Hi,
One option is to use remediation roles instead of --remediate,
generating them from specific results or a whole profile, and removing
the offending remediations from the role (which is either a bash script
or an Ansible role). It's a bit clunky, but it should work :)
Marek
On 03/02/2018 04:53 PM, Gabe Alford wrote:
Fen,
There is an RFE open in OpenSCAP for this very thing at
https://github.com/OpenSCAP/openscap/issues/633
Outside of tailoring a profile, nothing super easy from the OpenSCAP
side of the house.
Gabe
On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalme <[email protected]> wrote:
The goal is to create a hardened EC2 server on AWS from scratch.
After provisioning a new RHEL/7 instance on AWS, we run
`yum -y update` followed by the bash remediations from SSG using:
command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
--results-arf /tmp/results-arf.xml --report /tmp/report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
But there are some remediations I don't want to run for an EC2
server such as install_smartcard_packages.sh and dracut-fips. Is
there a way to prevent certain remediations from running?
Thanks,
=Fen
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
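An added example, not part of the thread and not OpenSCAP's own code: one way to do the "remove the offending remediations" step on a generated bash remediation script. The `drop_fixes` function, the `# BEGIN fix` / `# END fix` marker layout and the sample rule ids are assumptions; check them against the script your oscap version produces.

```shell
# drop_fixes NAME...: filter a bash remediation script (stdin -> stdout),
# removing every fix block whose rule id contains one of the NAMEs.
# Assumed block layout: "# BEGIN fix (N / M) for 'ID'" ... "# END fix for 'ID'",
# with a row of '#' above and below the BEGIN line.
# Exits 3 when a NAME matched nothing, so a typo cannot leave a fix in place.
drop_fixes() {
    awk -v names="$*" '
    function excluded(line,   i, found) {
        for (i = 1; i <= n; i++)
            if (index(line, want[i])) { hit[i] = 1; found = 1 }
        return found + 0
    }
    BEGIN { n = split(names, want, " ") }
    skipping { if ($0 ~ /^# END fix for /) skipping = 0; next }
    /^#####+$/ { if (held != "") print held; held = $0; next }
    /^# BEGIN fix / && excluded($0) {
        held = ""; skipping = 1        # also drops the banner row above
        print "dropped: " $0 > "/dev/stderr"
        next
    }
    { if (held != "") { print held; held = "" } print }
    END {
        if (held != "") print held
        for (i = 1; i <= n; i++)
            if (!hit[i]) { rc = 3; print "unmatched name: " want[i] > "/dev/stderr" }
        exit rc + 0
    }'
}

# Constructed sample input (rule ids and commands are made up for the demo).
sample_script() {
    cat <<'EOF'
####################
# BEGIN fix (1 / 3) for 'example_rule_install_smartcard_packages'
####################
echo "install smartcard packages"
# END fix for 'example_rule_install_smartcard_packages'
####################
# BEGIN fix (2 / 3) for 'example_rule_package_aide_installed'
####################
echo "install aide"
# END fix for 'example_rule_package_aide_installed'
####################
# BEGIN fix (3 / 3) for 'example_rule_package_dracut-fips_installed'
####################
echo "install dracut-fips"
# END fix for 'example_rule_package_dracut-fips_installed'
EOF
}
```

Review the filtered script before running it on the instance, and treat exit status 3 as a failed build step rather than a warning.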