Some awk-ing in the ssg-rhel7-xccdf.xml from 1.36 showed the following rules with only ansible fixes:
accounts_root_path_dirs_no_write audit_rules_dac_modification_fchmod audit_rules_dac_modification_fchown audit_rules_privileged_commands audit_rules_privileged_commands_su audit_rules_privileged_commands_sudo audit_rules_unsuccessful_file_modification_open dconf_gnome_banner_enabled dconf_gnome_disable_automount dconf_gnome_disable_ctrlaltdel_reboot dconf_gnome_disable_geolocation dconf_gnome_disable_restart_shutdown dconf_gnome_disable_thumbnailers dconf_gnome_disable_user_admin dconf_gnome_disable_user_list dconf_gnome_disable_wifi_create dconf_gnome_disable_wifi_notification dconf_gnome_screensaver_lock_delay dconf_gnome_screensaver_user_info firewalld_sshd_port_enabled gnome_gdm_disable_automatic_login gnome_gdm_disable_guest_login mount_option_dev_shm_nodev mount_option_dev_shm_noexec mount_option_dev_shm_nosuid mount_option_home_nodev mount_option_home_nosuid mount_option_var_tmp_nodev mount_option_var_tmp_noexec mount_option_var_tmp_nosuid rpm_verify_hashes sebool_httpd_can_network_connect sebool_secure_mode set_password_hashing_algorithm_libuserconf sshd_disable_rhosts sshd_enable_x11_forwarding sssd_memcache_timeout sssd_offline_cred_expiration sssd_ssh_known_hosts_timeout ---------- Chuck Atkins Staff R&D Engineer, Scientific Computing Kitware, Inc. (518) 881-1183 On Tue, Dec 12, 2017 at 2:17 PM, Marek Haicman <[email protected]> wrote: > On 12/12/2017 07:31 PM, Chuck Atkins wrote: > >> Hi Marek, >> >> My apologies for the ranting tone, that was not my intent; it's just been >> a very frustrating transition with the SSG from RHEL6 + STIG -> RHEL7 + >> OSPP since what would easily be a well-documented single-command process to >> bring the first into compliance is not so clear-cut for the second. >> >> Basically - it's more about resources available, and not much about >> our agenda. And with Ansible remediations on par with bash, we >> should be able to fix both. >> >> >> I'm all about having better, more easily maintained content. So, given >> the current state of things, what is the right way to use the SSG and it's >> combined ansible and bash fix content to being a RHEL7 machine into >> compliance with the OSPP profile? >> >> Thanks. >> >> It was not intention to force (or lead) users to combine those two ways, > so I would suggest to stick to what is more convenient for you - probably > bash. > > And you can try to use newest upstream release [1]. It has more stuff > fixed than what was shipped in RHEL7.4. (It looks like there are ~20 > failing rules, and at least 3 of them left failing by design, RHEL7.4 had > ~30 rules failing). > > Hope it helps, > Marek > > > [1] https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36 > > _______________________________________________ > scap-security-guide mailing list -- [email protected] > rahosted.org > To unsubscribe send an email to scap-security-guide-leave@list > s.fedorahosted.org >
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
