
> If I wanted to generate a fix for every possible test that there is a
> fix for, I assume I would have to create a profile that checks
> everything,

Yes, you need to create a full blown profile.

> run it on a system to generate a results file, get the --profile to work
> (or use the sed option) and run the oscap generate fix command against
> the results file? Is there a better way?

I have looked closely at the code and I found there was a flaw in the
code [1]. It's already fixed. The fix will appear in the next OpenSCAP
release (1.0.2 presumably). You can then verify the fix by running:

$ oscap xccdf generate fix \
    --output my-fixes.xml --profile usgcb-rhel6-server \
    --template urn:xccdf:fix:script:sh \
    ./scap-security-guide/RHEL6/dist/content/ssg-rhel6-xccdf.xml

No need to run it on a system. Nor sed.

Best regards,

--
Simon Lukasik
Security Technologies

[1]: https://fedorahosted.org/openscap/ticket/363

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
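Added example, not part of the thread and not OpenSCAP's own implementation: a simplified re-creation of the two "generate fix" modes Simon describes, run over a small constructed XCCDF 1.2 benchmark embedded in the script. Profile mode walks every Rule the Profile selects (honouring the Profile's select overrides and refine-value selectors, and substituting <sub> references in the fix text), with no results file at all; result mode consults a TestResult and emits only the fixes of rules marked "fail", which is why a mostly-passing results file yields little output and why flipping pass to fail with sed changed the reporter's result. Everything here (benchmark, profile, value and rule ids, fix bodies) is made up for the example; CPE, datastreams and tailoring are deliberately not modelled.

```python
"""Two ways to collect sh fixes from an XCCDF 1.2 benchmark (added example,
not the thread's and not OpenSCAP's code): by profile selection and by scan
result. Only Profile select/refine-value, Value selectors and Rule fix with
<sub> substitution are modelled; CPE, datastreams and tailoring are ignored."""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SH_SYSTEM = "urn:xccdf:fix:script:sh"

# Constructed sample benchmark: ids, values and fixes are invented for this example.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_server">
    <select idref="xccdf_example_rule_ctrlaltdel" selected="false"/>
    <select idref="xccdf_example_rule_pass_max_days" selected="true"/>
    <refine-value idref="xccdf_example_value_login_banner" selector="gov"/>
  </Profile>
  <Value id="xccdf_example_value_login_banner">
    <value>Authorized users only</value>
    <value selector="gov">This system is for authorized government use only</value>
  </Value>
  <Value id="xccdf_example_value_pass_max_days">
    <value>90</value>
  </Value>
  <Rule id="xccdf_example_rule_sshd_banner" selected="true">
    <fix system="urn:xccdf:fix:script:sh">echo "<sub idref="xccdf_example_value_login_banner"/>" > /etc/issue</fix>
  </Rule>
  <Rule id="xccdf_example_rule_ctrlaltdel" selected="true">
    <fix system="urn:xccdf:fix:script:sh">systemctl mask ctrl-alt-del.target</fix>
  </Rule>
  <Rule id="xccdf_example_rule_pass_max_days" selected="false">
    <fix system="urn:xccdf:fix:script:sh">sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS <sub idref="xccdf_example_value_pass_max_days"/>/' /etc/login.defs</fix>
  </Rule>
  <Rule id="xccdf_example_rule_no_fix" selected="true"/>
  <TestResult id="xccdf_example_testresult_demo">
    <profile idref="xccdf_example_profile_server"/>
    <rule-result idref="xccdf_example_rule_sshd_banner"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_pass_max_days"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_fix"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _tag(name):
    return f"{{{NS['x']}}}{name}"


def _resolve_values(root, profile):
    """Map each Value id to the text chosen by the profile's refine-value
    selector, falling back to the <value> that carries no selector."""
    selectors = {rv.get("idref"): rv.get("selector")
                 for rv in profile.findall("x:refine-value", NS)}
    resolved = {}
    for val in root.iter(_tag("Value")):
        wanted = selectors.get(val.get("id"))
        candidates = val.findall("x:value", NS)
        match = ([v for v in candidates if v.get("selector") == wanted]
                 or [v for v in candidates if v.get("selector") is None])
        resolved[val.get("id")] = (match[0].text or "") if match else ""
    return resolved


def _render_fix(fix, values):
    """Flatten the mixed content of <fix>, replacing each <sub idref=.../>."""
    parts = [fix.text or ""]
    for child in fix:
        if child.tag == _tag("sub"):
            parts.append(values.get(child.get("idref"), ""))
        parts.append(child.tail or "")
    return "".join(parts)


def _sh_fixes(root, wanted_ids, values):
    """(rule id, rendered sh fix) for every wanted rule that has an sh fix, in
    document order; rules without a fix contribute nothing."""
    out = []
    for rule in root.iter(_tag("Rule")):
        fix = rule.find(f"x:fix[@system='{SH_SYSTEM}']", NS)
        if rule.get("id") in wanted_ids and fix is not None:
            out.append((rule.get("id"), _render_fix(fix, values)))
    return out


def fixes_for_profile(xccdf_text, profile_id):
    """Profile mode: all rules the profile selects; no scan result consulted."""
    root = ET.fromstring(xccdf_text)
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"no profile {profile_id!r} in benchmark")
    overrides = {s.get("idref"): s.get("selected") == "true"
                 for s in profile.findall("x:select", NS)}
    selected = {r.get("id") for r in root.iter(_tag("Rule"))
                if overrides.get(r.get("id"), r.get("selected", "true") == "true")}
    return _sh_fixes(root, selected, _resolve_values(root, profile))


def fixes_for_result(xccdf_text, result_id):
    """Result mode: only rules whose rule-result is "fail"; passing rules are
    skipped even when they carry a fix."""
    root = ET.fromstring(xccdf_text)
    result = root.find(f"x:TestResult[@id='{result_id}']", NS)
    if result is None:
        raise ValueError(f"no TestResult {result_id!r} in benchmark")
    ref = result.find("x:profile", NS)
    profile = (root.find(f"x:Profile[@id='{ref.get('idref')}']", NS)
               if ref is not None else None)
    values = _resolve_values(root, profile if profile is not None else ET.Element("none"))
    failed = {rr.get("idref") for rr in result.findall("x:rule-result", NS)
              if rr.findtext("x:result", default="", namespaces=NS) == "fail"}
    return _sh_fixes(root, failed, values)


def to_script(fixes):
    """Join rendered fixes into one shell script, one commented block per rule."""
    lines = ["#!/bin/sh", "# Generated remediation: review before running as root."]
    for rule_id, body in fixes:
        lines += ["", f"# {rule_id}", body]
    return "\n".join(lines) + "\n"
```

Running fixes_for_profile() on the sample yields two fixes (the banner rule, with the "gov" banner text substituted, and the PASS_MAX_DAYS rule the profile switched on), while the deselected ctrl-alt-del rule and the rule without a fix are left out; fixes_for_result() on the same document yields only the PASS_MAX_DAYS fix, because the banner rule passed. That gap between the two outputs is exactly what the thread is about: a results file only ever carries the failing subset, so a complete remediation script has to come from the profile.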
