On 2/17/14, 1:45 PM, Kordell, Luke T wrote:
> Thank you for the input Shawn. I guess the sites I have been referencing are a little
> dated. Since we are not embedding bash in the rule .xml file how do we point oscap toward
> the script during the remediation phase? I tried passing the --remediate argument to
> oscap but it gave an "unrecognized option" error.

You may find Šimon Lukašík's blog on OpenSCAP Remediation helpful:
http://isimluk.livejournal.com/3573.html
In short:
$ oscap xccdf eval --results ~/my-results-xccdf.xml \
    /usr/share/scap/my-policy-xccdf.xml
$ oscap xccdf remediate --results ~/my-results-xccdf.xml \
    ~/my-results-xccdf.xml

> Also, how are the rules pointing to the remediation scripts in the fixes
> directory if we are no longer using fix tags?

The build process will take all XCCDF rules, look for a bash script
matching the XCCDF rule name, and then create the fix tag in the final
output.
Ref
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/transforms/combinefixes.py
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/transforms/xccdf-addfixes.xslt
To see this in action:
[shawn@SSG-RHEL6 6]$ pwd
/var/www/html/scap-security-guide/RHEL/6
[shawn@SSG-RHEL6 6]$ make content
[shawn@SSG-RHEL6 6]$ grep -rin "<fix" output/ssg-rhel6-xccdf.xml
..... and then find the line numbers in the output/ssg-rhel6-xccdf.xml file
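
The name-matching build step described in the message above, as an added Python example (not the project's combinefixes.py and not part of the original message): it attaches `<rule id>.sh` to each Rule as a `<fix>` element and reports rules with no script and scripts that match no rule. The XCCDF 1.1 namespace and the `urn:xccdf:fix:script:sh` system value are assumptions about the content; the sample benchmark, rule ids and script names are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # assumed: XCCDF 1.1 content
SH_SYSTEM = "urn:xccdf:fix:script:sh"  # assumed fix system for shell scripts
ET.register_namespace("", XCCDF_NS)

# Constructed sample benchmark: two rules, neither carries a <fix> yet.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample">
  <Group id="services">
    <Rule id="disable_telnet"><title>Disable telnet</title></Rule>
    <Rule id="set_umask"><title>Set umask</title></Rule>
  </Group>
</Benchmark>"""


def add_fixes(xccdf_text, fixes_dir):
    """Attach fixes_dir/<rule id>.sh to each Rule as a <fix> element.

    Returns (xml_text, rules_without_script, scripts_without_rule).
    """
    root = ET.fromstring(xccdf_text)
    scripts = {p.stem: p for p in Path(fixes_dir).glob("*.sh")}
    unfixed = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        script = scripts.pop(rule.get("id"), None)
        if script is None:
            unfixed.append(rule.get("id"))
            continue
        fix = ET.SubElement(rule, f"{{{XCCDF_NS}}}fix", system=SH_SYSTEM)
        fix.text = script.read_text()
    # Whatever is left in `scripts` matched no rule id, e.g. a misspelled file name.
    return ET.tostring(root, encoding="unicode"), unfixed, sorted(scripts)


def demo():
    """Run add_fixes against a constructed fixes directory."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "disable_telnet.sh").write_text("chkconfig telnet off\n")
        Path(d, "set_umsak.sh").write_text("umask 027\n")  # deliberate typo
        return add_fixes(SAMPLE_XCCDF, d)


if __name__ == "__main__":
    xml_out, unfixed, orphans = demo()
    print(xml_out)
    print("rules without a fix script:", unfixed)
    print("scripts matching no rule:", orphans)
```

A misspelled script name leaves its rule without a remediation and nothing fails at build time, so the two report lists are worth checking alongside the `grep` for `<fix` shown in the message.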