On Mon, 25 Mar 2013 22:14:40 -0400 Shawn Wells <[email protected]> wrote:
> I've been taking a few off-list questions around remediation lately,
> namely from interested parties asking "where do we start?" Wanted to
> move those conversations to on-list. Here's a few of the common
> questions and my thoughts to get us started.
>
>
> (1) What language(s) should be used?
>
> IMO, bash. I'm leaning this way because it's included in *every* RHEL
> release, whereas puppet modules would require the installation of 3rd
> party software. I'd like to see as much done through 'native' tools as
> possible. There's certainly advantages to Perl (e.g., potential speed)
> however I don't think we want to assume Perl is installed on all RHEL
> machines.
>
>
> (2) Do we perform checking in the scripts?
>
> Defined further, should the scripts contain conditional checks to see if
> they should be run?
> IMO, no. That's what OVAL is for.
>
>
> (3) Where do we begin?
>
> - Name remediation scripts after corresponding XCCDF rule
> - Build process includes them into final ssg-rhel6-xccdf.xml
>
> Known challenge on passing XCCDF variables through to the scripts,
> however I wouldn't let this hold us up. Still *tons* of work to be done
> while this gets sorted.
>
>
> There's a good bit of RHEL6 content in the Aqueduct project that (I
> believe) Tresys committed. Perhaps we could reuse those scripts?

Agree with your points above.

As for scripts, I've got +- 400 scripts that I'm ready to commit, but
being new to the git process, I do not want to make a mistake sending
all at once to the list as patches. There is also a new combinefixes.py
script that fixes having the characters "<", ">", and "&" in them.

How should I proceed?

Thanks.

--
Brian Millett
"I hope that isn't the sign of some frailty in her."
'Why don't you check her *teeth* while you're at it?'
"Think that's a good idea?"
   -- [ Na'Toth and Ivanova (re: Alisa Beldon), "Legacies"]
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
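
Added example, not part of the thread and not the project's combinefixes.py: one way a build step can fold bash remediation scripts named after XCCDF rules into an XML file so that "<", ">" and "&" in the scripts survive intact. The fix-group/fix element layout, the rule ids and the sample scripts are assumptions constructed for illustration.

```python
# Added illustration; not the project's combinefixes.py.
import xml.etree.ElementTree as ET

# Constructed sample: remediation scripts keyed by a hypothetical XCCDF
# rule id, as if each had been read from a file named <rule_id>.sh.
SAMPLE_FIXES = {
    "example_rule_umask":
        'grep -q "^umask" /etc/profile && '
        'sed -i "s/^umask.*/umask 077/" /etc/profile\n',
    "example_rule_banner":
        "cat > /etc/issue <<EOF\nAuthorized use only\nEOF\n",
}


def combine_fixes(fixes):
    """Return an XML document holding one <fix> element per script."""
    root = ET.Element("fix-group")  # assumed wrapper element
    for rule_id in sorted(fixes):
        fix = ET.SubElement(root, "fix", {"rule": rule_id})
        # Assigning to .text lets the serializer escape <, > and &.
        # Pasting the script into a string template would not.
        fix.text = fixes[rule_id]
    return ET.tostring(root, encoding="unicode")


def extract_fixes(xml_text):
    """Parse the combined document back into {rule_id: script}."""
    root = ET.fromstring(xml_text)
    return {fix.get("rule"): fix.text or "" for fix in root.iter("fix")}


def naive_combine(fixes):
    """Unescaped string pasting, kept only to show the failure mode."""
    body = "".join(
        '<fix rule="%s">%s</fix>' % (rule_id, script)
        for rule_id, script in fixes.items()
    )
    return "<fix-group>" + body + "</fix-group>"


if __name__ == "__main__":
    combined = combine_fixes(SAMPLE_FIXES)
    print(combined)
    # The scripts must come back byte-for-byte, or the remediation changes.
    print("round trip ok:", extract_fixes(combined) == SAMPLE_FIXES)
    try:
        ET.fromstring(naive_combine(SAMPLE_FIXES))
    except ET.ParseError as exc:
        print("unescaped scripts break the XML:", exc)
```

The round-trip comparison is the check worth keeping in a build: a script that is silently altered during embedding would run as a different remediation than the one reviewed.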
