On 2/16/13 1:35 PM, Shawn Wells wrote:
EXAMPLE USAGE:

(since generate fix only produces scripts for failed rules, change all results 
to fail)

if ! rpm -qa | grep -q aide; then
yum -y install aide
fi

if rpm -qa | grep -q xinetd; then
yum -y remove xinetd
fi

if rpm -qa | grep -q telnet-server; then
yum -y remove telnet-server
fi

if rpm -qa | grep -q ypserv; then
yum -y remove ypserv
fi

My patch-push script keeps dropping things it thinks are comments. Here's the full example workflow:

# oscap xccdf eval --profile stig-rhel6-server --results /tmp/results.xml --oval-results --cpe-dict output/ssg-rhel6-cpe-dictionary.xml output/ssg-rhel6-xccdf.xml

Since `generate fix` only does so for failed rules, change everything to failed to get sample output:

# sed -i 's/<result>pass<\/result>/<result>fail<\/result>/g' /tmp/results.xml

# oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_stig-rhel6-server /tmp/results.xml
#!/bin/bash
# OpenSCAP fix generator output for benchmark: DRAFT Guide to the Secure Configuration of Red Hat Enterprise Linux 6

# XCCDF rule: install_aide
# CCE-27024-9

if ! rpm -qa | grep -q aide; then
yum -y install aide
fi


# XCCDF rule: uninstall_xinetd
# CCE-27005-8

if rpm -qa | grep -q xinetd; then
yum -y remove xinetd
fi


# XCCDF rule: uninstall_telnet_server
# CCE-27073-6

if rpm -qa | grep -q telnet-server; then
yum -y remove telnet-server
fi


# XCCDF rule: uninstall_ypserv
# CCE-27079-3

if rpm -qa | grep -q ypserv; then
yum -y remove ypserv
fi


# generated: 2013-02-16T13:40:22-05:00
# END OF SCRIPT
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
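
Added example, not part of the original message or of the OpenSCAP/SSG code: the generated checks above use `rpm -qa | grep -q NAME`, which matches NAME as a substring of any installed package, so a remediation such as `yum -y install aide` can be skipped on a host where only a similarly named package is present. The package list below is constructed (the name `aide-helper-example` is hypothetical) and stands in for `rpm -qa --qf '%{NAME}\n'`, so the comparison runs without rpm.

```shell
#!/bin/bash
# Constructed sample of installed package names, standing in for the
# output of: rpm -qa --qf '%{NAME}\n'
installed_names() {
    cat <<'EOF'
aide-helper-example
telnet
bash
EOF
}

# Check in the style of the generated fix script: the name is treated as
# a pattern and may match anywhere in any line of the package list.
substring_installed() {
    installed_names | grep -q -- "$1"
}

# Stricter check: fixed-string (-F), whole-line (-x) match on the name.
# On a real host, `rpm -q "$1"` answers the same question directly.
exact_installed() {
    installed_names | grep -qxF -- "$1"
}

# Print how both checks classify one package name.
compare_checks() (
    s=no
    e=no
    if substring_installed "$1"; then s=yes; fi
    if exact_installed "$1"; then e=yes; fi
    echo "substring=$s exact=$e"
)

for pkg in aide telnet-server telnet; do
    echo "$pkg: $(compare_checks "$pkg")"
done
```

With this sample list the substring check reports `aide` as installed although only `aide-helper-example` is present, so the install branch of the `install_aide` fix would not run.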
