On 01/06/2018 04:36 PM, Olivier BONHOMME wrote:


On 12/12/2017 at 19:09, Marek Haicman wrote:
Hi Chuck,
it's definitely not like we are moving away from bash remediations
towards Ansible. As the remediation during a scan is still bash-only, bash
is still an important part of SSG. It's true that in upstream SSG we tried
to get Ansible to parity with bash, and it's even true that in some
cases an Ansible remediation is easier to make and thus is implemented first.

Basically, it's more about the resources available and not much about our
agenda. And with Ansible remediations on par with bash, we should be
able to fix both.

Regards,
Marek


Hello Marek,

As a newbie in the SSG community, there are things about fixes that
are not very clear to me.

You said that remediations are bash-only. However, when I look at the
generated DS/XCCDF+OVAL files, I can see that for some rules there are
only Ansible fixes and no bash fixes.

And when I did some tests on my side, I realized that some remediations
were in error because Ansible wasn't installed or because I had an old
version of Ansible.

The SSG guys seem to say there is always a bash fallback, as has been
discussed here:
https://github.com/OpenSCAP/scap-security-guide/issues/2467.

But when I see the generated file, I wonder how that can be possible. So
is it possible to clarify the following questions:
  - Is Ansible mandatory for some remediations?
  - If yes, is it possible to provide the minimum version needed for
    applying the remediations correctly?
  - Does oscap really fall back to bash when Ansible fails? If yes, how
    does it work?

Thanks again for the answers.

Regards,
Olivier Bonhomme


Hi Olivier,
there's no such complexity. If you run `oscap xccdf eval ... --remediate ...`, it will perform bash remediation. There is no way to run Ansible or any other snippets during this "scanner remediation".

Missing bash remediations where an Ansible remediation is available might be because of an already available Ansible module, which makes it much easier to create an Ansible fix than to write sensible bash. But it's definitely not a state we want to end with. Our goal is to have remediations for all rules that make sense to remediate. Currently the aim is to have complete coverage with the combination of anaconda (that's the small subset of all rules that needs to be covered during installation) + bash, and with anaconda + Ansible. We want both combinations to yield full results. Unfortunately we are not there yet.

So to answer the questions:
 - Ansible might currently be the only option, but that's not a design decision but the result of missing bash (basically a bug). That's something we should look into, or at least have it in the comment section. I have created an issue: https://github.com/OpenSCAP/openscap/issues/945
 - nope, you would have to run both manually :)

Hope it makes sense,
Marek
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
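To make Marek's last answer concrete, here is an added example of "running both manually". It is my own script, not code from this thread or from the SSG/OpenSCAP project. It does the bash pass with `oscap xccdf eval --remediate` (the only remediation oscap runs itself), then builds an Ansible playbook from that run's results with `oscap xccdf generate fix --fix-type ansible --result-id ...` and applies it with ansible-playbook, since oscap never invokes Ansible and never falls back from one to the other. The datastream path, profile id and file names are placeholders to be overridden via the environment, and the result-id helper is mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSG/OpenSCAP itself.
# `oscap --remediate` applies only the bash fixes and never falls back to
# Ansible, so the Ansible remediation has to be run as a separate step.
# Assumptions: a SCAP datastream and profile id (the defaults below are
# placeholders, override via environment), oscap and ansible-playbook on PATH.
set -e

DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_standard}"
RESULTS="${RESULTS:-results.xml}"
PLAYBOOK="${PLAYBOOK:-remediation-playbook.yml}"

# Extract the TestResult id from an XCCDF results file. `oscap xccdf generate
# fix --result-id` needs it so the playbook covers only rules that failed in
# that run. Plain sed so it works without xmllint; assumes the opening
# <TestResult ...> tag sits on one line, as oscap writes it.
result_id_from_results() {
    sed -n 's/.*<[A-Za-z0-9:]*TestResult[^>]* id="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Step 1: scan and apply the bash remediations in a single pass.
# oscap exits 0 if everything passes, 2 if some rule still fails, 1 on error;
# 0 and 2 both mean the scan (and the bash remediation) actually ran.
bash_remediate() {
    ds="$1"; profile="$2"; results="$3"
    rc=0
    oscap xccdf eval --profile "$profile" --remediate --results "$results" "$ds" || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return "$rc"
}

# Step 2: build an Ansible playbook for the rules that still fail and apply
# it to this host. This is the "run both manually" part: oscap itself never
# executes ansible-playbook, and an Ansible-only rule stays failed after step 1.
ansible_remediate() {
    results="$1"; playbook="$2"
    rid="$(result_id_from_results "$results")"
    [ -n "$rid" ] || { echo "no TestResult id found in $results" >&2; return 1; }
    oscap xccdf generate fix --fix-type ansible --result-id "$rid" "$results" > "$playbook"
    ansible-playbook -i localhost, -c local "$playbook"
}

# Step 3: rescan without remediation to see what both passes actually fixed.
# Exit status 2 here means some rule still fails after bash and Ansible.
verify_scan() {
    ds="$1"; profile="$2"; results="$3"
    oscap xccdf eval --profile "$profile" --results "$results" "$ds"
}

# Guarded so the file can be sourced for its helpers without touching the host.
if [ "${RUN_REMEDIATION:-0}" = 1 ]; then
    bash_remediate "$DS" "$PROFILE" "$RESULTS"
    ansible_remediate "$RESULTS" "$PLAYBOOK"
    verify_scan "$DS" "$PROFILE" "after-${RESULTS}"
fi
```

Run it as `RUN_REMEDIATION=1 DS=/path/to/ds.xml PROFILE=xccdf_..._profile_x sh ssg-remediate.sh`. Rules that still fail after the final scan are exactly the gap the thread describes: a rule with only an Ansible fix is untouched by the first pass, a rule with only a bash fix is untouched by the second, and oscap reports both the same way.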
