On 12/12/2017 at 19:09, Marek Haicman wrote:
> Hi Chuck,
> it's definitely not like we are moving away from bash remediations
> towards Ansible. As the remediation during scan is still bash-only, bash
> is still an important part of SSG. It's true that in upstream SSG we tried
> to get Ansible to parity with bash, and it's even true that in some
> cases Ansible remediation is easier to make, thus is implemented first.
>
> Basically - it's more about resources available, and not much about our
> agenda. And with Ansible remediations on par with bash, we should be
> able to fix both.
>
> Regards,
> Marek
>
Hello Marek,

As a newbie to the SSG community, there are things about fixes that are not very clear to me.

You said that remediations are bash-only. However, when I look at the DS/XCCDF+OVAL files generated, I can see that for some rules, there are only ansible fixes and no bash fixes. And when I did some tests on my side, I realized that some remediations were in error because ansible wasn't installed or because I had an old version of ansible.

SSG guys seem to say there is always a bash fallback, as has been discussed here: https://github.com/OpenSCAP/scap-security-guide/issues/2467. But when I see the generated file, I wonder how it can be possible.

So is it possible to clarify the following questions:

- Is ansible mandatory for some remediations?
- If yes, is it possible to provide the minimum version needed for applying the remediations in a correct way?
- Does oscap really fall back to bash when ansible fails? If yes, how does it work?

Thanks again for the answers.

Regards,
Olivier Bonhomme
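The observation in the message above, that some rules in the generated DS/XCCDF file carry only ansible fixes and no bash fixes, can be checked mechanically. The script below is an added example, not part of the original message and not SSG or OpenSCAP code: it groups rules by the `system` attribute of their `<fix>` elements. The sample benchmark and its rule ids are constructed, and `local` and `classify` are names chosen for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Fix "system" identifiers for shell and Ansible remediations in XCCDF content.
BASH = "urn:xccdf:fix:script:sh"
ANSIBLE = "urn:xccdf:fix:script:ansible"

# Constructed sample benchmark (rule ids and fix bodies are made up).
SAMPLE = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_both" selected="true">
    <fix system="urn:xccdf:fix:script:sh">echo demo</fix>
    <fix system="urn:xccdf:fix:script:ansible">- name: demo</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_ansible_only" selected="true">
    <fix system="urn:xccdf:fix:script:ansible">- name: demo</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_bash_only" selected="true">
    <fix system="urn:xccdf:fix:script:sh">echo demo</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_no_fix" selected="true"/>
</Benchmark>
"""

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 content both match."""
    return tag.rsplit("}", 1)[-1]

def classify(root):
    """Group rule ids by which remediation languages their <fix> elements use."""
    groups = {"both": [], "bash_only": [], "ansible_only": [], "neither": []}
    for rule in (e for e in root.iter() if local(e.tag) == "Rule"):
        systems = {c.get("system") for c in rule if local(c.tag) == "fix"}
        has_bash, has_ansible = BASH in systems, ANSIBLE in systems
        if has_bash and has_ansible:
            key = "both"
        elif has_bash:
            key = "bash_only"
        elif has_ansible:
            key = "ansible_only"
        else:
            key = "neither"
        groups[key].append(rule.get("id"))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    # Pass a data stream or XCCDF file path; with no argument the sample is used.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    for group, ids in classify(root).items():
        print(f"{group}: {len(ids)}")
        for rule_id in ids:
            print(f"  {rule_id}")
```

Rules reported under `ansible_only` are the ones for which the content offers no bash fix at all.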
