Which rules do not have bash scripts?

On Dec 12, 2017 12:24 PM, "Chuck Atkins" <chuck.atk...@kitware.com> wrote:
> I've got a small air-gapped network of only 2 machines that I'm setting up. As such, centralized management and deployment configurations for larger or even moderate-sized networks are really way overkill. In the past with RHEL6 I could easily do it all manually, i.e. install, apply updates, run the STIG workstation profile with --remediate, and that would get me 95% of the way there. The remainder was usually just manually editing a few config files and that was it. So now that I'm trying to use the OSPP profile with RHEL7 I'm finding it incredibly frustrating how much just doesn't work out of the box now that much of the remediation content is in ansible only. The mass of GDM configuration parameters can't even be set by "remediate" anymore because so much of the fix content is now ansible only.
>
> Given the mix of ansible and bash content, what's the right way to use this now? Should I evaluate once and generate the ansible remediation playbook, apply it, then evaluate again with --remediate to apply the remaining bash fixes? I've read a lot of "you can do these things with the ansible content now" but nothing that's really along the lines of how to actually generate and use it. Earlier versions of the SSG were very easy to get a system up and running and almost in complete compliance with the government profiles, right out of the box with a single command. The path to do this seems to have greatly increased in complexity, or at the very least, is no longer documented how to do so easily.
>
> I certainly appreciate the extra capability and content being added into the SSG, so I don't want this to just be a rant on diminishing that. I do feel, however, that it has come at the cost of usability.
>
> ----------
> Chuck Atkins
> Staff R&D Engineer, Scientific Computing
> Kitware, Inc.
>
> On Tue, Dec 12, 2017 at 11:52 AM, Watson Yuuma Sato <ws...@redhat.com> wrote:
>
>> Hello Chuck,
>>
>> On 12/12/17 17:35, Chuck Atkins wrote:
>>
>>> There seems to be a mix of ansible and bash for fix-up scripts, in that some rules only have bash fixes, others only have ansible fixes, while most have both, and a few still have none. When applying remediation during a scan, which ones get used?
>>
>> When doing on-line remediation, i.e. by option "--remediate", the bash fixes are applied.
>>
>>> Is there a way to specify?
>>
>> Unfortunately no, the default is to use bash, and there is no way to change it.
>>
>>> If I have ansible installed, will the ansible fixes automatically get used? If the ansible ones are being used, do the bash-only fixes get run as well? What about rules that have both?
>>
>> Ansible remediations are not applied automatically, oscap can't consume ansible fixes. They should be used by ansible to fix the machine.
>>
>> Oscap can only generate a script fix based on one kind of remediation, it doesn't know how to use mainly one type of fix, and fill the gaps with other types of remediation, but this feature sounds interesting and useful.
>>
>>> Thanks
>>> ----------
>>> Chuck Atkins
>>> Staff R&D Engineer, Scientific Computing
>>> Kitware, Inc.
>>>
>>> _______________________________________________
>>> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
>>> To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
>>
>> --
>> Watson Sato
>> Security Technologies | Red Hat, Inc
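The opening question, which rules carry no bash fix, can be answered from the content itself: each XCCDF Rule lists its remediations as fix elements whose system attribute names the remediation language, and --remediate only applies the bash ones, as Watson notes. The script below is an added example, not code from this thread or from SSG; it parses a small constructed benchmark in the shape SSG ships (the rule ids and fix bodies are made up) and lists the rules that --remediate cannot touch.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# The fix "system" URNs SSG uses for its shell and ansible remediations.
FIX_SYSTEMS = {
    "urn:xccdf:fix:script:sh": "bash",
    "urn:xccdf:fix:script:ansible": "ansible",
}

# Constructed sample benchmark; rule ids and fix bodies are invented, not real SSG content.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Group id="xccdf_example_group_demo">
    <Rule id="xccdf_example_rule_both">
      <fix system="urn:xccdf:fix:script:sh">echo bash fix</fix>
      <fix system="urn:xccdf:fix:script:ansible">- name: ansible fix</fix>
    </Rule>
    <Rule id="xccdf_example_rule_ansible_only">
      <fix system="urn:xccdf:fix:script:ansible">- name: ansible fix</fix>
    </Rule>
    <Rule id="xccdf_example_rule_bash_only">
      <fix system="urn:xccdf:fix:script:sh">echo bash fix</fix>
    </Rule>
    <Rule id="xccdf_example_rule_none"/>
  </Group>
</Benchmark>
"""


def fix_types_by_rule(xccdf_text):
    """Map every Rule id to the set of remediation types ("bash", "ansible") it carries."""
    root = ET.fromstring(xccdf_text)
    result = {}
    # iter() walks Groups and datastream wrappers alike, so nesting depth does not matter.
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        types = set()
        for fix in rule.findall(f"{{{XCCDF_NS}}}fix"):
            name = FIX_SYSTEMS.get(fix.get("system", ""))
            if name:
                types.add(name)
        result[rule.get("id")] = types
    return result


def rules_without(fixes, fix_type):
    """Sorted ids of rules lacking fix_type; with "bash" this is what --remediate skips."""
    return sorted(rid for rid, types in fixes.items() if fix_type not in types)


if __name__ == "__main__":
    fixes = fix_types_by_rule(SAMPLE_XCCDF)
    for rid in rules_without(fixes, "bash"):
        print(rid, "->", ", ".join(sorted(fixes[rid])) or "no fix at all")
```

Fed the text of a full SSG datastream instead of the sample, the same functions report which rules in it would be left for the ansible playbook.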