Ok, so how do we make it happen?

Trevor

On Fri, Oct 4, 2013 at 11:05 PM, Shawn Wells <sh...@redhat.com> wrote:

> On 10/4/13 8:06 AM, Josh Kayse wrote:
>
>> On 10/04/2013 07:40 AM, Trevor Vaughan wrote:
>>
>>> Is Augeas an option?
>>>
>>> This seems like the perfect opportunity to solidify the Augeas lenses
>>> regarding security settings while making life easier for everyone.
>>>
>>> Trevor
>>>
>>> On Thu, Oct 3, 2013 at 9:42 PM, Shawn Wells <sh...@redhat.com> wrote:
>>>
>>> On 10/3/13 3:11 PM, fcavi...@redhat.com wrote:
>>>
>>>> All,
>>>>
>>>> As a starting point for writing remediation fixes in the SSG, I did the
>>>> following:
>>>>
>>>> $ ls ~/scap-security-guide/RHEL6/input/checks/*.xml | awk '{ print $1 }' | sed s/\.[^\.]*$// > ~/checks
>>>> $ ls ~/scap-security-guide/RHEL6/input/fixes/*.sh | awk '{ print $1 }' | sed s/\.[^\.]*$// > ~/fixes
>>>> $ sdiff ~/fixes ~/checks | less
>>>>
>>>> There's a fair bit of work to be done for the fix remediations...
>>>>
>>>> Since I'm new to the project, I was wondering if there were any
>>>> ideas or standards for how the SSG should distribute some of these
>>>> fixes. For example, a wholesale replacement of the audit.rules
>>>> and auditd.conf might be preferable to doing piecemeal sed's.
>>>
>>> It'd be omgz easier to `cp /usr/share/doc/audit-*/stig.rules
>>> /etc/audit.rules`, and that likely is the right choice during an
>>> initial provisioning process. But then SysAdmins tailor audit rules,
>>> the system evolves, and we need to evaluate the audit.rules file
>>> against specific auditing guidance items after the pristine
>>> audit.rules template is manipulated.
>>>
>>> So, if a single rule must be remediated, we can't blow away the
>>> whole audit.rules file. Super fun sed scripts it is =/
>>>
>>> <snip>
>>
>> I think that augeas is a good idea. We need to be careful that rules
>> that are inserted into audit.rules happen before any '-e 2' line (if one
>> exists). Otherwise they will fail to be inserted because the audit rules
>> become locked.
>>
>> -josh
>
> Augeas and puppet would be great; their downside is they don't ship
> natively with RHEL :( Part of the goal is to enable the remediation with
> native tooling first. IMO, Augeas scripts would be *fantastic* for Aqueduct!
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --
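Josh's point about the '-e 2' line is the one a native-tooling remediation has to get right: auditctl reads audit.rules top to bottom, and once the immutable flag is set every later rule is rejected until reboot. The script below is an added example written for this thread, not code from the SSG project or from any of the posters. It inserts a single rule idempotently, placing it before the first '-e 2' line when one exists and appending it otherwise, which is the per-rule fix Shawn says is needed instead of replacing the whole file. It assumes rules are matched as exact lines, and the audit.rules files it operates on are constructed temp files, not the real /etc/audit/audit.rules.

```shell
#!/bin/sh
# Added example (not from the thread or the SSG project): idempotently insert
# one audit rule into an audit.rules file, placing it before the first '-e 2'
# line if there is one, so auditctl -R loads it before the config is locked.
# Assumptions: a rule is matched as an exact line; the sample files below are
# constructed temp files, not a system's real audit.rules.

add_audit_rule() {
    local file="$1" rule="$2" tmp
    # Exact-line match: a rule that is already present is left alone
    if grep -qxF -- "$rule" "$file"; then
        return 0
    fi
    tmp="$(mktemp)"
    awk -v rule="$rule" '
        # Just before the first immutable-flag line, emit the new rule
        !done && $0 ~ /^[[:space:]]*-e[[:space:]]+2[[:space:]]*$/ { print rule; done = 1 }
        { print }
        END { if (!done) print rule }   # no lock line: append at the end
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # keep the target mode/owner
    rm -f "$tmp"
}

# Number of exact copies of a rule in a file (used to verify idempotence)
count_rule() {
    grep -cxF -- "$2" "$1"
}

# Exit 0 if the rule is present and sits before the first '-e 2' line
# (or the file has no lock line at all), i.e. auditctl would actually load it
rule_before_lock() {
    local file="$1" rule="$2" r e
    r="$(grep -nxF -- "$rule" "$file" | head -n 1 | cut -d: -f1)"
    e="$(grep -nE '^[[:space:]]*-e[[:space:]]+2[[:space:]]*$' "$file" | head -n 1 | cut -d: -f1)"
    [ -n "$r" ] && { [ -z "$e" ] || [ "$r" -lt "$e" ]; }
}

# Constructed sample audit.rules in a temp file; pass 1 to end it with '-e 2'.
# Prints the temp file's path.
make_sample_rules() {
    local f
    f="$(mktemp)"
    {
        echo '# constructed sample audit.rules (not a real system file)'
        echo '-D'
        echo '-b 320'
        echo '-w /etc/shadow -p wa -k identity'
        if [ "${1:-0}" -eq 1 ]; then echo '-e 2'; fi
    } > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demo: insert the same rule twice into a locked sample file and
# print the result; the second call is a no-op.
demo_add_rule() {
    local f
    f="$(make_sample_rules 1)"
    add_audit_rule "$f" '-w /etc/passwd -p wa -k identity'
    add_audit_rule "$f" '-w /etc/passwd -p wa -k identity'
    cat "$f"
    rm -f "$f"
}
```

Run `demo_add_rule` after sourcing the file to see the rule land directly above `-e 2`. Writing through `cat "$tmp" > "$file"` rather than `mv` keeps the original file's mode and ownership, which matters for a file auditd reads as root; `rule_before_lock` is the matching check a remediation can use to confirm the edit took effect where auditctl will honour it.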