Common Configuration Enumerations are valuable from a remediation standpoint. It’s nice to correlate the check and fix configuration parameters. In most cases the check and fix should be using the same configuration parameters with differing values for assessment and remediation.
-ln

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Simon Lukasik
Sent: Thursday, December 19, 2013 6:44 AM
To: [email protected]
Subject: Re: Generate Fix

On 12/18/2013 09:33 PM, Shawn Wells wrote:
> On 12/18/13, 11:39 AM, Simon Lukasik wrote:
>> You can then verify the fix by running:
>>
>> $ oscap xccdf generate fix \
>> --output my-fixes.xml \
>> --profile usgcb-rhel6-server \
>> --template urn:xccdf:fix:script:sh \
>> ./scap-security-guide/RHEL6/dist/content/ssg-rhel6-xccdf.xml
>>
>> No need to run it on a system. Nor sed.
>
>
> Incredibly handy! Two things:
>
> (1) On OpenSCAP 0.9.12-1, the output file is chmod'd to 100. Could this
> be something more reasonable -- such as inheriting the umask value, or
> perhaps 500, as this will be a script to execute?
>

Yep, there was a bug in mask as well. It should have been created with
700 now.

> (2) The output file does not include any of the CCE information. Is
> there a way to have this included (happy to open an RFE if needed)?
>

I am wondering for whom is the CCE useful in the fix script. But yes,
you can file an RFE for anything. ;-)

--
Simon Lukasik
Security Technologies
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
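
The two requests in this thread (CCE identifiers next to each fix, and a sane file mode for the generated script) can be illustrated outside of oscap. The following is an added example, not OpenSCAP or scap-security-guide code: it assumes XCCDF 1.1 namespaced content, and the benchmark, rule ids and CCE numbers are constructed placeholders.

```python
import os
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # assumption: XCCDF 1.1 content
FIX_SYSTEM = "urn:xccdf:fix:script:sh"  # the --template value used in the thread

# Constructed sample benchmark; ids, CCE numbers and fix bodies are placeholders.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Rule id="rule_with_cce" selected="true">
    <ident system="http://cce.mitre.org">CCE-00000-0</ident>
    <fix system="urn:xccdf:fix:script:sh">echo "fix one"</fix>
  </Rule>
  <Group id="group_a">
    <Rule id="rule_without_cce" selected="true">
      <fix system="urn:xccdf:fix:script:sh">echo "fix two"</fix>
    </Rule>
    <Rule id="rule_without_fix" selected="true">
      <ident system="http://cce.mitre.org">CCE-00000-1</ident>
    </Rule>
  </Group>
</Benchmark>"""

def build_fix_script(xccdf_text):
    """Return a shell script where each fix is preceded by its rule id and CCE."""
    root = ET.fromstring(xccdf_text)
    lines = ["#!/bin/sh"]
    for rule in root.iter("{%s}Rule" % NS["x"]):
        fix = next((f for f in rule.findall("x:fix", NS)
                    if f.get("system") == FIX_SYSTEM), None)
        if fix is None or not (fix.text or "").strip():
            continue  # rule carries no shell remediation
        # Only well-formed values reach the comments, so content cannot inject lines.
        rid = re.sub(r"[^\w.:-]", "_", rule.get("id", ""))
        cces = [i.text.strip() for i in rule.findall("x:ident", NS)
                if re.fullmatch(r"CCE-\d+-\d", (i.text or "").strip())]
        lines += ["", "# Rule: " + rid,
                  "# CCE: " + (", ".join(cces) or "none assigned"), fix.text.strip()]
    return "\n".join(lines) + "\n"

def write_owner_only(path, text):
    """Create the script with mode 0700 whatever the umask; never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    try:
        os.fchmod(fd, 0o700)  # the mode given to open() is still filtered by umask
        os.write(fd, text.encode("utf-8"))
    finally:
        os.close(fd)
```

A shell script needs read permission as well as execute permission for the interpreter to load it, which is why 0700 is used here rather than the 100 reported in the thread.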
